SlideShare a Scribd company logo

CISSP Prep: Ch 8. Security Operations

Sam Bowne, profile picture
Sam Bowne

This document discusses administrative security controls and incident response management. It covers topics such as least privilege, separation of duties, privilege monitoring, forensic data collection and analysis, incident response phases including preparation, detection, response, and recovery, and continuity planning including backup strategies, fault tolerance, and disaster recovery processes. The goal of these controls and plans is to mitigate risks from both internal and external threats and ensure business continuity even during disruptive events.

Education
1 of 112
Downloaded 373 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
CNIT 125: Information Security Professional (CISSP Preparation) Ch 8. Security Operations
Administrative Security
Administrative Personnel Controls • Least Privilege or Minimum Necessary Access • Need to Know (compartmentalizing) • Separation of Duties • Multiple people must approve critical transactions • Requires collusion of multiple people to bypass
Administrative Personnel Controls • Rotation of Duties/Job Rotation • People move from one job to another • Mitigates fraud • Can be costly, however • Mandatory Leave/Forced Vacation • Non-Disclosure Agreement (NDA) • Background Checks
Privilege Monitoring • Scrutinize • Account creation/deletion • Reboots • Backup and restore • Source code access • Audit log access
Forensics
Forensics • Preserve the "crime scene" • Collect evidence • Antiforensics • Makes forensics difficult or impossible • Malware that is entirely memory- resident • Makes Live Forensics important • Capturing RAM while system is still on
Phases of Forensics • Identification of potential evidence • Acquisition of evidence • Analysis of evidence • Production of a report
Forensic Media Analysis • Live capture • Binary images of hard disks, USB flash drives, CDs, DVDs, cell phones, MP3 players • Binary image includes deleted files • More complete than a normal backup
Four Types of Disk-Based Forensic Data • Allocated space (normal files) • Unallocated space (deleted files) • Slack space • Leftover space at end of clusters • Contains fragments of old files • Bad bocks/clusters/sectors • Ignored by operating systems • May contain hidden data
Binary Backup Tools • Norton Ghost (in forensic mode) • FTK Imager • EnCase
Network Forensics • Legal-focused analysis of traffic • Closely related to Network Intrusion Detection • Operations-focused analysis • Emails, Web surfing, IM conversations, and file transfers can be recovered from network captures
Forensic Software Analysis • Investigators have a binary file to analyze • Reverse engineering malware • Uses disassemblers and debuggers • And virtual machines for dynamic analysis
Embedded Device Forensics • SSDs (Solid State Drives) • Handheld devices
Electronic Discovery eDiscovery • Producing evidence for a lawsuit • Can be difficult • Backups may be inconvenient to access
Incident Response Management
Incident Response
Preparation • Training • Writing incident response policies and procedures • Providing tools such as laptops with sniffing softare, crossover cables, original OS media, removable drives, etc.
Incident Handling Checklist
Detection • Analyze events to determine whether a security incident has taken place • Requires log files • Many strange events are not security incidents
Response • Also called Containment • Prevent further damage • Take systems off the network • Isolate traffic • Power off systems • Make binary images of systems involved • Requires management approval: may impact business
Mitigation • Also called eradication • Determine cause of incident • So systems can be cleaned • Root cause analysis is required
Reporting • Musst begin immediately upon detection of malicious activity • Two types • Technical • Non-technical • Often neglected, but very important • Non-technical stakeholders include business and mission owners
Recovery • Restoring the affected systems to operation • Monitor systems to see if the infection or attacker returns
Remediation • Removal of the vulnerability that allowed the incident • Change passwords • Switch to two-factor authentication
Lessons Learned • Likely to be neglected • Greatest potential to improve security posture • Create a final report to deliver to management • Detail ways the incident could have been detected sooner, response could have been quicker or more effective, and areas for improvement
Root-Cause Analysis • Determine the underlying weakness or vulnerability that allowed the incident • Without this, incident could repeat
Operational Preventive Detective Controls
IDS & IPS • Intrusion Detection System • Detects malicious actions • Intrusion Prevention System • Prevents malicious actions • Network-based • Protects a whole network • Host-based • Protects only one host • Ex: Tripwire
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
Types of IDS • Pattern matching • Compares events to static signatures • Protocol behavior • Detects protocol errors, like SYN/FIN TCP packets • Anomaly detection • Reports traffic that varies from normal baseline
Security Information and Event Management (SIEM) • Correlates data from many sources • Continuous Monitoring • Now recommended, replacing the earlier Certification and Accreditation approach of examining a system once every 3 years
Data Loss Prevention • Prevents sensitive data from leaving the network
Endpoint Security • Security suites, including • Antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and firewalls
Antivirus • Mostly depend on signature detectio • Blacklisting • Application whitelisting • New technique • Only allow known good software to run • May use • File path and name • Hash • Code signature
