CISSP - Domain 7
Surveillance, Search, and Seizure
- physical surveillance pertains to security cams, guards, CCTV. - computer surveillance pertains to auditing events, network sniffers, keyboard monitors, wiretaps, line monitoring. Most jurisdictions require search warrant. workplaces can legally monitor individuals if warn ahead of time. - if possible evidence might be destroyed, law enforcement may quickly seize evidence to prevent its destruction, referred to as exigent circumstances. - thin line btwn enticement and entrapment. enticement is legal and ethical, entrapment is illegal and unethical. honeypot entice b/c many open ports and services running attackers 'enticed' to exploit. if org names hyperlink indicating a legitimate place to go but but directs honeypot system, that is entrapment.
Preventing and Detecting
1. understand the risk. premise is can't ever eliminate all risks and should devote resources to mitigating most dangerous risks to level likelihood is acceptable to senior leaders. 2. use right controls. once focused on right set of risks, can more easily identify appropriate controls to mitigate them. 3. use controls correctly. also need ensure emplaced and config'd correctly. 4. manage config. properly done, config mgmt ensures have ground truth about network so can better answer questions typically asked when doing security operations. 5. assess your operation. should constantly (at least periodically) looking at defensive plan.
RAID Levels
0: striped over several drives, no redundancy or parity. one fails, entire volume unusable. 1: mirroring of drives. data written to two drives at once. 2: data striping over all drives at bit level, parity created w/ hamming code (identifies errors). 39 disk max. not used in production anymore. 3: data striping over all drives (byte-level) and parity data held on one drive. if a drive fails, can be reconstructed from parity drive. 4: same as 3, but parity created at block level. 5: data written in disk sector units to all drives, parity written to all drives also, no SPOF. 6: similar to 5, but w/ fault tolerance using second set of parity data on all drives (double parity). 0+1: data mirrored to sets of drives, then data striped across those drives, can support multiple drive failures. 1+0: data striped to sets of drives, then those drives are mirrored.
Machine Learning (ML) and Artificial Intelligence (AI)
ML and AI are tools that give systems the ability to learn and improve without much human input.
Grid Computing
a load-balanced parallel means of massive computation, similar to clusters bu implemented w/ loosely coupled systems that may join and leave grid randomly. many computers have extra CPU power not used and users volunteer to allow extra processing power available to groups for diff projects (first was Search for Extraterrestrial Intelligence). * sensitive data should not be processed this way and not proper for time-sensitive applications.
Choosing Software Backup Facility
Think about: - can media accessed necessary timeframe? - facility closed weekends/holidays, operate during specific hours of the day? - access control mechanisms tied to alarm and/or police? - facility have capability protect media from threats? - availability of vonded transport service? - geographical environmental hazards such as floods, earthquakes, tornadoes, etc.? - facility have fire detection and suppression? - physical, admin, logical access controls used?
Response during incident
This is a substage of analysis, where data gathered (audit logs, vid captures, human accounts of activities, system activities) figure out root cause of the incident. goals are figure out who did it, how, when, and why. Mgmt continually kept abreast. Biggest challenge is dynamic nature of logs; many systems purge or overwrite logs in short timeframe. once have hypothesis of goals and plans, test it.
Implementing Disaster Recovery - Training
Train your team on execution of DR plan, critical for at least three reasons. - allows to validate plan will work. - ensure everyone knows what supposed to do. - helps establish you are exercising due care (might keep you out of legal trouble in the aftermath).
Provisioning Cloud Assets
cloud provisioning is all activities to provide new cloud assets to user or group. Provisioning IaaS assets, user population is limited to the IT department (because the provisioning must securely limit who has access to the infrastructure, what the infrastructure has access to, etc.).
Emergency Management
common tool ensuring safety of personnel during emergencies is occupant emergency plan; describes actions that facilitate occupants take in order to ensure their safety during emergency. Locks should fail open (where possible). fail-safe device will automatically move to sate that ensures safety in the event of a failure.
Antimalware
commonly called antivirus, is software to detect and neutralize malicious SW, including viruses, worms, Trojan horses. majority is rule-based w/ new definitions automatically downloaded from vendor. works by identifying distinctive attribute of malware, extracting that as its signature, then updating all SW systems with it.
