CISSP: CHAPTER 7
Security Operations
CHAPTER 7 SECURITY OPERATIONS REVIEW
Incident Response
Forensics
Evidence Collection
Admissibility Issues
Types of Evidence
Fault tolerance and recovery strategies
SECURITY INCIDENT RESPONSE
Event: negative occurrence that can be observed, verified and documented
Incident: Series of events that has a negative impact on the company and its security
Incident response focuses on containing the damage of an attack and restoring normal operations
Investigation focuses on gathering evidence of an attack with the goal of prosecuting the attacker
SECURITY INCIDENT RESPONSE
CONTINUED
Framework should include:
Response Capability
Incident Response and handling
Recovery and Feedback
RESPONSE CAPABILITY
Incident Response
Corporate incident response policies, procedures and guidelines should be in place
Legal, HR, Executive management, and key business units must be involved
If handling in-house, an incident response team must be in place
Items the Computer Incident Response Team must have at its disposal
List of outside agencies and resources to contact or report to
Computer Emergency Response Team (CERT)
List of computer or forensics experts to contact
Steps on how to secure and preserve evidence
Steps on how to search for evidence
List of items that should be included on the report
A list that indicates how the different systems should be treated in this type of situation
INCIDENT RESPONSE AND HANDLING
Triage
Detection
Identification
Notification
Investigations
Containment
Analysis and Tracking
RECOVERY AND FEEDBACK
Recovery and Repair: restoration of the system to operations. Remember, it does no good to restore the system to its original status; it must be given greater security lest it fall prey to the same attack again
Provide Feedback: One of the most important (and most overlooked) steps. Document, document, document!
COMPUTER FORENSICS
Computer Forensics: The discipline of using proven methods toward the collection, preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence.
IOCE and SWGDE are two entities that provide forensics guidelines and principles as follows
All forensic principles must be applied to digital evidence
Evidence should not be altered as a result of collection
If a person is to access original digital evidence, that person must be trained for such a purpose
All activity relating to the seizure, access, storage, and transfer of digital evidence must be fully documented and available for review
An individual is responsible for actions affecting digital evidence while that evidence is in their possession
Any entity responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles
FIVE RULES OF DIGITAL EVIDENCE
Digital Evidence Must:
Be authentic
Be accurate
Be complete
Be convincing
Be admissible
THE FORENSICS INVESTIGATION PROCESS
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision
THE FORENSICS INVESTIGATION PROCESS
Identification
Locard’s Exchange Principle: when a crime is committed, the attacker takes something and leaves something behind. What they leave behind can help us identify aspects of the responsible party
THE FORENSICS INVESTIGATION PROCESS
Preservation
Chain of Custody must be well documented
A history of how the evidence was
Collected
Analyzed
Transported
Preserved
Necessary because digital evidence can be manipulated so easily
Hashing algorithms are used to show that the evidence has not been modified by the investigation process (the hash taken at seizure must still match the hash taken later)
THE FORENSICS INVESTIGATION PROCESS
Collection
Minimize handling/corruption of evidence
Keep detailed logs of your actions
Comply with the 5 rules of digital evidence
Do not exceed your knowledge
Follow organization’s security policy
Capture an accurate image of the system
Ensure actions are repeatable
Work Fast (digital evidence may have a short lifespan)
Work from volatile to persistent evidence
DO NOT run any programs or open any files on the infected system until a forensic copy of the disk has been made
THE FORENSICS INVESTIGATION PROCESS
Collection (Continued)
Steps to evidence collection:
Photograph area, record what is on the screen
Dump contents from memory
Power down system
Photograph inside of system
Label each piece of evidence
Record who collected what and how
Have legal department and possibly human resources involved
THE FORENSICS INVESTIGATION PROCESS
Collection (Continued)
The Fourth Amendment protects against illegal search and seizure
Exceptions to previous statement
Private citizen not subject to Fourth Amendment rules unless acting as a police agent
Citizen may be subject to restrictions of Electronic Communications Privacy Act
Computer evidence can be obtained by law enforcement only through:
Subpoena
Search warrant
Voluntary consent
Exigent Circumstances
THE FORENSICS INVESTIGATION PROCESS
Examination
Look for signatures of known attacks
Review audit logs
Hidden data recovery
Analysis
Primary image (original) vs. Working image (copy)
Working image should be a bit by bit copy of original
Both copies must be hashed and the working copy should be write-protected
What is the root cause?
What files were altered/installed?
What communications channels were opened?
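The hashing and primary-versus-working-image rules above are easy to state and easy to get wrong in practice. The following is an added example (not from the slides or any forensic tool) that acquires a constructed stand-in for a disk image, makes a bit-for-bit working copy, write-protects it, records both hashes in a chain-of-custody log, and then shows how re-hashing detects a later change to the working copy. The handler name and file names are invented for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real image would be gigabytes).
SAMPLE_IMAGE = b"\x55\xaa" * 64 + b"constructed evidence payload" + b"\x00" * 32


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_working_copy(primary_path, working_path):
    """Byte-for-byte copy of the primary image, then write-protect the copy.

    Returns the hashes of both files; they must match before analysis starts.
    """
    shutil.copyfile(primary_path, working_path)
    os.chmod(working_path, 0o444)  # read-only permission bits (a hardware write blocker is stronger)
    return sha256_file(primary_path), sha256_file(working_path)


def custody_entry(action, path, digest, handler):
    """One chain-of-custody record: who did what to which item, when, and its hash."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": os.path.basename(path),
        "sha256": digest,
        "handler": handler,
    }


def verify_integrity(path, recorded_digest):
    """Re-hash the file; a mismatch means it changed since the record was written."""
    return sha256_file(path) == recorded_digest


def run_demo(workdir=None, handler="analyst-1 (hypothetical name)"):
    """Acquire, copy, log, then detect a tampered working copy."""
    workdir = workdir or tempfile.mkdtemp(prefix="evidence-demo-")
    primary = os.path.join(workdir, "primary.img")
    working = os.path.join(workdir, "working.img")
    with open(primary, "wb") as f:
        f.write(SAMPLE_IMAGE)
    primary_hash, working_hash = make_working_copy(primary, working)
    log = [
        custody_entry("acquired primary image", primary, primary_hash, handler),
        custody_entry("created working copy", working, working_hash, handler),
    ]
    # Simulate an analyst bypassing the write protection and altering the copy.
    os.chmod(working, 0o644)
    with open(working, "ab") as f:
        f.write(b"\x00")
    return {
        "copy_matches_primary": primary_hash == working_hash,
        "primary_intact": verify_integrity(primary, primary_hash),
        "working_intact": verify_integrity(working, working_hash),
        "log": log,
    }


if __name__ == "__main__":
    result = run_demo()
    for entry in result["log"]:
        print(entry)
    print("working copy intact:", result["working_intact"])
```

The point of the demo is the last result: the primary image still matches its recorded hash, but the altered working copy does not, which is exactly the check a court or opposing expert will ask for. File permission bits only stop accidental writes; a hardware write blocker is the usual control for the primary image itself.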
THE FORENSICS INVESTIGATION PROCESS
Presentation
Interpreting the results of the investigation and presenting the findings in an appropriate format
Documentation
Expert Testimony
Decision
What is the result of the investigation?
Suspects?
Corrective Actions?
EVIDENCE LIFE CYCLE
Evidence Life Cycle
Collection and identification
Analysis
Storage, Preservation, Transportation
Present in court
Return to victim (owner)
Integrity and authenticity of evidence must be preserved throughout the life cycle
CONTROLLING THE CRIME SCENE
The scene of the crime should be immediately secured with only authorized individuals allowed in
Document, document, document—the integrity of the evidence could be called in to question if it is not properly documented
Who is at the crime scene/who has interaction with the systems and to what degree. Also, any contamination at the crime scene must be documented (contamination does not always negate the evidence)
Logs should be kept detailing all activities. In most instances, an investigator’s notebook is not admissible as evidence, however the investigator can use it to refer to during testimony
EVIDENCE TYPES
Direct Evidence: Can prove a fact by itself and does not need backup information. Information provided based on the five senses of a (reliable) witness.
Real Evidence: Physical evidence. The objects themselves that are used in a crime.
Best Evidence: Most reliable—a signed contract
EVIDENCE TYPES
Secondary: Not strong enough to stand alone, but can support other evidence. Expert Opinion
Corroborative Evidence: Support evidence. Backs up other information presented. Can’t stand on its own.
Circumstantial: Proves one fact which can reasonably be used to suggest another. Again, can’t stand on its own.
EVIDENCE TYPES
Hearsay: Second-hand oral or written evidence. Usually not admissible. “John heard that Bill heard that…” Copies of a document.
Demonstrative: Presentation based. Photos of a crime scene, x-rays, diagrams.
WHO SHOULD DO THE INVESTIGATION?
Law Enforcement
Available skilled resources for this investigation?
Fourth amendment, jurisdiction, Miranda, privacy issues
More restrictions than private citizen
Information dissemination is not controlled
SUSPECT’S ACTIONS AND INTENT
Enticement
Tempting a potential criminal
Legal and ethical
Honeypot
Entrapment
Tricking a person into committing a crime
Illegal and unethical
Pointing user to a site and then saying they trespassed
SECURITY OPERATIONS
OBJECTIVES
Evidence Collection and Forensics
Configuration Management
Media Management
Fault tolerance and recovery strategies
Business Continuity and Disaster Recovery
GENERAL INFORMATION SECURITY PRINCIPLES
Simplicity
Separation of Privilege
Fail-Safe
Psychological Acceptability
Complete Mediation
Open Design
Layered Defense
Incident Recording
CONTROL MECHANISMS
Control Mechanisms
Protect information and resources from unauthorized disclosure, modification, and destruction
Main types of mechanisms
Physical
Administrative
Technical
GENERAL CONTROL LAYERS
Administrative Controls Development of policies, standards, and procedures
Screening personnel, security awareness training, monitoring system and network activity, and change control
Technical Controls
Logical mechanisms that provide password and resource management, identification and authentication, and software configurations
Physical Controls
Protecting individual systems, the network, employees, and the facility from physical damage
ACCESS CONTROL FUNCTIONS
Preventative: Controls used to STOP undesirable events from taking place
Detective: Controls used to identify undesirable events that have occurred
Corrective: Controls used to correct the effects of undesirable events
Deterrent: Controls used to DISCOURAGE security violations
Recovery: Controls used to restore resources and capabilities
Compensation: Controls used to provide alternative solutions
KEY OPERATIONAL PROCEDURES AND CONTROLS
Fault Management
Configuration Management
System Hardening
Change Control
Trusted Recovery
Media Management
Identity and Access Management
Monitoring
Security Auditing and Reviews
FAULT MANAGEMENT
Spares
Redundant Servers
UPS
Clustering
RAID
Shadowing, Remote Journaling, Electronic Vaulting
Back Ups
Redundancy of Staff
SPARES
Redundant hardware
Available in the event that the primary device becomes unusable
Often associated with hard drives
Hot, warm and cold swappable devices
SLAs
MTBF and MTTR
Mean time between failure = 785 days; Mean time to repair = 16 hours
Mean time between failure = 650 days; Mean time to repair = 12 hours
Mean time between failure = 652 days; Mean time to repair = 24 hours
RAID
RAID-0 : Disk striping provides no redundancy or fault tolerance but provides performance improvements for read/write functions
RAID-1: Disk Mirroring: Provides redundancy but is often considered to be the least efficient usage of space
RAID-5: Disk Striping with Parity: Fault tolerance + Speed
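The slide states that RAID-5 gives fault tolerance plus speed but not how the parity actually delivers the fault tolerance. The following is an added example (not from the slides or any RAID implementation) that stripes a constructed byte string across four simulated disks with rotating XOR parity, reads it back, then rebuilds one failed disk purely from the survivors. Disk and chunk sizes are chosen for the demonstration.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the RAID-5 parity operation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks=4, chunk=4):
    """Stripe data across n_disks with one parity block per stripe, parity rotating across disks.

    Returns a list of disks, each a list of blocks; disks[d][s] is stripe s on disk d.
    """
    if n_disks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_per_stripe = n_disks - 1
    stripe_bytes = chunk * data_per_stripe
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        chunks = [padded[base + j * chunk: base + (j + 1) * chunk] for j in range(data_per_stripe)]
        parity_disk = s % n_disks          # rotation spreads parity writes over all disks
        parity = xor_blocks(chunks)
        remaining = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_read(disks, length):
    """Reassemble the original data by skipping each stripe's parity block."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        out += b"".join(disks[d][s] for d in range(n_disks) if d != parity_disk)
    return out[:length]


def raid5_rebuild(disks, failed):
    """Recompute every block of the failed disk as the XOR of the surviving disks' blocks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [rebuilt if i == failed else d for i, d in enumerate(disks)]


if __name__ == "__main__":
    # Constructed sample payload; 43 bytes pads to four 12-byte stripes on a 4-disk array.
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload, n_disks=4, chunk=4)
    degraded = [None if i == 2 else d for i, d in enumerate(array)]   # disk 2 dies
    repaired = raid5_rebuild(degraded, 2)
    print("rebuilt disk matches original:", repaired[2] == array[2])
    print("data after rebuild:", raid5_read(repaired, len(payload)))
```

Because parity is the XOR of the other blocks in the stripe, any single missing block is the XOR of the rest, which is why a RAID-5 set survives exactly one disk failure and why usable capacity is (n - 1)/n of the raw total. A second failure before the rebuild completes loses the stripe, which is the operational argument for hot spares and for monitoring MTBF figures.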
REDUNDANT SERVERS
Primary server mirrors data to secondary server
If primary fails it rolls over to secondary
Server fault tolerance
CLUSTERING
Group of servers that are managed as a single system
Higher availability, greater scalability, easier to manage instead of individual systems
May provide redundancy, load balancing, or both.
Active/Active
Active/Passive
Cluster looks like a single server to the user
Server farm
UNINTERRUPTIBLE POWER SUPPLY
Issues to Consider
Size of load UPS can support
How long it can support this load (battery duration)
Speed the UPS takes on the load when the primary power source fails
Physical space required
Desirable Features
Long battery life
Remote diagnostic software
Surge protection and line conditioning
EMI/RFI filters to prevent data errors caused by electrical noise
High MTBF values
Allow for automatic shutdown of system
BACKUPS
Backing up software and having backup hardware is a large part of network availability
It is important to be able to restore data:
If a hard drive fails
A disaster takes place
Some type of software corruption
BACKUPS
Full backup
Archive Bit is reset
Incremental backup
Backs up all files that have been modified since last backup
Archive Bit is reset
Differential backup
Backs up all files that have been modified since last full backup
Archive Bit is not reset
Copy backup
Same as full backup, but Archive Bit is not reset
Use before upgrades, or system maintenance
BACKUPS
Day          Sunday   Monday   Tuesday   Wednesday   Thursday            Backups needed to recover
Full only    Full     Full     Full      Full        Server Crash!!!!!   Full (W)
Full + Inc   Full     Inc      Inc       Inc         Server Crash!!!!!   Full (S) + Inc (M, T, W)
Full + Diff  Full     Diff     Diff      Diff        Server Crash!!!!!   Full (S) + Diff (W)
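The archive-bit rules on the previous slide and the recovery table above can be checked against each other with a small simulation. The following is an added example (not from the slides) that models a file system with archive bits, runs the Sunday-to-Wednesday schedule under each strategy with a constructed set of daily file changes, and computes the minimal set of backups needed to rebuild the Wednesday-evening state after the Thursday crash. File names and change pattern are invented for the demonstration.

```python
# Constructed workload: which files change on which day (the slide's Sun..Wed schedule).
CHANGES = {
    "Sunday":    {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
    "Monday":    {"a.txt": "a1"},
    "Tuesday":   {"b.txt": "b1"},
    "Wednesday": {"c.txt": "c1"},
}
DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday"]


class Filesystem:
    def __init__(self):
        self.files = {}        # name -> content version
        self.archive = set()   # names whose archive bit is set (changed since last reset)

    def write(self, name, content):
        self.files[name] = content
        self.archive.add(name)


def run_backup(fs, kind):
    """Capture files according to the backup type and update archive bits the way the slide describes."""
    if kind in ("full", "copy"):
        captured = dict(fs.files)                       # everything
    else:                                               # inc or diff: only files with the bit set
        captured = {n: fs.files[n] for n in fs.archive}
    if kind in ("full", "inc"):
        fs.archive.clear()                              # full and incremental reset the bit
    return captured                                     # diff and copy leave it set


def simulate(kinds):
    """kinds: one backup type per day in DAYS. Returns (history, final file state)."""
    fs = Filesystem()
    history = []
    for day, kind in zip(DAYS, kinds):
        for name, content in CHANGES[day].items():
            fs.write(name, content)
        history.append((day, kind, run_backup(fs, kind)))
    return history, dict(fs.files)


def restore_set(history):
    """Minimal backups to rebuild the last state: the latest full, plus later sets not superseded.

    A backup is superseded when every file version it holds also appears in some later backup.
    """
    last_full = max(i for i, (_, k, _) in enumerate(history) if k == "full")
    chain = history[last_full:]
    needed = []
    for i, (day, kind, captured) in enumerate(chain):
        later = chain[i + 1:]
        superseded = all(any(c.get(n) == v for _, _, c in later) for n, v in captured.items())
        if i == 0 or not superseded:   # the full always stays
            needed.append((day, kind))
    return needed


def restore(history, needed):
    """Apply the chosen backups in chronological order and return the rebuilt file state."""
    state = {}
    for day, kind, captured in history:
        if (day, kind) in needed:
            state.update(captured)
    return state


if __name__ == "__main__":
    for plan in (["full"] * 4, ["full", "inc", "inc", "inc"], ["full", "diff", "diff", "diff"]):
        history, final = simulate(plan)
        needed = restore_set(history)
        print(plan, "->", needed, "rebuild ok:", restore(history, needed) == final)
```

The output reproduces the table's last column: all-full needs only Wednesday's full; full plus incrementals needs the Sunday full and every incremental, because each one holds changes no other set has; full plus differentials needs only the Sunday full and Wednesday's differential, because each differential re-captures everything since the full. The same simulation shows the trade-off the slides imply: incrementals are small but the restore chain is long and breaks if any link is missing, while differentials grow all week but restore in two steps.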
BACKUP ISSUES
Identify what needs to be backed up first
Media Rotation Scheme
Grandfather, Father, Son
Tower of Hanoi
Backup schedule needs to be developed
If restoring a backup after a compromise, ensure that the backup material does not contain the same vulnerabilities that were exploited
REDUNDANCY OF STAFF
Eliminate Single Point of Failure
Cross Training
Job Rotation
Mandatory Vacations
Training and Education
MEDIA MANAGEMENT
Production Libraries
Holds software used in production environment
Programmer Libraries
Holds work in progress
Source Code Libraries
Holds source code and should be escrowed
Media Library
Hardware centrally controlled
CONTROLLING ACCESS TO MEDIA – LIBRARIAN
Librarian to control access
Log who takes what materials out and when
Materials should be properly labeled
Media must be properly sanitized when necessary
Zeroization (Previous DoD standards required seven wipes. Currently, only one is required.)
Degaussing (Only good for magnetic media)
Coercivity: Amount of energy required to reduce the magnetic field to zero
Physical destruction (The best means of removing remnants).
SECURITY OPERATIONS OBJECTIVES
Incident Response, Evidence Collection and Forensics
Fault tolerance and recovery strategies
Business Continuity and Disaster Recovery