Removable Media Controls • Disable Autorun (default on modern Windows systems)
Disk Encryption • Full Disk Encryption is best
Honeypots • System designed to attract attackers • May have legal risks • Attacker may claim they were invited in • Honey nets • Real or simulated network of honeypots
Asset Management
Configuration Management • Consistent security configuration • Hardened beyond the defaults • Baselining • Captures security configuration at a point in time
Patch Management • Must evaluate and test patch • Deploying patches is best done with a management system
Vulnerability Management • Vulnerability scanning finds poor configurations and missing patches • Must remediate the vulnerabilities • Zero Day Vulnerability and Zero Day Exploits • No patch available
Change Management • Change control board oversees and coordinates change control process • Approves or denies changes baed on risk and cost management
Change Management Steps
Continuity of Operations
Service Level Agreements (SLA) • Dictates what is acceptable • Bandwidth, time to delivery, response times, etc. • Ex: 99.9% uptime
Fault Tolerance • A device may fail; that is a fault • If users no longer receive service, that's a failure • Fault-tolerant systems have redundant systems • So a fault does not lead to a failure
Backup • Full Backup • Incremental backup • Data changed since last full backup of any kind • May take several tapes to recover • Differential backup • Data changed since last full backup • May take two tapes to recover
RAID • Redundant Array of Inexpensive Disks
RAID Terms • Mirroring • Duplicating data on another disk • Skipping • Writing data across many disks • Improves performance, but does not provide fault tolerance • Parity • Saves XORed data from other drives • Provides fault tolerance
RAID Levels • RAID 0: Striped (no fault tolerance) • RAID 1: Mirrored (fault tolerant) • RAID 3: Parity on a single drive (fault tolerant) • RAID 5: Striped set with distributed parity (fault tolerant) • RAID 6: Striped set with dual distributed parity (can recover even if two drives fail)
RAID Levels • RAID 1+0 or RAID 10 • Striped set of mirrors • Fault tolerant
System Redundancy • Redundant Hardware • Extra power supplies, NICs, disk controllers • Redundant Systems • High Availability Clusters • Failover cluster uses another device when the primary one fails • Called "Active-Passive" • Active-Active or Load Balancing cluster • Uses all devices at all times
BCP and DRP Overview and Process
Business Continuity Planning (BCP) • Ensures that business will continue to operate before, throughout, and during a disaster • Ensures that critical services can be carried out • Strategic, long-term: focuses on business as a whole • An umbrella plan that includes multiple plans, most importantly the Disaster Recovery Plan (DLP)
Disaster Recovery Planning (DRP) • Tactical, short-term • Plan to deal with specific disruptions, such as a malware infection
CISSP Prep: Ch 8. Security Operations
Maximum Tolerable Downtime (MTD) • Used to determine how to allocate resources for recovery
Disasters or Disruptive Events • By Cause • Natural (like earthquakes) • Human • Intentional like terrorism, rogue insiders, DoS, phishing, etc. • Inadvertent like errors, laziness, carelessness • Environmental (like power blackouts, equipment failures, or software flaws)
CISSP Prep: Ch 8. Security Operations
Errors and Omissions • Most common source of disruptive events • Easily avoided with controls, if they can be identified
Temperature and Humidity Failures • Without proper controls, the Mean Time Between Failures (MTBF) for electrical equipment will decrease • Must test backup power and HVAC • UPS (Uninterruptible Power Supply) • Generators
Disasters • Warfare, terrorism, and sabotage • Financially motivated attackers • Personnel shortages • Pandemics and disease • Strikes • Loss of a critical individual worker
Communications Failure • Physical line breaks • Hurricanes
The Disaster Recovery Process • Respond • Activate Team • Communicate • Assess • Reconstitution
Respond • Initial assessment of damage • Quickly determine if the event is a disaster • Is the facility safe for continued use?
Activate Team & Communicate • Communicating with team may be difficult • Call Trees may help • Timely updates must get back to the central team • Phones may be down • Organization must be prepared with external communications
Assess • Disaster Recovery team will perform a more detailed and thorough assessment • Determine extent of damage • Proper steps • Consider Maximum Tolerable Downtime (MTD) • Protect safety of personnel
Reconstitution • Recover critical business processes • Either at a primary or secondary site • Salvage team will begin recovery process at primary site
Developing a BCP/DRP
CISSP Prep: Ch 8. Security Operations
Project Initiation Milestones 1. Develop contingency planning policy 2. Conduct Business Impact Analysis (BIA) to identify critical systems 3. Identify preventive controls 4. Develop recovery strategies 5. Develop IT contingency plan 6. Plan testing, training, and exercises 7. Plan maintenance
CISSP Prep: Ch 8. Security Operations
Management Support • "C" level management must support the plan • They can allocate resources • BCP / DRP planning may increase company efficiency even if no disaster occurs
BCP/DRP Project Manager • Key point of contact to ensure that BCP/ DRP plan is completed and tested • Must have good organizational skills • And credibility and authority • Does not need in-depth technical skills • Main skills: negotiation and people skills