Liability Scenarios - Personal Information
company holding medical info doesn't have strict procedures how info disseminated or shared.... - Legally recognized obligation: HIPAA Privacy Rule requires company have policies and procedures to protect patient info. ADA prohibits employers making inquiries likely to reveal existence of disability before making job offer. - Failure to conform: sensitive info cannot be released to unauthorized person. employer cannot request info they shouldn't have. - Proximate cause and resulting injury/damage: if company provides info it shouldn't, emotional distress and prevention of getting a job can be shown. in addition, company cannot makes decisions based on info it shouldn't have.
Computer Forensics and Proper Collection of Evidence - Computer Criminal Behavior
computer criminals have specific modus operandi (MO); a district method of operation to carry out crime used to help identify them. * Locard's exchange principle: criminal leaves something behind at scene and takes something with them.
External Boundary Protection Mechanisms - Bollards
concrete pillars preventing driving vehicle through exterior wall, placed btwn facility and parking lot and/or facility and road.
Centralized Patch Management
considered a best practice. should also test patches, then patch subnets incrementally to minimize downtimes of bad patches. most common approaches: - agent based (update agent on each device comms w/ update servers) - agentless (one of more hosts connect to each device using admin credentials checking for needed updates [could be AD objects in DC to manage patches]) - passive (passively monitor network traffic to infer patch levels on each application or service, minimally intrusive and least effective).
Storage Area Networks (SAN)
consists of numerous storage devices linked together by high-speed private network and storage-specific switches, creating a "fabric" allowing users to attach to and interact transparently. SANs provide redundancy, fault tolerance, reliability, and backups, and allows users and admins to interact w/ SAN as one virtual entity.
Contingency Planning
contingency mgmt defines what takes place during and after an incident. action req'd for emergency response, continuity of operations, and dealing w/ major outages must be documented and readily available to the operations staff. should be at least three instances -- on site, on site in fireproof safe, offsite. * BCP is how to keep org in business after disaster. contingency plan is how deal w/ small incidents not qualifying as disasters (power outage, server failure, etc.).
Outsourced services
may orgs turn to managed security services providers (MSSP). before doing so, should consider: - Req's: can't outsource responsibility, need understand own security needs. - Understanding: does MSSP understand your business processes, asking right questions to get there? you should also understand their qualifications and processes. - Reputation: need devote time to asking other security professionals about their experiences w/ specific companies. - Costing: likely have to compromise and address only subset of your req's. - Liability: reasonable MSSP will put limits on their liability if your org is breached. read the fine print!
Single Points of Failure
high potential risk to network b/c if device fails, segment of even entire network negatively affected. multiple paths should exist btwn routers in case one router goes down and dynamic routing protocols used so each router informed when change to network takes place.
Personnel Access Controls
identification and authentication can be verified by anatomical attribute (biometric system), smart or memory cards (swipe cards), presenting photo ID, using key, or providing card and PIN/PW. - piggybacking: individual gains unauthorized access by using someone else's credentials or access rights. - user-activated readers: means user has to do something; swipe card or enter PIN. - system sensing access control reader (aka transponders): recognize presence of approaching object and sends interrogating signals, obtains access code from card w/ out user doing anything. *Electronic access control (EAC) tokens: generic term describing proximity authentication devices which identify and authenticate users before allowing entrance.
Mean Time Between Failure (MTBF)
measure of how long expect equipment operate reliably. calculated by average time between failures of said equipment/component. Implies device or component is repairable (if it isn't, use mean time to failure [MTTF]).
Hardware Backups
identify equipment req'd to keep critical fctns running, incl servers, workstations, routers, switches, tape backup devices, and more. will images work on new computers, etc.? if org using legacy computers and HW, after disaster will it find replacements?
Physical Security
implemented using layered approach, working in two main modes: normal facility operations and another when facility is closed.
End-User Environment
manager tree set up, so each manager responsible for notifying people he is responsible for, getting everybody on same page. recovery process for user environment should be laid out in diff stages; first stage most critical departments, next stage second most critical, and so on. BCP team needs identify how automated tasks can be carried out manually, pen-and-paper methods might be needed, comms thru phones instead of email, couriers instead of regular mail.
media management
managing hard drives, optical discs, even paper.
mitigation during incident
mitigate, or contain, damage to most critical assets, followed by less important assets. goal of mitigation is prevent or reduce further damage so can recover and remediate. mitigation can be proactive or reactive.
