Domain 7: Security Operations
7.1 Understand and support investigations
Digital Forensics – focuses on the recovery and investigation of material found in digital devices, often related to computer crime. Closely related to incident response, as both are based on gathering and protecting evidence. The biggest difference is that it’s not what you know, it’s what you can prove in court, so the evidence itself is much more valuable.
International Organization of Computer Evidence’s 6 Principles for Computer Forensics:
All of the general forensic and procedural principles must be applied
Actions taken should not change evidence
Person investigating should be trained for the purpose
All activity must be fully documented, preserved and available for review
An individual is responsible for all actions taken with respect to digital evidence
Any agency which is responsible for seizing/accessing/storing/transferring digital evidence is responsible for compliance with these principles.
Binary images are required for forensics work. You never work on the original media. A binary image is exactly identical to the original, including deleted files.
Certified forensic tools include Norton Ghost, FTK Imager and EnCase
Four types of disk-based forensic data:
Allocated space – normal files
Unallocated space – deleted files
Slack space – leftover space at the end of clusters. Contains fragments of old files
Bad blocks – ignored by OS. May contain hidden data
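The points above (never work on the original, a binary image must be bit-for-bit identical, and the four kinds of disk data) can be shown end to end on a toy disk. The following is an added example, not part of the original notes or any of the tools they mention; the 16-byte cluster size, the "disk" contents, the allocation table and the bad-block list are all constructed for illustration.

```python
import hashlib

CLUSTER = 16  # constructed toy cluster size; real filesystems use 4 KiB or more


def build_sample_disk():
    """Construct a toy 8-cluster disk plus its allocation table (constructed data)."""
    disk = bytearray(8 * CLUSTER)
    # 1. an old 32-byte file fills clusters 1-2, then is "deleted": the directory
    #    entry disappears but the bytes stay on disk (unallocated space)
    disk[1 * CLUSTER:3 * CLUSTER] = b"OLD-SECRET-FILE-CONTENT-LEFTOVER"
    # 2. a new 10-byte file is allocated cluster 1; bytes 10-15 of that cluster are
    #    never rewritten, so they become slack holding a fragment of the old file
    disk[1 * CLUSTER:1 * CLUSTER + 10] = b"new report"
    # 3. cluster 7 is marked bad and is never read by the OS, but it holds data
    disk[7 * CLUSTER:7 * CLUSTER + 6] = b"HIDDEN"
    allocation = {"report.txt": {"clusters": [1], "size": 10}}
    bad_blocks = {7}
    return bytes(disk), allocation, bad_blocks


def acquire_image(source):
    """Bit-for-bit copy plus a hash of each side, so the copy can be proven identical.

    All later work happens on the returned image; the source is never modified.
    """
    image = bytes(source)  # every byte, including deleted, slack and bad-block data
    src_hash = hashlib.sha256(source).hexdigest()
    img_hash = hashlib.sha256(image).hexdigest()
    return image, src_hash, img_hash


def classify_regions(image, allocation, bad_blocks):
    """Split the image into the four forensic data types from the notes."""
    used = set()
    allocated, slack = {}, {}
    for name, meta in allocation.items():
        data = b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in meta["clusters"])
        allocated[name] = data[:meta["size"]]   # what the OS shows the user
        slack[name] = data[meta["size"]:]       # tail of the last cluster
        used.update(meta["clusters"])
    total = len(image) // CLUSTER
    unallocated = {c: image[c * CLUSTER:(c + 1) * CLUSTER]
                   for c in range(total) if c not in used and c not in bad_blocks}
    bad = {c: image[c * CLUSTER:(c + 1) * CLUSTER] for c in bad_blocks}
    return {"allocated": allocated, "slack": slack, "unallocated": unallocated, "bad": bad}


def carve(image, needle):
    """Find every offset of a byte pattern in the image, ignoring the filesystem entirely."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


if __name__ == "__main__":
    disk, alloc, bad = build_sample_disk()
    image, h_src, h_img = acquire_image(disk)
    print("hashes match:", h_src == h_img)
    regions = classify_regions(image, alloc, bad)
    for kind, content in regions.items():
        print(kind, content)
    print("carved 'LEFTOVER' at offsets:", carve(image, b"LEFTOVER"))
```

Running it shows that the user-visible file is only "new report", while the slack, the unallocated cluster and the bad block together still hold the deleted file and the hidden bytes; the matching SHA-256 values are what you would record to show the image was identical to the original at acquisition time.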
7.2 Understand requirements for investigation types
7.3 Conduct logging and monitoring activities
Incident Response and Management
Preparation – involves training and creating policies/procedures
Detection/Identification – analyzing events to determine if a security incident has taken place through the examination of log files.
Response/Containment – preventing further damage by isolating traffic, taking the system offline, etc. You would often make binary images of systems involved.
Mitigation/Eradication – System is cleaned.
Reporting – notifying proper personnel. Two kinds
Technical – appropriate technical individuals
Non-technical – stakeholders, business owners, regulators and auditors
Recovery – putting the system back into production. Monitoring to see if the attack resumes
Remediation – Root cause analysis is performed to determine and patch the vulnerability that allowed the incident. New processes to prevent recurrence are created.
Lessons Learned - after action meeting to determine what went wrong, what went well and what could be improved on. Final report delivered to management.
7.4 Securely provisioning resources
7.5 Understand and apply foundational security operations concepts
7.6 Apply resource protection techniques
7.7 Conduct incident management
7.8 Operate and maintain detective and preventative measures
IDS – monitors activity and sends an alert when suspicious activity occurs. Often connected to a SPAN port on switches.
HIDS – agent-based. Sits on a host. Scrutinizes logs, system files, etc. Attackers may be able to detect and disable them.
NIDS – monitors traffic traversing the network. Not visible to attackers but encryption interferes with their ability to analyze traffic.
Two ways to detect:
Signature-based – compares events to static signatures
Heuristic/anomaly-based – reports traffic that varies from the normal baseline, detects protocol errors.
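The two detection methods behave differently on the same traffic, and the contrast is clearest when both run over one log. The following is an added example, not code from the original notes or from any IDS product; the log format, the IP addresses, the two signatures and the "mean plus three standard deviations" threshold are all constructed assumptions for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed log lines in a simplified web-server format: "src method path status"
TRAINING = [  # known-good traffic used to learn the baseline
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.6 POST /login 302",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /contact 200",
    "10.0.0.8 GET /index.html 200",
]
LIVE = [  # traffic to inspect
    "10.0.0.5 GET /index.html 200",
    "10.0.0.9 GET /../../etc/passwd 403",                 # matches a static signature
    "10.0.0.9 POST /login?user=admin'%20OR%201=1-- 200",  # matches a static signature
    "10.0.0.11 BREW /coffee 400",                         # method never seen: protocol error
] + [f"10.0.0.10 GET /page{i} 200" for i in range(5)]    # far above the normal rate

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

SIGNATURES = {  # constructed patterns; real rule sets are far larger
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)'(?:%20|\s)*or(?:%20|\s)+1(?:%20|\s)*=(?:%20|\s)*1"),
}


def parse(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_detect(lines):
    """Signature-based: compare each request path to static patterns."""
    alerts = []
    for ev in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((name, ev["src"]))
    return alerts


def learn_baseline(lines):
    """Learn what 'normal' looks like: requests per source and the set of methods seen."""
    events = list(filter(None, map(parse, lines)))
    counts = list(Counter(e["src"] for e in events).values())
    threshold = statistics.mean(counts) + 3 * statistics.pstdev(counts)
    return {"threshold": threshold, "methods": {e["method"] for e in events}}


def anomaly_detect(lines, baseline):
    """Anomaly-based: flag sources above the learned rate and methods outside the protocol baseline."""
    events = list(filter(None, map(parse, lines)))
    alerts = []
    for src, n in Counter(e["src"] for e in events).items():
        if n > baseline["threshold"]:
            alerts.append(("rate-anomaly", src))
    for e in events:
        if e["method"] not in baseline["methods"]:
            alerts.append(("protocol-error", e["src"]))
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_detect(LIVE))
    print("anomaly alerts:  ", anomaly_detect(LIVE, learn_baseline(TRAINING)))
```

The output shows the complementarity the notes describe: the signature engine catches the two known attack strings from 10.0.0.9 but says nothing about the request flood or the bogus method, while the anomaly engine catches those two but has no opinion on 10.0.0.9, whose request count and methods look normal.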
Data Loss Prevention – prevents sensitive data from leaving the network
Honeypots – purposefully vulnerable (pseudo flaws) to attract attackers. Ties back to idea of enticement.
7.9 Implement and support patch and vulnerability management
Evaluate for applicability
7.10 Understand and participate in change management processes
Minimizes negative impact of changes. Allows managers to scrutinize changes, creates an audit trail of all completed changes, and aids in the patching of known vulnerabilities.
Provides a process by which all system changes are tracked, audited, controlled, identified and approved. Users are informed of impending changes.
Requires rigorous testing prior to being deployed. This avoids unintentional reductions in security.
Requires documentation and allows for training users
Implements the ability to reverse changes
Assess risk associated with change
Notify impacted parties of change
7.11 Implement recovery strategies
RAID 0 – Striping. Data is read from multiple disks.
RAID 1 – Mirroring
RAID 5 – Striping with parity. At least 3 disks. All data is spread across all disks. Parity allows data to still be read after a drive failure by recomputing (“guessing”) the missing data from the surviving disks.
RAID 10 – RAID 1 + RAID 0
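How RAID 5 "guesses" the missing data is worth seeing in code: parity is the XOR of the data blocks in a stripe, so any single missing block is the XOR of everything that survives. The following is an added example, not from the original notes; the stripe layout (parity disk rotating left), block size and sample data are constructed assumptions, and it is a simulation rather than a real array.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data_blocks, stripe_index, n_disks):
    """Lay out n_disks-1 data blocks plus one parity block across n_disks."""
    assert len(data_blocks) == n_disks - 1
    parity_disk = (n_disks - 1 - stripe_index) % n_disks  # rotate parity each stripe
    parity = xor_blocks(data_blocks)
    remaining = iter(data_blocks)
    layout = [parity if d == parity_disk else next(remaining) for d in range(n_disks)]
    return layout, parity_disk


def raid5_read(layout, parity_disk, failed_disk=None):
    """Return the stripe's data blocks, rebuilding one failed disk's block from the rest."""
    blocks = list(layout)
    if failed_disk is not None:
        survivors = [b for d, b in enumerate(blocks) if d != failed_disk]
        blocks[failed_disk] = xor_blocks(survivors)   # parity XOR data == missing block
    return [b for d, b in enumerate(blocks) if d != parity_disk]


def store(data, n_disks, block_size):
    """Split data into stripes of (n_disks-1) blocks, padding the tail with zero bytes."""
    per_stripe = (n_disks - 1) * block_size
    stripes = []
    for s, off in enumerate(range(0, len(data), per_stripe)):
        chunk = data[off:off + per_stripe].ljust(per_stripe, b"\0")
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        stripes.append(raid5_write(blocks, s, n_disks))
    return stripes


def recover(stripes, failed_disks=()):
    """Read everything back with the given disks missing; RAID 5 survives only one."""
    if len(failed_disks) > 1:
        raise ValueError("RAID 5 tolerates a single disk failure")
    failed = failed_disks[0] if failed_disks else None
    return b"".join(b"".join(raid5_read(layout, pd, failed)) for layout, pd in stripes)


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed sample data
    array = store(sample, n_disks=4, block_size=4)
    for disk in range(4):
        print(f"disk {disk} failed ->", recover(array, (disk,)).rstrip(b"\0"))
```

Because parity rotates across disks, every disk holds some parity and some data, so losing any one of them is recoverable; asking `recover` for two failed disks raises, which is why RAID 5 rebuilds after a failure are time-critical.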
7.12 Implement Disaster Recovery processes
Developing a BCP/DRP
1. Develop Policy
2. Conduct Business Impact Analysis - identify critical business functions/resources. Calculate metrics such as:
Recovery Time Objectives (RTO) – max time required to recover systems
Recovery Point Objective (RPO) – amount of data loss measured in time that an organization can withstand.
Maximum Tolerable Downtime (MTD) – total time a system can be inoperable before severe impact occurs
3. Identify Preventive Controls – improving security, identify possible improvements in business processes.
4. Develop Recovery Strategies
Redundant sites – ready to go, include updated data
Hot site – equipment ready, but may take time to load data. Recovery time is 6 hours or less
Warm site – has some equipment, no data. Will take days to bring up
Cold site – lacks hardware and data. Could take weeks to bring up
Mobile site – datacenter on wheels that can be driven into the disaster area
Subscription service – outsourced BCP/DRP, such as IBM’s Sunguard
Full Backup – all data. Clears archive bit after backups
Incremental – only files that changed since last backup. Clears the archive bit.
With incremental backups, you must first restore the most recent full backup and then apply all incremental backups that occurred since that full backup.
Differential – only files changed since last full backup. Does not clear the archive bit
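The archive-bit behaviour above is what determines how many backup sets a restore needs and how much data each nightly job copies. The following is an added example, not from the original notes: a toy filesystem that sets an archive bit on every write, the three backup types, and a restore that applies either every incremental or only the latest differential. The file names, contents and three-day edit schedule are constructed for illustration.

```python
class Filesystem:
    """Toy filesystem that tracks the archive bit per file (constructed, not a real FS)."""

    def __init__(self):
        self.files = {}
        self.archive_bit = set()

    def write(self, name, content):
        self.files[name] = content
        self.archive_bit.add(name)  # the OS sets the bit on every modification


def full_backup(fs):
    copy = dict(fs.files)            # all data
    fs.archive_bit.clear()           # full backup clears the bit
    return ("full", copy)


def incremental_backup(fs):
    copy = {n: fs.files[n] for n in fs.archive_bit}  # changed since the last backup of any kind
    fs.archive_bit.clear()                           # incremental clears the bit too
    return ("incremental", copy)


def differential_backup(fs):
    copy = {n: fs.files[n] for n in fs.archive_bit}  # changed since the last full backup
    return ("differential", copy)                    # bit left set, so each differential grows


def restore(backups):
    """Return (restored files, number of backup sets read).

    Full first, then every incremental in order; or full plus only the latest differential.
    """
    last_full = max(i for i, (kind, _) in enumerate(backups) if kind == "full")
    state = dict(backups[last_full][1])
    later = backups[last_full + 1:]
    if later and later[-1][0] == "differential":
        state.update(later[-1][1])
        return state, 2
    for _, content in later:
        state.update(content)
    return state, 1 + len(later)


def simulate(strategy):
    """Day 0 full backup, then `strategy` once a day after the same daily edits.

    Returns (backups, bytes copied in total, restore result, live files at the end).
    """
    fs = Filesystem()
    for name, content in (("a.txt", b"a1"), ("b.txt", b"b1"), ("c.txt", b"c1")):
        fs.write(name, content)
    backups = [full_backup(fs)]
    daily_edits = [{"a.txt": b"a2"}, {"b.txt": b"b2"}, {"a.txt": b"a3"}]  # constructed
    for edits in daily_edits:
        for name, content in edits.items():
            fs.write(name, content)
        backups.append(strategy(fs))
    copied = sum(len(c) for _, content in backups for c in content.values())
    return backups, copied, restore(backups), dict(fs.files)


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        _, copied, (state, sets_read), live = simulate(strategy)
        print(f"{strategy.__name__}: copied {copied} bytes, restore reads {sets_read} sets,"
              f" restored == live: {state == live}")
```

The run shows the trade-off the notes imply: the incremental schedule copies the least each night but the restore has to read the full backup plus every incremental since it, while the differential schedule copies more each night (its sets keep growing until the next full) but restores from just two sets.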
Electronic Vaulting transmits data over the internet. Can be backed up at short intervals. Should be encrypted.
Remote journaling – saves database checkpoints (transaction logs) periodically
Remote Mirroring - database transactions are mirrored at the backup site in real time
Database Shadowing – maintains two identical databases on different servers for fast recovery
5. Develop IT Contingency Plan
6. Plan/Test/Train using a type of DR test:
7. Plan Maintenance
7.13 Test Disaster Recovery Plans
7.14 Participate in Business Continuity planning and exercises
Business Continuity Planning
Business Continuity Plan is a long-term, strategic, business-oriented plan for continued operation after a disruptive event
Disaster Recovery Plan is more tactical, in that it provides short-term plans for specific disruptions
Steps in Disaster Recovery Process:
Respond – quickly assess damage and determine if event is a disaster. Determine if facility is safe for continued use
Activate team – Call Trees assist in communication. Timely updates must make their way back to central team.
Communicate - Phones may be down so organizations should be prepared with multiple ways of communicating
Assess – Protect safety of personnel
Reconstitution – recover critical business processes, whether at primary or secondary site. Salvage team will begin recovery process at primary site
7.15 Implement and manage physical security
7.16 Address personal safety and security concerns