CruSec’s 2019 CISSP Study Guide - Domain 7: Security Operations
Domain 7: Security Operations
7.1 Understand and support investigations
Digital Forensics – focuses on the recovery and investigation of material found in digital devices, often related to computer crime. Closely related to incident response as it is based on gathering and protecting evidence. Biggest difference is that it’s not what you know, it’s what you can prove in court. Evidence is much more valuable.
International Organization of Computer Evidence’s 6 Principles for Computer Forensics:
All of the general forensic and procedural principles must be applied
Actions taken should not change evidence
Person investigating should be trained for the purpose
All activity must be fully documented, preserved and available for review
An individual is responsible for all actions taken with respect to digital evidence
Any agency which is responsible for seizing/accessing/storing/transferring digital evidence is responsible for compliance with these principles.
Binary images are required for forensics work. You never work on the original media. A binary image is exactly identical to the original, including deleted files.
Certified forensic tools include Norton Ghost, FTK Imager and EnCase
Four types of disk-based forensic data:
Allocated space – normal files
Unallocated space – deleted files
Slack space – leftover space at the end of clusters. Contains fragments of old files
Bad blocks – ignored by OS. May contain hidden data
7.2 Understand requirements for investigation types
Criminal vs. Civil Law – Criminal law has higher standards for evidence.
Administrative Law – also called Regulatory Law. Consists of regulations like HIPAA
Legal aspects of investigations
Evidence – Real Evidence (physical objects), Direct Evidence (witness testimony), Circumstantial Evidence (indirect evidence of guilt; can support other evidence but is inadequate for a conviction alone).
Best evidence is going to be the original documents/hard drives etc
Secondary would include copies of original evidence, log files, etc
Evidence integrity contingent on hashes
Hearsay is inadmissible in court. In order for evidence to be admissible, it must be relevant to a fact at issue, the fact must be material to the case, and the evidence must have been legally collected.
Evidence can be surrendered, obtained through a subpoena which compels the owner to surrender it, or forcefully obtained before a subject has an opportunity to alter it through a warrant
Chain of custody – documents entirely where evidence is at all times. If there is any lapse, the evidence will be deemed inadmissible
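The three points above (work only on a bit-for-bit image, tie integrity to hashes, document every hand-off) fit together in code. This is an added illustration, not part of the study guide: the "device" is a constructed byte string, and the record format and function names are assumptions.

```python
import hashlib
import io
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(device, block_size: int = 32):
    """Copy the source block by block without modifying it, hashing as we go so the
    recorded hash describes exactly the bytes captured. Raw bytes are copied, not
    files, so deleted-file remnants and zeroed space come along with the image."""
    digest = hashlib.sha256()
    chunks = []
    device.seek(0)
    while chunk := device.read(block_size):
        digest.update(chunk)
        chunks.append(chunk)
    return b"".join(chunks), digest.hexdigest()


def verify_acquisition(device, image: bytes, recorded_hash: str) -> bool:
    """Re-hash both the untouched original and the working copy: the image is only
    usable if both still equal the hash recorded at acquisition time."""
    device.seek(0)
    return sha256_hex(device.read()) == recorded_hash == sha256_hex(image)


@dataclass
class ChainOfCustody:
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def handoff(self, custodian: str, action: str, image: bytes) -> bool:
        """Every transfer is logged together with a fresh hash check; a mismatch is
        recorded as a break in the chain rather than silently accepted."""
        intact = sha256_hex(image) == self.acquisition_hash
        self.entries.append({"custodian": custodian, "action": action, "intact": intact})
        return intact

    def unbroken(self) -> bool:
        return all(e["intact"] for e in self.entries)


# Constructed sample "device": a live file followed by a deleted-file remnant in unallocated space
SAMPLE_DEVICE = io.BytesIO(
    b"BOOTSECTOR" + b"report.docx: Q3 figures" + b"\x00" * 21
    + b"memo.txt (deleted): do not forward" + b"\x00" * 30
)
```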
Reasonable Searches - 4th amendment protects against unreasonable search and seizure. Searches require warrants
Exceptions: when an object is in plain sight, at public checkpoints, or in exigent circumstances (immediate threat to human life or evidence being destroyed).
7.3 Conduct logging and monitoring activities
Incident Response and Management
Involves the monitoring and detection of security events. Need clear processes and responses
Steps to incident response:
Preparation – involves training and creating policies/procedures
Detection/Identification – analyzing events to determine if a security incident has taken place through the examination of log files.
Response/Containment – preventing further damage by isolating traffic, taking the system offline, etc. You would often make binary images of systems involved.
Mitigation/Eradication – System is cleaned.
Reporting – notifying proper personnel. Two kinds
Technical – appropriate technical individuals
Non-technical – stakeholders, business owners, regulators and auditors
Recovery – putting the system back into production. Monitoring to see if the attack resumes
Remediation – Root cause analysis is performed to determine and patch the vulnerability that allowed the incident. New processes to prevent recurrence are created.
Lessons Learned - after action meeting to determine what went wrong, what went well and what could be improved on. Final report delivered to management.
7.4 Securely provisioning resources
7.5 Understand and apply foundational security operations concepts
7.6 Apply resource protection techniques
7.7 Conduct incident management
7.8 Operate and maintain detective and preventative measures
IDS – monitors activity and sends an alert when suspicious activity occurs. Often connected to a SPAN port on switches.
HIDS – agent-based. Sits on a host. Scrutinizes logs, system files, etc. Attackers may be able to detect and disable them
NIDS – monitors traffic traversing the network. Not visible to attackers but encryption interferes with their ability to analyze traffic.
Two ways to detect:
Signature-based – compares events to static signatures
Heuristic/anomaly-based – reports traffic that varies from the normal baseline, detects protocol errors.
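The two detection approaches side by side, as an added example that is not from the study guide: a static signature list versus a learned per-source baseline plus a protocol-error check. All traffic, signatures and thresholds here are constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed static signatures: User-Agent strings of (fictional) known scanners
SIGNATURES = ("BadScanner/1.0", "EvilBot/2.3")
VALID_METHODS = {"GET", "POST", "HEAD"}


def per_source(events):
    return Counter(e["src"] for e in events)


def signature_detect(events):
    """Signature-based: match each event against a static list of known-bad patterns.
    Cheap and precise, but blind to anything not already on the list."""
    return sorted({e["src"] for e in events if any(s in e["agent"] for s in SIGNATURES)})


def build_baseline(history):
    """Anomaly-based detection first learns 'normal': request volume per source
    during a known-quiet period, summarised as mean and standard deviation."""
    counts = list(per_source(history).values())
    return mean(counts), pstdev(counts)


def anomaly_detect(events, baseline, k=3.0):
    """Flag sources whose volume exceeds mean + k*stddev, plus protocol errors
    (a method the protocol does not define) regardless of volume."""
    mu, sigma = baseline
    noisy = sorted(src for src, n in per_source(events).items() if n > mu + k * sigma)
    bad_protocol = sorted({e["src"] for e in events if e["method"] not in VALID_METHODS})
    return noisy, bad_protocol


def ev(src, method="GET", agent="Mozilla/5.0"):
    return {"src": src, "method": method, "agent": agent}


# Constructed quiet-period traffic used to learn the baseline (mean 5 requests/source)
HISTORY = [ev("10.0.0.1")] * 5 + [ev("10.0.0.2")] * 6 + [ev("10.0.0.3")] * 5 + [ev("10.0.0.4")] * 4

# Constructed monitored traffic: one known scanner, one flood, one malformed request
LIVE = (
    [ev("10.0.0.1")] * 5
    + [ev("10.0.0.2", agent="BadScanner/1.0")]
    + [ev("10.0.0.9")] * 20
    + [ev("10.0.0.3", method="FOO")]
)
```

Note that the flood from 10.0.0.9 and the malformed request are invisible to the signature check, while the scanner with a normal request volume is invisible to the baseline check.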
Data Loss Prevention – prevents sensitive data from leaving the network
Honeypots – purposefully vulnerable (pseudo flaws) to attract attackers. Ties back to idea of enticement.
Padded Cells are where an attacker may be redirected upon detection.
7.9 Implement and support patch and vulnerability management
Critical part of change control involves security updates
Evaluate for applicability
Finds poorly configured machines
Zero Day Vulnerabilities have no patches available
7.10 Understand and participate in change management processes
Minimizes negative impact of changes. Allows managers to scrutinize changes, creates an audit trail of all completed changes, and aids in the patching of known vulnerabilities.
Provides a process by which all system changes are tracked, audited, controlled, identified and approved. Users are informed of impending changes.
Requires rigorous testing prior to being deployed. This avoids unintentional reductions in security.
Requires documentation and allows for training users
Implements the ability to reverse changes
Assess risk associated with change
Notify impacted parties of change
Consistent security configurations through hardening, imaging, and baselining
7.11 Implement recovery strategies
RAID 0 – Striping. Data is read from multiple disks.
RAID 1 – Mirroring
RAID 5 – Striping with parity. At least 3 disks. All data is spread across all disks. Parity allows data to still be read with drive failures by “guessing” the missing data.
RAID 10 – RAID 1 + RAID 0
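The "guessing" RAID 5 does is XOR parity. As an added illustration that is not part of the study guide, a minimal in-memory model of a 3-disk RAID 5 with rotating parity: write stripes, lose one disk, and rebuild its blocks from the survivors (block size and layout are constructed choices).

```python
def xor_bytes(*blocks: bytes) -> bytes:
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data: bytes, disks: int = 3, block: int = 4):
    """Split data into stripes of (disks - 1) data blocks plus one XOR parity block.
    The parity block rotates across disks from stripe to stripe."""
    n_data = disks - 1
    stripe_bytes = block * n_data
    if len(data) % stripe_bytes:
        data += b"\x00" * (stripe_bytes - len(data) % stripe_bytes)
    array = [[] for _ in range(disks)]
    for idx, s in enumerate(range(0, len(data), stripe_bytes)):
        chunks = [data[s + i * block : s + (i + 1) * block] for i in range(n_data)]
        parity_disk = (disks - 1 - idx) % disks
        parity = xor_bytes(*chunks)
        it = iter(chunks)
        for d in range(disks):
            array[d].append(parity if d == parity_disk else next(it))
    return array


def fail_disk(array, d: int) -> None:
    array[d] = [None] * len(array[d])  # simulate a dead drive: every block unreadable


def raid5_read(array) -> bytes:
    """Reassemble user data. A block on a failed disk is recovered as the XOR of the
    surviving blocks in its stripe; two failures in one stripe cannot be recovered."""
    disks, stripes = len(array), len(array[0])
    out = bytearray()
    for s in range(stripes):
        parity_disk = (disks - 1 - s) % disks
        blocks = [array[d][s] for d in range(disks)]
        missing = [d for d, b in enumerate(blocks) if b is None]
        if len(missing) > 1:
            raise RuntimeError("RAID 5 tolerates a single disk failure")
        if missing:
            blocks[missing[0]] = xor_bytes(*[b for b in blocks if b is not None])
        for d in range(disks):
            if d != parity_disk:
                out += blocks[d]
    return bytes(out)
```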
7.12 Implement Disaster Recovery processes
Developing a BCP/DRP
1. Develop Policy
2. Conduct Business Impact Analysis - identify critical business functions/resources. Calculate metrics such as:
Recovery Time Objectives (RTO) – max time required to recover systems
Recovery Point Objective (RPO) – amount of data loss measured in time that an organization can withstand.
Maximum Tolerable Downtime (MTD) – total time a system can be inoperable before severe impact occurs
3. Identify Preventive Controls – improving security, identify possible improvements in business processes.
4. Develop Recovery Strategies
Redundant sites – ready to go, include updated data
Hot site – equipment ready, but may take time to load data. Recovery time is 6 hours or less
Warm site – has some equipment, no data. Will take days to bring up
Cold site – lacks hardware and data. Could take weeks to bring up
Reciprocal/Mutual Assistance Agreement – using another organization’s datacenter. Difficult to enforce in court. Also, the partner is generally close in terms of proximity and may be affected by the same disaster
Mobile site – datacenter on wheels that can be driven into the disaster area
Subscription service – outsourced BCP/DRP, such as IBM’s Sunguard
Full Backup – all data. Clears archive bit after backups
Incremental – only files that changed since last backup. Clears the archive bit.
With incremental backups, you must first restore the most recent full backup and then apply all incremental backups that occurred since that full backup.
Differential – only files changed since last full backup. Does not clear the archive bit
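The archive-bit behaviour above decides how many backup sets a restore needs. As an added example that is not from the study guide, a small simulation of one constructed week (Monday full, one file changed per day) run under both strategies; file names and the dict-based backup sets are assumptions.

```python
from dataclasses import dataclass


@dataclass
class File:
    content: str
    archive: bool = True  # the archive bit: set whenever a file is created or modified


def write(vol: dict, name: str, content: str) -> None:
    vol[name] = File(content)  # any modification sets the archive bit again


def full_backup(vol):
    copy = {n: f.content for n, f in vol.items()}
    for f in vol.values():
        f.archive = False  # full backup clears the archive bit
    return copy


def incremental_backup(vol):
    copy = {n: f.content for n, f in vol.items() if f.archive}
    for f in vol.values():
        f.archive = False  # incremental clears it too, so the next run holds only newer changes
    return copy


def differential_backup(vol):
    # Does NOT clear the bit, so every differential contains all changes since the last full
    return {n: f.content for n, f in vol.items() if f.archive}


def restore(full, *deltas):
    """Restore starts from the full backup and overlays the deltas in order:
    every incremental since the full, or just the most recent differential."""
    state = dict(full)
    for d in deltas:
        state.update(d)
    return state


def simulate(strategy):
    """Constructed week: Monday full backup, then one file changes per day."""
    vol = {}
    for name in ("payroll.db", "notes.txt", "app.cfg"):
        write(vol, name, "Mon")
    sets = [full_backup(vol)]
    for day, name in (("Tue", "payroll.db"), ("Wed", "notes.txt"), ("Thu", "app.cfg")):
        write(vol, name, day)
        sets.append(strategy(vol))
    if strategy is incremental_backup:
        restored, needed = restore(sets[0], *sets[1:]), len(sets)
    else:
        restored, needed = restore(sets[0], sets[-1]), 2
    return sets, restored, needed
```

Incremental sets stay small but a Thursday restore needs all four of them; differential sets grow each day but the restore needs only the full plus Thursday's set.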
Electronic Vaulting transmits data over the internet. Can be backed up at short intervals. Should be encrypted.
Remote journaling – saves database checkpoints (transaction logs) periodically
Remote Mirroring - database transactions are mirrored at the backup site in real time
Database Shadowing – maintains two identical databases on different servers for fast recovery
5. Develop IT Contingency Plan
6. Plan/Test/Train using a type of DR test:
Read-through – plan is distributed to departments and functional areas for review. Managers read over and indicate if anything is missing or should be modified.
Walk-through – often referred to as a “table top” exercise. DR team assembles and role plays a scenario.
Simulation Test – specific scenario is proposed and employees must simulate that event and start taking action to recover
Full Interruption Test – original site is shut down and processing is moved to the alternate site. Requires massive amounts of planning and can be very risky
Parallel Test – involves moving components to an alternate site. Regular production systems are not interrupted
7. Plan Maintenance
Top-down rule applies here. C level management must approve and support the plan, and allocate the resources
Plans should be tested/updated/reviewed annually
Continuity Planning Project Team includes:
Senior management, but does NOT include the CEO.
Anyone else responsible for essential functions
7.13 Test Disaster Recovery Plans
7.14 Participate in Business Continuity planning and exercises
Business Continuity Planning
Business Continuity Plan is a long-term strategic business-oriented plan for continued operation after a disrupted event
Disaster Recovery Plan is more tactical insofar that it provides short-term plans for specific disruptions
BCP comes first, DRP fills in the gaps. DRP kicks in when BCP fails
Steps in Disaster Recovery Process:
Respond – quickly assess damage and determine if event is a disaster. Determine if facility is safe for continued use
Activate team – Call Trees assist in communication. Timely updates must make their way back to central team.
Communicate - Phones may be down so organizations should be prepared with multiple ways of communicating
Assess – Protect safety of personnel
Reconstitution – recover critical business processes, whether at primary or secondary site. Salvage team will begin recovery process at primary site
NIST SP 800-34 – contingency plan for federal information systems.
Business Continuity Institute – “the good practice guidelines”
7.15 Implement and manage physical security
Physical Security Attacks:
Abuse – tampering with or bypassing security controls, such as picking locks and propping doors open
Masquerading – using someone else’s badge or other credentials for authentication
Piggybacking – same as tailgating
7.16 Address personal safety and security concerns