Rolling Hot Site
mobile hot site; large truck or trailer turned into data processing or working area. trailer driven over to new site, data has to be retrieved, personnel put into place. another option is prefabricated building; easily and quickly put together. another option is multiple processing sites; service providers provide data processing from multiple sites so if org's data processing interrupted all or some of processing moved to service provider's servers.
Security and Network Personnel
security administrator should not report to network administrator (jobs can be at odds and mutually exclusive). security administrator jobs: - implement/maintain security devices and softare - carry out security assessments - create/maintain user profiles and implement/maintain access control mechanisms - config/maintain security labels in MAC environments - manage PW policies - review audit logs
Contractual Agreements
security considerations should be taken for (at least) following types: - outsourcing agreements - HW supply - system maintenance and support - system leasing agreements - website dev and support - nondisclosure and confidentiality agreements - info sec mgmt agreements - SW dev agreements - SW licensing
Backups
the more frequent, the more resources needed, so need to balance costs and actual risk of losing data. may find auto backups through software more economical and effective than spending IT work-hours.
Computer Forensics and Proper Collection of Evidence - Motive, Opportunity, Means
Motive, Opportunity, Means = MOM. motive: who and why. opportunity: where and when. means: abilities criminal needs to be successful.
Continuous Monitoring
NIST 800-39 "Information Security Continuous Monitoring" defines info sec continuous monitoring. an ongoing and structured verification of security controls. deliberate, risk-based process to determine what gets monitored, how monitored, and what to do w/ info gathered. logging policies should be pretty permissive to capture as much data as you can in case ever need it. monitoring more limited because typically req's human to do it or at least deal with reports. the point is to determine if controls remain effective, and involves deciding how to respond to findings.
Reporting during incident
NIST 800-61 Computer Security Incident Handling Guide: - summary of incident - indicators - related incidents - actions taken - chain of custody for all evidence - impact assessment - identity and comments of incident handlers - next steps to be taken
Patch management
NIST Special Pub 800-40 "guide to enterprise patch management technologies" is process for identifying, acquiring, installing, verifying patches for products and systems.
Travel
Determine threat landscape at destination. so orgs have country-specific briefings. Important to know location and contact info for nearest embassy or consulate. Some best practices: - ask for room on second floor. - ask for & keep hotel business card on you in case have to call policy or embassy and provide location. - secure valuables in room safe. - always use security latch on the door. - keep passport on you at all times.
Facility Access Control - Door Locks
'delaying' devices. should be used as part of protection scheme but not the only one. - mechanical locks can be warded and tumbler. warded has spring-loaded bolt and notch cut in it and wards surrounding keyhole (easiest to pick). tumbler lock has more parts. * pin tumbler: each pin must be pushed to correct height to allow cylinder to rotate. * wafer tumbler (aka disc tumbler locks): uses flat discs instead of pins (used often in cars and desks). * lever tumbler: - combination locks: require combo of numbers to unlock. - cipher locks (programmable locks): keypads to control access, possibly swipe card. combos can be changed, sequence values can be locked out, personnel in trouble or under duress enter specific code will open door and initiate remote alarm at same time. can have door delay (alarm goes off if door open too long), key override (emergency code overrides normal procedures), master keying (can change access codes), hostage alarm (duress code), and usually a visibility shield so others cannot see combo entered. * somebody should be designated to manage keys
Availability
'high availability': combination of technologies and processes work together ensure specific thing always up and running, can be database, network, app, power supply. redundancy: commonly in routing protocol levels, if one link down traffic router over diff link, but also HW. failover: if failure means cannot be handled via normal means, processing switched over to working system (server A sends server B heartbeat signal, if server B does not hear from A, then all processing sent over to B). clustered: overarching piece of software monitoring each server, carrying out load balancing. if one server w/ in cluster down, software stops sending data to it. fault tolerance: capability of technology to continue to operate even if unexpected takes place (a fault); TCP resending packets, database corruption rolled back to known-good state, parity in RAID rebuilds database. resiliency: when system continues to function, albeit in degraded fashion. reliability: probability system performs necessary functions for specified period.