Building the BCP/DRP Team • First establish a Continuity Planning Project Team (CPPT) with stakeholders • Human resources • Public relations • IT • Physical security • Line managers • Anyone else responsible for essential functions
Scoping the Project • What assets are protected? • Which emergency events are addressed? • What resources are needed?
Assessing the Critical State • List IT assets, and • Who uses them • What business process they support • Business Impact of outage
Business Impact Analysis (BIA) • Determine Maximum Tolerable Downtime (MTD) for specific IT assets • First, identify critical assets • Second, comprehensive risk analysis • Including vulnerability analysis
Example Risk Assessment for Email Risk Vulnerability BIA Mitigation Server room unlocked Unauthorized personnel may enter Loss of CIA for system from physical attack Install locks with PIN and alarm (risk reduced to tolerable level) Software out of date Known insecurities, end-of-life Loss of CIA from cyberattack Update software (risk eliminated) No firewall Added exposure to Internet cyberattacks Loss of CIA from cyberattack Move server to managed hosting (transfer risk)
Determine Maximum Tolerable Downtime (MTD) • Recovery Point Objective (RPO) • Amount of data loss an organization can withstand • Recovery Time Objective (RTO) • Max. time required to recover systems • Work Recovery Time (WRT) • Time required to configure a recovered system • MTD = RTO + WRT
MTBF • Mean Time Between Failures (MTBF) • Estimate, systems may fail sooner • Mean Time to Repair (MTTR) • Minimum Operating Requirements • Minimum environmental and connectivity requirements to operate computer equipment
Recovery Strategy
Supply Chain Management • A large disaster may impact your suppliers • Some vendors offer guaranteed replacement insurance
Telecommunication Management • Communication may fail during a disaster • Alternatives • T1 lines • Wireless networks • Satellite phones
Utility Management • Address all required utilities • Power • Heating • Cooling • Water
Recovery Options • Redundant Site: ready to go, including up-to-date data • Hot Site • Equipment ready, but may take an hour or so to load data • Warm Site • Has some equipment, but not exact duplicates; 1-3 days to bring it up • Cold Site • Datacenter but lacks hardware or data, may take weeks to bring up
Recovery Options • Reciprocal Agreement • Use another organization's datacenter • Mobile Site • Datacenter on wheels, drive into disaster area • Subscription services • Outsource BCP/DRP • IBM's SunGard
CISSP Prep: Ch 8. Security Operations
Related Plans • Continuity of Operations (COOP) • Move personnel to alternate site • Business Recovery Plan (BRP) • After COOP, move back to original site • Continuity of Support Plan • Covers IT only • Cyber Incident Response Plan • Viruses, worms, intrusions
Related Plans • Occupant Emergency Plan • Safety and evacuation of people • Crisis Management Plan (CMP) • Coordinate managers
Crisis Management Plan (CMP) • Crisis Communications Plan • Resist rumors by providing the truth • Call Trees • Employees call a list of other employees • Automated Call Trees • Emergency Operations Center (EOC) • Command post • Vital Records (stored offsite)
Executive Succession Planning • Some executive should be on-site at all times
Backups and Availability
Continuous Availability • Maximum Tolerable Downtime (MTD) • Getting shorter • Some systems require Continuous Availability • MTD of zero
Hardcopy Data • Continue business using paper records during a disaster
Backups • Full backup (all data) • Incremental backup • All data changed since last full or incremental backup • May require several tapes to recover • Differential backup • All data changed since last full backup • May require two tapes to recover
Tape Rotation Methods • First In First Out (FIFO) • 14 tapes--14 days of backups • Grandfather-Father-Son (GFS) • 7 daily tapes (son) • 4 weekly tapes (father) • 12 monthly tapes (grandfather) • Once per week a son graduates to a father • Once a month a father becomes a grandfather
Electronic Vaulting • Transmits backup data over the Internet • Can backup at very short intervals • Should be encrypted in transit • Remote Journaling • Saves database checkpoints periodically • Database Shadowing • Maintains two identical databases on different servers, for faster recovery
HA (High Availability) Options • High Availability Cluster • Active-Active has all systems working • Also called load balancing • Active-Passive • Backup devices come up when main device goes down
Software Escrow • What happens if the company that wrote your mission-critical software goes out of business? • Source code may be stored at a trusted third party
DRP Testing, Training and Awareness
DRP Testing • DRP Review • DRP team reads the whole plan to find flaws • Read-Through • Lists all necessary components • Ensures they are available • Walkthrough/Tabletop • Talk through steps • Find omissions, gaps, erroneous assumptions, etc.
DRP Testing • Simulation Test/Walkthrough Drill • Teams actually carry out the recovery process • Parallel Processing • Duplicate real business transactions on backup systems • Partial and Complete Business Interruption • Stop normal systems • Can cause a disaster
Training • Starting Emergency Power • Call Tree Training/Test • Awareness • For employees not directly participating in the DRP
Continued BCP/DRP Maintenance
Change Management • MCP team should be a member of the Change Control board • BCP/DRP Version Control
CISSP Prep: Ch 8. Security Operations
Specific BCP/DRP Frameworks
Specific BCP/DRP Frameworks • NIST SP 800-34 • For US Gov't systems • ISO/IEC-27031 • Part of ISO 27000 series • BS-25999 • British standard • ISO 22301 • Supersedes BS-25999
BCI • Business Continuity Institute • Six Professional Practices

More Related Content

PPTX
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
PPTX
CISSP - Software Development Security
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
PPTX
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
PPTX
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
PPTX
CISSP - Security Assessment
Karthikeyan Dhayalan
 
PPTX
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Topology
Karthikeyan Dhayalan
 
CISSP - Software Development Security
Karthikeyan Dhayalan
 
CISSP - Chapter 2 - Asset Security
Karthikeyan Dhayalan
 
Chapter 5 - Identity Management
Karthikeyan Dhayalan
 
CISSP - Chapter 3 - Cryptography
Karthikeyan Dhayalan
 
CISSP Chapter 7 - Security Operations
Karthikeyan Dhayalan
 
CISSP - Security Assessment
Karthikeyan Dhayalan
 
CISSP Chapter 1 BCP
Karthikeyan Dhayalan
 

What's hot (20)

PPTX
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
PPTX
Threat hunting and achieving security maturity
DNIF
 
PPTX
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
PPTX
Chapter 1 Personal security
Karthikeyan Dhayalan
 
PPTX
Security testing
Khizra Sammad
 
PPT
authentication.ppt
jayarao21
 
PDF
Cyber security and demonstration of security tools
Vicky Fernandes
 
PPTX
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
PDF
Access Control Presentation
Wajahat Rajab
 
PDF
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
PDF
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
PPTX
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
PPTX
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
PPTX
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
PPT
Chapter 5 Presentation
Amy McMullin
 
PDF
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
PPT
Application Security
Reggie Niccolo Santos
 
PDF
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
PDF
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
Sam Bowne
 
PPTX
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Mark Arena
 
CISSP - Chapter 4 - Intranet and extranets
Karthikeyan Dhayalan
 
Threat hunting and achieving security maturity
DNIF
 
Chapter 1 Security Framework
Karthikeyan Dhayalan
 
Chapter 1 Personal security
Karthikeyan Dhayalan
 
Security testing
Khizra Sammad
 
authentication.ppt
jayarao21
 
Cyber security and demonstration of security tools
Vicky Fernandes
 
CISSP - Chapter 3 - CPU Architecture
Karthikeyan Dhayalan
 
Access Control Presentation
Wajahat Rajab
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
CNIT 152: 1 Real-World Incidents
Sam Bowne
 
Inetsecurity.in Ethical Hacking presentation
Joshua Prince
 
CISSP - Chapter 3 - System security architecture
Karthikeyan Dhayalan
 
CISSP - Chapter 4 - Network Fundamental
Karthikeyan Dhayalan
 
Chapter 5 Presentation
Amy McMullin
 
CISSP Prep: Ch 5. Communication and Network Security (Part 2)
Sam Bowne
 
Application Security
Reggie Niccolo Santos
 
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
CISSP Prep: Ch 2. Security and Risk Management I (part 2)
Sam Bowne
 
Cyber Threat Intelligence: Building and maturing an intelligence program that...
Mark Arena
 
Ad

Similar to CISSP Prep: Ch 8. Security Operations (20)

PDF
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
PDF
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
PDF
CNIT 160 4e Security Program Management (Part 5)
Sam Bowne
 
PDF
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
PPT
css ppt.ppt
ShivaTyagi26
 
PPT
Chap11
Aman Sharma
 
PPT
Security and privacy
Haa'Meem Mohiyuddin
 
PPTX
Chap11
nitin_009
 
PDF
Chapter 15 incident handling
newbie2019
 
PDF
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
PDF
CNIT 50: 9. NSM Operations
Sam Bowne
 
PPT
Security and privacy
Mohammed Adam
 
PDF
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
IGN MANTRA
 
PDF
CNIT 125 Ch 3. Asset Security
Sam Bowne
 
PDF
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
PDF
1. Network Security Monitoring Rationale
Sam Bowne
 