configuration management
'operational process' of establishing and maintaining consistent baselines on all systems. have policy how changes take place, who makes them, how approved, how documented and communicated. (change management is 'business process'). - Change control process: well-structured change control process aids staff through diff types of changes to environment. should include following: * request for change: presented to individual or group to approve and oversee activities of changes. * approval of change: justify the reason(s) and show benefits and possible pitfalls of change. * documenting change: entered into change log, denied requests also documented so record of rationale for not making a change. * tested and presented: fully tested to find unforeseen results, should also have rollback plan to last known-good config. * implementation: fully tested and approved, schedule developed that outlines projected phases and necessary milestones, steps fully documented and progress monitored. * report change to mgmt: full report summarizing change submitted to mgmt. - change control documentation: keeping details organized is impossible unless log of activity kept. if nobody properly keeps documentation, company may be doomed to repeat same thing some months later.
threat intelligence feed
(TI feed) also referred to as a threat feed, is an ongoing stream of data related to identified potential threats to an organization's security, usually provided by threat intelligence sources (include open source intelligence, social media intelligence, human Intelligence, and technical intelligence, including intelligence from the dark web).
Personal Safety Concerns
*Human Safety always trumps other concerns.*
Incident Management Process
*incident management includes proactive and reactive processes. should be included in disaster recovery plan as appendix. employees also need to know how to report an incident. All orgs should have incident response policy indicating who has authority to initiate incident response, w/ supporting procedures before an incident takes place, as well as what systems can be taken offline to save evidence and which to keep running risking losing evidence. 7 phases: detect, respond, mitigate, report, recover, remediate, learn. * event: any occurrence observed, verified, documented. * incident: one of more events negatively affecting company and/or impact to security posture.
Computer Forensics and Proper Collection of Evidence - Types of Investigations
- Administrative: focused on policy violations; least impactful. - Criminal: aimed at determining cause to belie beyond reasonable doubt someone committed crime, then preserve evidence to ensure our org contacts appropriate LEA and assist them. - Civil: instead of working w/ LEA, probably w/ attorneys from both sides, and standard of proof much lower (preponderance of evidence). - Regulatory: initiated by govt regulator when reason to believe org is non-compliant.
Facility Access Control - Device Locks
- Switch controls: cover on/off switches - Slot locks: secure system to stationary component w/ steel cable - Port controls: block access to disk drives or unused serial or parallel ports - Peripheral switch controls: secure keyboard by inserting an on/off switch btwn system unit and keyboard input slot - cable traps: passing cables through lockable unit to prevent removal of I/O device.
External Boundary Protection Mechanisms
- control pedestrian and vehicle traffic - various levels of protection for diff security zones - buffers and delaying mechanisms to protect forced entry attempts - limit and control entry points All can be done via access control mechanisms (locks and keys, card access system, personnel awareness), physical barriers, intrusion detection (perimeter sensors, authentication mechanisms), assessment (guards, CCTV cameras), response (guards, local LE), deterrents (signs, lighting, environmental design).
Honeypot and Honeynet
- honeypot: device to deceive attackers thinking production system. - honeynet: entire network meant to be compromised - honeyclient: synthetic applications to allow attacker conduct client-side attack. could use it to visit link in e-mail to pretend it is a real user. some honeyclients are highly interactive while others are mostly/completely automated. * blackhole: routers with rules silently dropping specific packets w/out notifying source.
Trusted Recovery - security concerns
- protect bootup sequence: should be C:, A:, D:. system must prevent attacker from changing sequence; access to BIOS should be protected. - do not allow bypassing of writing actions to system logs: system logs and system state files must be preserved against attacks. - do not allow system forced shutdowns: only admins should be able to instruct critical systems to shut down. - do not allow outputs to be rerouted: diagnostic output from system can have sensitive info. log files and console output must be protected by access controls from being read except for authorized admins, unauthorized users must not be able to redirect destination of diagnostic logs and console output.
Recovery Site Strategies
3 main types of disruptions: nondisasters (significant but limited impact), disasters (entire facility unusable for >=day), catastrophes (major disruption destroying facility altogether). three basic options to mitigate these: dedicated site org operates itself, lease commercial facility such as a 'hot site', formal agreement w/ another facility to restore operations. * Hot site: fully configured and ready to operate w/ in few hours; only missing resources are data, retrieved from backup site and people processing the data. (backup data should be tested here to make sure it is useful). most expensive recovery site option. * warm site: partially config'd w/ some equipment like HVAC and foundational infrastructure components, not actual computers. most widely used model b/c less expensive and up and running in reasonable acceptable time period. * cold site: basic environment, electrical wiring, A/C, plumbing, flooring, but no equipment or add'l services. essentially an empty data center, may take weeks to be activated. * service bureau: company that has add'l space and capacity to provide applications and services such as call centers. pay a monthly subscription fee for this space and service. * contingency company: purpose is to supply services and materials to org experiencing an emergency.
off-site location distance requirements
5 miles at the bare minimum from primary site 15 miles for low-to-medium critical environments 50-200 miles for critical operations for max protection should consider: - how long facility avail? - how much assistance will staff supply integrating two environments and ongoing support? - how quickly can move into new facility - issues of interoperability - how many resources available? - how differences and conflicts addressed? - how often drills and testing take place? - how to do change control and config mgmt? - how critical assets of both companies properly protected?
cyber kill chain
7 stage intrusion model: 1. reconn 2. weaponization: adversary determines best way into system(s) 3. delivery: email 95% of the time 4. exploitation: malicious software executing on CPU w/in network 5. installation: malicious payload delivered in stages; exploit compromised system, some other SW installed to ensure persistence. 6. command and control (C&C): malware phones home to tell attack was successful. 7. actions on objective: malware ready to do whatever designed to do. * best to thwart attack before stage 4. tune sensors and analysis platforms to reduce false positives.
User and Entity Behavior Analytics (UEBA)
Also known as user behavior analytics (UBA), is the process of gathering data regarding daily user network events. Once collected and analyzed, it will aid in detecting the use of compromised credentials, lateral movement, and other malicious behavior.
Supply and Technology Recovery
BCP should also include solutions for: - network and computer equipment - voice and data comms - human resources - transportation of equipment and personnel - environment issues (HVAC) - Data and personnel security - Supplies - documentation
Business Process Recovery
BCP team must understand different steps of company's most critical processes, usually presented as workflow w/ roles and resources. - req'd roles - req'd resources - input/output mechanisms - workflow steps - req'd time for completion - interfaces w/ other processes
Backup Storage Strategies
BCP team responsibility is provide solutions to protect data and identify ways to restore it after disaster. operations team responsible for defining which data backed up and how often; can be full, differential (changes since last full), incremental (changes since last incremental). should be good way to back out of backup reconstruction if something goes wrong. archive bit: OS file system tracks what has been modified by setting archive bit (set to 1 after change). backup software looks at that bit setting. during full backup archive bit set to 0.
External Boundary Protection Mechanisms - Visual Recording Devices
Closed-circuit TV (CCTV): monitoring device w/ cameras. must consider several items: purpose of CCTV, type of environment will work in (internal v external), field of view required, amt of illumination of environment, integration w/ other security controls (guards, IDSs, alarm systems). - CCTVs made up of cameras, transmitters, receivers, recording system, monitor (cameras connect to both multiplexer and control unit [PTZ], multiplexer connects to monitor). CCTV sends captured data from camera's xmitter to monitor's receiver thru coaxial cable. - CCTVs use light-sensitive chips (charged-coupled devices, CCD). 2 types of lenses are fixed focal length and zoom (varifocal). shorter focal length means is wider angle views (2.8-4.3mm covers warehouse). size of images on monitor w/ area covered by one camera is defined focal length. - 'depth of field' is portion of environment in focus when shown on monitor; depth of field increases as size of lens opening decreases. - 'irises' control amt of light entering lens. - lux: illumination requirements req'd for camera (1 ft-candle = 10.76 lux). - annunciator system: can either "listen" for noise and activate devices or can detect movement.
threat hunting
Cyber defense activity that proactively and iteratively searches networks to detect and isolate advanced threats that evade existing security solutions.
Administrative Management
Dealing w/ personnel issues (including separation of duties and job rotation, mandatory vacations, least privilege, and need-to-know).