PDF
2. Asset Security
Sam Bowne
 
PPT
Latihan6 comp-forensic-bab5
sabtolinux
 
PDF
Ccna sec 01
EduclentMegasoftel
 
PDF
Operations Security Presentation
Wajahat Rajab
 
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
CISSP Prep: Ch 3. Asset Security
Sam Bowne
 
CNIT 160 4e Security Program Management (Part 5)
Sam Bowne
 
CNIT 152: 4 Starting the Investigation & 5 Leads
Sam Bowne
 
css ppt.ppt
ShivaTyagi26
 
Chap11
Aman Sharma
 
Security and privacy
Haa'Meem Mohiyuddin
 
Chap11
nitin_009
 
Chapter 15 incident handling
newbie2019
 
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
CNIT 50: 9. NSM Operations
Sam Bowne
 
Security and privacy
Mohammed Adam
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
IGN MANTRA
 
CNIT 125 Ch 3. Asset Security
Sam Bowne
 
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...
Sam Bowne
 
1. Network Security Monitoring Rationale
Sam Bowne
 
2. Asset Security
Sam Bowne
 
Latihan6 comp-forensic-bab5
sabtolinux
 
Ccna sec 01
EduclentMegasoftel
 
Operations Security Presentation
Wajahat Rajab
 
Ad

More from Sam Bowne (20)

PDF
Introduction to the Class & CISSP Certification
Sam Bowne
 
PDF
Cyberwar
Sam Bowne
 
PDF
3: DNS vulnerabilities
Sam Bowne
 
PDF
8. Software Development Security
Sam Bowne
 
PDF
4 Mapping the Application
Sam Bowne
 
PDF
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
PDF
12 Elliptic Curves
Sam Bowne
 
PDF
11. Diffie-Hellman
Sam Bowne
 
PDF
2a Analyzing iOS Apps Part 1
Sam Bowne
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
PDF
10 RSA
Sam Bowne
 
PDF
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
PDF
9. Hard Problems
Sam Bowne
 
PDF
8 Android Implementation Issues (Part 1)
Sam Bowne
 
PDF
11 Analysis Methodology
Sam Bowne
 
PDF
8. Authenticated Encryption
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
7. Attacking Android Applications (Part 1)
Sam Bowne
 
PDF
5. Stream Ciphers
Sam Bowne
 
Introduction to the Class & CISSP Certification
Sam Bowne
 
Cyberwar
Sam Bowne
 
3: DNS vulnerabilities
Sam Bowne
 
8. Software Development Security
Sam Bowne
 
4 Mapping the Application
Sam Bowne
 
3. Attacking iOS Applications (Part 2)
Sam Bowne
 
12 Elliptic Curves
Sam Bowne
 
11. Diffie-Hellman
Sam Bowne
 
2a Analyzing iOS Apps Part 1
Sam Bowne
 
9 Writing Secure Android Applications
Sam Bowne
 
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne
 
10 RSA
Sam Bowne
 
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne
 
9. Hard Problems
Sam Bowne
 
8 Android Implementation Issues (Part 1)
Sam Bowne
 
11 Analysis Methodology
Sam Bowne
 
8. Authenticated Encryption
Sam Bowne
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
7. Attacking Android Applications (Part 1)
Sam Bowne
 
5. Stream Ciphers
Sam Bowne
 

Recently uploaded (20)

PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
PDF
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
PDF
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
 
RMMM.pdf make it easy to upload and study
sajedul2
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
Nguyen Thanh Tu Collection
 
VCE English Exam - Section C Student Revision Booklet
jpinnuck
 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Microbial diseases, their pathogenesis and prophylaxis
DevlinaSengupta
 
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PreetiSawant10
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Business Ethics Teaching Materials for college
CynthiaCastillo40
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
RAKESH SAJJAN
 
Pharma ospi slides which help in ospi learning
rameetkumar304
 
Institutional Correction lecture only . . .
limvtheghins
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
shilpa939953
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 