Computer Forensics and Proper Collection of Evidence - Forensic Investigation Process
Ensures standardized manner and evidence collection admissible. Identification, Preservation, Collection, Examination, Analysis, Presentation, Decision. - critical to work from image containing ALL data from original disk, bit-level copy, sector by sector, captures deleted files, slack spaces and unallocated clusters. Can be done via Forensic Tookit (FTK), EnCase Forensic, or dd Unix utility. Create message digests for files and directories before and after analysis to prove integrity of original image. - document who at crime scene and allow only those authorized to be there. record last individuals to interact w/ systems. - original media should have two copies created: primary image (control copy) and working image (for analysis). new media must be properly purged so not contain residual data (old data can be on brand new drives). - data can be in volatile memory; registers and cache, process tables and ARP cache, system memory (RAM), temp file systems, special disk sectors. - evidence marked w/ date, time, initials of collector, case number if one assigned, sealed in container w/ evidence tape (writing on the tape to indicate if opened). wires and cables labeled, photo of labeled system taken before disassembled, media write-protected if possible. - media evidence storage dust free, room temp w/ out humidity, away from magnets/magnetic fields, handled with cloth gloves.
Operations Department
Ensuring people, apps, equipment, and overall environment are properly and adequately secured.
Computer Forensics and Proper Collection of Evidence - Incident Investigators
Good ones aware of suspicious or abnormal behavior other might normally ignore. could identify port scans, attempted SQL injections, evidence in a log of dangerous activity. Identifying these activities more difficult b/c more subtle. Can perform 4 types of assessments: - Network analysis (traffic, log, path tracing). - Media analysis (disk imaging, timelines, registry, slack space, shadow volumes). - SW analysis (reverse engineering, malicious code review, exploit review). - HW/embedded device analysis (dedicated appliance attack points, FW and dedicated memory inspections, embedded OSs, virtual SW, hypervisor analysis).
Liability Scenarios - Hacker Intrusion
If Financial institution buys necessary middleware to enable offer online bank account transactions but does not add necessary security safeguards -- customers' checking and savings accts hacked. - legally recognized obligation: under Safeguards Rule in Gramm-Leach-Bliley Act (GLBA), financial institutions req'd have info security programs protecting consumers' personal financial info. - failure to conform: not erecting policy and program security controls, they broke federal regulations. - proximate cause and injury/damage: failure to practice due care, caused clients to $439K.
Software Backups
If IT dept's environment had to be rebuild, how gain SW packages? SW needs backed up and can be applications, utilities, databases, OSs. make sure at least two copies of OS SW and critical applications; one copy onsite and other copy secure offsite location. Software escrow: 3rd party holds source code, backups of compiled code, manuals, and other supporting materials. contract btwn SW vendor, customer, and 3rd party outlines who can do what, when, w/ source code (usually states customer can access source code only if & when vendor goes out of business, is unable carry out responsibilities, or is in breach of original contract.
Accountability
Important to maintain user privileged account management process to enforce principle of least privilege and avoid authorization creep.
Network and Resource Availability
Key points: - Redundant HW: 'hot swapping' keeps info highly available. - fault-tolerant technologies: keep info available against individual storage faults but also whole system failures; among most expensive solutions and is justified only for most mission-critical info. - service level agreements (SLAs): help service providers (whether internal or outsourcer) decide type of availability is appropriate. - solid operational procedures: req'd to maintain availability, most reliable HW w/ highest redundancy for fastest mean time to repair will be waste of money if operational procedures/training not part of operational environment.
Disaster Recovery
Maximum Tolerable downtime (MTD) values are broad strokes; not enough detail to pinpoint actual recovery solutions needing to be purchased and implemented. Recovery time objective (RTO) max time to be restored to service level after disaster. MTD is total tolerated downtime, then RTO is time to get back up -- remaining time of MTD is work recovery time (WRT) and deals w/ restoring data, testing processes, putting everything into production. -Recovery Point Objective is acceptable amt dta loss measured in time, represents earliest point at which data must be recovered. * MTD, RTO, RPO values derived during business impact analysis (BIA).
Implementing Disaster Recovery - Personnel
Might have: - damage assessment team: document and include following; cause of disaster, potential for further damage, ID affected business functions and areas, ID level of functionality for critical resources, ID resources must be replaced immediately, estimate how long bring critical functions back online, determine if will take longer than estimated MTD to restore ops, declare BCP put into action and which teams to activate. some things to consider may be some or all of: danger to human life, danger to state/nat'l security, damage to facility, damage to critical systems, estimated value of downtime will be experienced. - recovery team - relocation team - restoration team: gets alt site functional. enter restoration phase once damage assessment complete. well organized to get company up and running as soon as possible. need consider employee safety, adequate HVAC, equipment/supplies in working order, comms working. once readiness of facility signed off, carry out: backup data from alt site to restore w/in new facility, terminate contingency ops, transport equipment and personnel to new facility. least critical functions moved first to limit impact to issues w/ comms. - salvage team: starts recovery of original site - security team
Intrusion Detection and Prevention Systems
Once clear on risk trying to mitigate, can start deciding which detection and prevention controls offer bets return on investment. placement of sensors is critical -- want to start as close to edge routers as you can while staying inside perimeter. as resource needs dictate, can place add'l IDS/IPS in and/or btwn subnets. also need to reduce false positives and false negatives. * baselining is process of establishing normal patterns of behavior for netowrk or system. * any inline network security device (FW, IDS, IPS) has max througput. must match throughput w/ load on network segment or will create bottleneck and drop packets.
Procurement and Vendor Processes
Org's security req's can be expressed and integrated into procurement process, includes activities and processes involved w/ defining req's, evaluating vendors, contract negotiation, purchasing, and receiving needed solution. - acquisition of a solution often includes 'request for proposals" (RFP), designed to get vendors to provide solutions to problems, brings structure to the procurement decision, allow risks and benefits of solution identified up-front. - vendor mgmt: involves developing and monitoring vendor relationships after contracts in place. - vendor mgmt governing: includes performance metrics, SLAs, scheduled meetings, reporting structure, and someone directly responsible.
incident response team - characteristics and types
Respond to large array of possible security incidents. Ensure group of people properly skilled, follow set of procedures when event takes place. Three types of teams: - virtual (experts w/ other duties w/in org, has slower response time). - permanent (dedicated response staff, can be cost prohibitive to smaller orgs). - hybrid (virtual and permanent models, core members permanently assigned and others called in as needed. * members of the team should be on the mailing list of CERT to keep up-to-date on new issues and spot malicious events.
Implementing Disaster Recovery
Start by anticipating threats and developing goals supporting business's continuity of operations. - responsibility: each individual responsibilities spelled out, tasks assigned, etc. - authority: every team does much better w/ established trusted leader, knows what is expected, etc. - priorities: must know critical versus nice to have, will prioritize money and people. - implementation and testing: once plan developed, actually put into action; drills at least once a year and entire program continually updated and improved.
System Hardening
Start with Gold Master (GM); standard hardened image. - include applications and services needed by all users, - then develop secure configs for all software, ensuring still provide functionality and interoperability w/ rest of network, - next put image through vuln scan and ideally penetration testing, - finally, roll out image by cloning it onto hard drives of all users' workstations. - Database engines should run as unprivileged user, than not root or SYSTEM.
incident response team - needs and processes
Team should have: - list of outside agencies/resources to contact/report to - outline of roles and responsibilities - call tree to contact these roles and outside entities - list of computer or forensic experts - list of items included in report for mgmt and courts - description of how diff systems treated during incident First, team investigates report to determine if actual crime committed. it one has, senior mgmt informed immediately. if employee did it, HR called right away. begin documenting team's findings/procedures right away. team must decide conduct own forensic investigation or call in experts. If experts called, system should be left alone to preserve evidence.
Reciprocal Agreements
agreement w/ another company in similar field or has similar technology infrastructure; company A can use company B resources if disaster and vice versa. may introduce security issues mixing operations, may need subset of people w/ privileges and direct access to your resources in the shared environment. mutual aid agreement: more than two orgs help one another during emergency. legal and IT depts should carefully scrutinize accords before org signs onto them.
Redundant Site
aka, mirrored site. fully equipped and config'd exactly like primary site. is under org's complete control but is most expensive backup option. Orgs own redundant sites but hot sites are leased.
artifact
artifact: in a digital forensics investigation includes things like registry keys, files, timestamps, and event logs. These are the traces security professionals follow in digital forensic work. They will vary depending on the device type, operating system, and other factors.