CISSP Prep: Ch 8. Security Operations

  • 3. Administrative Personnel Controls • Least Privilege or Minimum Necessary Access • Need to Know (compartmentalizing) • Separation of Duties • Multiple people must approve critical transactions • Requires collusion of multiple people to bypass
  • 4. Administrative Personnel Controls • Rotation of Duties/Job Rotation • People move from one job to another • Mitigates fraud • Can be costly, however • Mandatory Leave/Forced Vacation • Non-Disclosure Agreement (NDA) • Background Checks
  • 5. Privilege Monitoring • Scrutinize • Account creation/deletion • Reboots • Backup and restore • Source code access • Audit log access
  • 7. Forensics • Preserve the "crime scene" • Collect evidence • Antiforensics • Makes forensics difficult or impossible • Malware that is entirely memory- resident • Makes Live Forensics important • Capturing RAM while system is still on
  • 8. Phases of Forensics • Identification of potential evidence • Acquisition of evidence • Analysis of evidence • Production of a report
  • 9. Forensic Media Analysis • Live capture • Binary images of hard disks, USB flash drives, CDs, DVDs, cell phones, MP3 players • Binary image includes deleted files • More complete than a normal backup
  • 10. Four Types of Disk-Based Forensic Data • Allocated space (normal files) • Unallocated space (deleted files) • Slack space • Leftover space at end of clusters • Contains fragments of old files • Bad bocks/clusters/sectors • Ignored by operating systems • May contain hidden data
  • 11. Binary Backup Tools • Norton Ghost (in forensic mode) • FTK Imager • EnCase
  • 12. Network Forensics • Legal-focused analysis of traffic • Closely related to Network Intrusion Detection • Operations-focused analysis • Emails, Web surfing, IM conversations, and file transfers can be recovered from network captures
  • 13. Forensic Software Analysis • Investigators have a binary file to analyze • Reverse engineering malware • Uses disassemblers and debuggers • And virtual machines for dynamic analysis
  • 14. Embedded Device Forensics • SSDs (Solid State Drives) • Handheld devices
  • 15. Electronic Discovery eDiscovery • Producing evidence for a lawsuit • Can be difficult • Backups may be inconvenient to access
  • 18. Preparation • Training • Writing incident response policies and procedures • Providing tools such as laptops with sniffing softare, crossover cables, original OS media, removable drives, etc.
  • 20. Detection • Analyze events to determine whether a security incident has taken place • Requires log files • Many strange events are not security incidents
  • 21. Response • Also called Containment • Prevent further damage • Take systems off the network • Isolate traffic • Power off systems • Make binary images of systems involved • Requires management approval: may impact business
  • 22. Mitigation • Also called eradication • Determine cause of incident • So systems can be cleaned • Root cause analysis is required
  • 23. Reporting • Musst begin immediately upon detection of malicious activity • Two types • Technical • Non-technical • Often neglected, but very important • Non-technical stakeholders include business and mission owners
  • 24. Recovery • Restoring the affected systems to operation • Monitor systems to see if the infection or attacker returns
  • 25. Remediation • Removal of the vulnerability that allowed the incident • Change passwords • Switch to two-factor authentication
  • 26. Lessons Learned • Likely to be neglected • Greatest potential to improve security posture • Create a final report to deliver to management • Detail ways the incident could have been detected sooner, response could have been quicker or more effective, and areas for improvement
  • 27. Root-Cause Analysis • Determine the underlying weakness or vulnerability that allowed the incident • Without this, incident could repeat
  • 29. IDS & IPS • Intrusion Detection System • Detects malicious actions • Intrusion Prevention System • Prevents malicious actions • Network-based • Protects a whole network • Host-based • Protects only one host • Ex: Tripwire
  • 32. Types of IDS • Pattern matching • Compares events to static signatures • Protocol behavior • Detects protocol errors, like SYN/FIN TCP packets • Anomaly detection • Reports traffic that varies from normal baseline
  • 33. Security Information and Event Management (SIEM) • Correlates data from many sources • Continuous Monitoring • Now recommended, replacing the earlier Certification and Accreditation approach of examining a system once every 3 years
  • 34. Data Loss Prevention • Prevents sensitive data from leaving the network
  • 35. Endpoint Security • Security suites, including • Antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and firewalls
  • 36. Antivirus • Mostly depend on signature detectio • Blacklisting • Application whitelisting • New technique • Only allow known good software to run • May use • File path and name • Hash • Code signature
  • 37. Removable Media Controls • Disable Autorun (default on modern Windows systems)
  • 38. Disk Encryption • Full Disk Encryption is best
  • 39. Honeypots • System designed to attract attackers • May have legal risks • Attacker may claim they were invited in • Honey nets • Real or simulated network of honeypots
  • 41. Configuration Management • Consistent security configuration • Hardened beyond the defaults • Baselining • Captures security configuration at a point in time
  • 42. Patch Management • Must evaluate and test patch • Deploying patches is best done with a management system
  • 43. Vulnerability Management • Vulnerability scanning finds poor configurations and missing patches • Must remediate the vulnerabilities • Zero Day Vulnerability and Zero Day Exploits • No patch available
  • 44. Change Management • Change control board oversees and coordinates change control process • Approves or denies changes baed on risk and cost management
  • 47. Service Level Agreements (SLA) • Dictates what is acceptable • Bandwidth, time to delivery, response times, etc. • Ex: 99.9% uptime
  • 48. Fault Tolerance • A device may fail; that is a fault • If users no longer receive service, that's a failure • Fault-tolerant systems have redundant systems • So a fault does not lead to a failure
  • 49. Backup • Full Backup • Incremental backup • Data changed since last full backup of any kind • May take several tapes to recover • Differential backup • Data changed since last full backup • May take two tapes to recover
  • 50. RAID • Redundant Array of Inexpensive Disks
  • 51. RAID Terms • Mirroring • Duplicating data on another disk • Skipping • Writing data across many disks • Improves performance, but does not provide fault tolerance • Parity • Saves XORed data from other drives • Provides fault tolerance
  • 52. RAID Levels • RAID 0: Striped (no fault tolerance) • RAID 1: Mirrored (fault tolerant) • RAID 3: Parity on a single drive (fault tolerant) • RAID 5: Striped set with distributed parity (fault tolerant) • RAID 6: Striped set with dual distributed parity (can recover even if two drives fail)
  • 53. RAID Levels • RAID 1+0 or RAID 10 • Striped set of mirrors • Fault tolerant
  • 54. System Redundancy • Redundant Hardware • Extra power supplies, NICs, disk controllers • Redundant Systems • High Availability Clusters • Failover cluster uses another device when the primary one fails • Called "Active-Passive" • Active-Active or Load Balancing cluster • Uses all devices at all times
  • 55. BCP and DRP Overview and Process
  • 56. Business Continuity Planning (BCP) • Ensures that business will continue to operate before, throughout, and during a disaster • Ensures that critical services can be carried out • Strategic, long-term: focuses on business as a whole • An umbrella plan that includes multiple plans, most importantly the Disaster Recovery Plan (DLP)
  • 57. Disaster Recovery Planning (DRP) • Tactical, short-term • Plan to deal with specific disruptions, such as a malware infection
  • 59. Maximum Tolerable Downtime (MTD) • Used to determine how to allocate resources for recovery
  • 60. Disasters or Disruptive Events • By Cause • Natural (like earthquakes) • Human • Intentional like terrorism, rogue insiders, DoS, phishing, etc. • Inadvertent like errors, laziness, carelessness • Environmental (like power blackouts, equipment failures, or software flaws)
  • 62. Errors and Omissions • Most common source of disruptive events • Easily avoided with controls, if they can be identified
  • 63. Temperature and Humidity Failures • Without proper controls, the Mean Time Between Failures (MTBF) for electrical equipment will decrease • Must test backup power and HVAC • UPS (Uninterruptible Power Supply) • Generators
  • 64. Disasters • Warfare, terrorism, and sabotage • Financially motivated attackers • Personnel shortages • Pandemics and disease • Strikes • Loss of a critical individual worker
  • 65. Communications Failure • Physical line breaks • Hurricanes
  • 66. The Disaster Recovery Process • Respond • Activate Team • Communicate • Assess • Reconstitution
  • 67. Respond • Initial assessment of damage • Quickly determine if the event is a disaster • Is the facility safe for continued use?
  • 68. Activate Team & Communicate • Communicating with team may be difficult • Call Trees may help • Timely updates must get back to the central team • Phones may be down • Organization must be prepared with external communications
  • 69. Assess • Disaster Recovery team will perform a more detailed and thorough assessment • Determine extent of damage • Proper steps • Consider Maximum Tolerable Downtime (MTD) • Protect safety of personnel
  • 70. Reconstitution • Recover critical business processes • Either at a primary or secondary site • Salvage team will begin recovery process at primary site
  • 73. Project Initiation Milestones 1. Develop contingency planning policy 2. Conduct Business Impact Analysis (BIA) to identify critical systems 3. Identify preventive controls 4. Develop recovery strategies 5. Develop IT contingency plan 6. Plan testing, training, and exercises 7. Plan maintenance
  • 75. Management Support • "C" level management must support the plan • They can allocate resources • BCP / DRP planning may increase company efficiency even if no disaster occurs
  • 76. BCP/DRP Project Manager • Key point of contact to ensure that BCP/ DRP plan is completed and tested • Must have good organizational skills • And credibility and authority • Does not need in-depth technical skills • Main skills: negotiation and people skills
  • 77. Building the BCP/DRP Team • First establish a Continuity Planning Project Team (CPPT) with stakeholders • Human resources • Public relations • IT • Physical security • Line managers • Anyone else responsible for essential functions
  • 78. Scoping the Project • What assets are protected? • Which emergency events are addressed? • What resources are needed?
  • 79. Assessing the Critical State • List IT assets, and • Who uses them • What business process they support • Business Impact of outage
  • 80. Business Impact Analysis (BIA) • Determine Maximum Tolerable Downtime (MTD) for specific IT assets • First, identify critical assets • Second, comprehensive risk analysis • Including vulnerability analysis
  • 81. Example Risk Assessment for Email Risk Vulnerability BIA Mitigation Server room unlocked Unauthorized personnel may enter Loss of CIA for system from physical attack Install locks with PIN and alarm (risk reduced to tolerable level) Software out of date Known insecurities, end-of-life Loss of CIA from cyberattack Update software (risk eliminated) No firewall Added exposure to Internet cyberattacks Loss of CIA from cyberattack Move server to managed hosting (transfer risk)
  • 82. Determine Maximum Tolerable Downtime (MTD) • Recovery Point Objective (RPO) • Amount of data loss an organization can withstand • Recovery Time Objective (RTO) • Max. time required to recover systems • Work Recovery Time (WRT) • Time required to configure a recovered system • MTD = RTO + WRT
  • 83. MTBF • Mean Time Between Failures (MTBF) • Estimate, systems may fail sooner • Mean Time to Repair (MTTR) • Minimum Operating Requirements • Minimum environmental and connectivity requirements to operate computer equipment
  • 85. Supply Chain Management • A large disaster may impact your suppliers • Some vendors offer guaranteed replacement insurance
  • 86. Telecommunication Management • Communication may fail during a disaster • Alternatives • T1 lines • Wireless networks • Satellite phones
  • 87. Utility Management • Address all required utilities • Power • Heating • Cooling • Water
  • 88. Recovery Options • Redundant Site: ready to go, including up-to-date data • Hot Site • Equipment ready, but may take an hour or so to load data • Warm Site • Has some equipment, but not exact duplicates; 1-3 days to bring it up • Cold Site • Datacenter but lacks hardware or data, may take weeks to bring up
  • 89. Recovery Options • Reciprocal Agreement • Use another organization's datacenter • Mobile Site • Datacenter on wheels, drive into disaster area • Subscription services • Outsource BCP/DRP • IBM's SunGard
  • 91. Related Plans • Continuity of Operations (COOP) • Move personnel to alternate site • Business Recovery Plan (BRP) • After COOP, move back to original site • Continuity of Support Plan • Covers IT only • Cyber Incident Response Plan • Viruses, worms, intrusions
  • 92. Related Plans • Occupant Emergency Plan • Safety and evacuation of people • Crisis Management Plan (CMP) • Coordinate managers
  • 93. Crisis Management Plan (CMP) • Crisis Communications Plan • Resist rumors by providing the truth • Call Trees • Employees call a list of other employees • Automated Call Trees • Emergency Operations Center (EOC) • Command post • Vital Records (stored offsite)
  • 94. Executive Succession Planning • Some executive should be on-site at all times
  • 96. Continuous Availability • Maximum Tolerable Downtime (MTD) • Getting shorter • Some systems require Continuous Availability • MTD of zero
  • 97. Hardcopy Data • Continue business using paper records during a disaster
  • 98. Backups • Full backup (all data) • Incremental backup • All data changed since last full or incremental backup • May require several tapes to recover • Differential backup • All data changed since last full backup • May require two tapes to recover
  • 99. Tape Rotation Methods • First In First Out (FIFO) • 14 tapes--14 days of backups • Grandfather-Father-Son (GFS) • 7 daily tapes (son) • 4 weekly tapes (father) • 12 monthly tapes (grandfather) • Once per week a son graduates to a father • Once a month a father becomes a grandfather
  • 100. Electronic Vaulting • Transmits backup data over the Internet • Can backup at very short intervals • Should be encrypted in transit • Remote Journaling • Saves database checkpoints periodically • Database Shadowing • Maintains two identical databases on different servers, for faster recovery
  • 101. HA (High Availability) Options • High Availability Cluster • Active-Active has all systems working • Also called load balancing • Active-Passive • Backup devices come up when main device goes down
  • 102. Software Escrow • What happens if the company that wrote your mission-critical software goes out of business? • Source code may be stored at a trusted third party
  • 103. DRP Testing, Training and Awareness
  • 104. DRP Testing • DRP Review • DRP team reads the whole plan to find flaws • Read-Through • Lists all necessary components • Ensures they are available • Walkthrough/Tabletop • Talk through steps • Find omissions, gaps, erroneous assumptions, etc.
  • 105. DRP Testing • Simulation Test/Walkthrough Drill • Teams actually carry out the recovery process • Parallel Processing • Duplicate real business transactions on backup systems • Partial and Complete Business Interruption • Stop normal systems • Can cause a disaster
  • 106. Training • Starting Emergency Power • Call Tree Training/Test • Awareness • For employees not directly participating in the DRP
  • 108. Change Management • MCP team should be a member of the Change Control board • BCP/DRP Version Control
  • 111. Specific BCP/DRP Frameworks • NIST SP 800-34 • For US Gov't systems • ISO/IEC-27031 • Part of ISO 27000 series • BS-25999 • British standard • ISO 22301 • Supersedes BS-25999
  • 112. BCI • Business Continuity Institute • Six Professional Practices