External Boundary Protection Mechanisms - Lighting
critical areas need illumination reaches at least eight feet w/ illumination of two foot-candles (foot-candle = 1 lumen per square foot). lighting should be pointed at gates or exterior access points, guard locations should be more in the shadows or under lower amount of illumination ('glare protection'). array of lights providing even amt of illumination across an area referred to as 'continuous lighting', while 'standby lighting' is set to turn on/off at certain times, and 'responsive area illumination' is when IDS detects suspicious activities and turns on lights in specific area.
Implementing Disaster Recovery - Communications
critical that different formats of the plan available to team, both electronic and paper versions. publish call tree on cards to affix to badges or kept in wallet. * PACE: comms plan for US Armed Forces. Primary (normal/expected capability), Alternate (fully satisfactory capability to achieve objective w/ minimal impact to ops), Contingency (workable capability to achieve objective), Emergency (last-resort capability).
Computer Forensics and Proper Collection of Evidence
digital forensics: synonyms for computer forensics, netowrk forensics, electronic data discovery, cyberforensics, forensic computing. - in most situations, best to remove system from network, dump memory, power down system, make sound image of attacked system, perform forensic analysis on the copy. capturing RAM or conducting live analysis can introduce changes to crime scene b/c state changes and operations take place. in the US, Scientific Working Group on Digital Evidence (SWGDE) aims to ensure consistency across forensic community, governed by: - consistency w/ all legal systems - allowance for use of common language - durability - ability to cross int'l and state boundaries - ability to instill confidence in integrity of evidence - applicability at every level; individual, agency, country * Digital Forensic Research Workshop (DFRWS) joins academic researchers and forensic investigators to address standardized process for collecting evidence.
Vulnerability management
cyclical process of identifying vulnerabilities, determining risks posed to org, applying security controls that bring risks to acceptable levels. vulns exist in business processes and people, too. Vuln assessment steps: 1) prepare (scope teh assessment), scan (outside normal hours), remediate (compensating controls), document. - SW vulns: usually discovered by security researches who notify vendors, but not public until vendor has patch available (aka responsible disclosure). CERT is main clearinghouse for vuln disclosures. - Process vulns: flaw of weakness in process, independent of use of automation (ex: threat actor spoofs supervisor email to provision acct for themselves). can use Red Team; trusted individuals whose job is look at something from adversary's perspective (study process, understand org's environment, look for ways to circumvent controls). - Human vulns: over 90% of security incidents traced back to a person. social engineering assessments involve team of trained personnel exploiting vulns in org's staff -- 3 phases are open-source intel (OSINT; collecting public info about person), assessment planning (identify kinds of engagements, topics, pretexts to exploit them), assessment execution (engage target(s)).
Remote Access Security
dangerous to allow computers directly connect to corporate network w/out knowing if properly patched, virus signatures updated, or infected w/ malware. best security includes: - require VPN protected by tw-factor authentication. - commands and data not take place in cleartext, even if using VPN. - strong authentication in place for any admin activities. - only small number of admins should able to carry out this remote functionality.
Liability and Its Ramifications
develop liability and responsibility approaches. company responsible for providing fire detection and suppression systems, fire resistant construction material, alarms, exits, fire extinguishers, etc. - due care means company did all it could reasonably do to prevent security breaches, and also took reasonable steps ensure if breach did happen proper controls or countermeasures were in place to mitigate damages. in short, org practiced common sense and prudent mgmt acted responsibly. - due diligence: org properly investigated all possible weaknesses and vulns. costs and benefits of security should be evaluated in monetary and non-monetary terms to ensure cost of security not outweigh expected benefits. - downstream liability: when one company's security breach negatively impacts another company. to prove negligence, plaintiff must establish defendant had legally recognized obligation to protect plaintiff from unreasonable risks and defendant's failure was proximate cause (cause-in-fact, naturally and directly producing consequence) of plaintiff's damages. penalties can be civil or criminal. - legally recognized obligation: needed by plaintiff to prove negligence exists in court.
Disk duplexing, shadowing, vaulting, journaling
disk duplexing: more than one disk controller; if one controller fails the other is ready. disk shadowing: ensures availability of data and fault-tolerant solution by duplicating hardware and maintaining more than one copy of the info; each disk has corresponding mirrored disk containing exact same info. (if shadow sets used, data stored as images on two or more disks). electronic vaulting (occurs in batches): xferring bulk info to offsite facilities. remote journaling (done in real time): usually only includes journal of xaction logs to offsite facility, not actual files. logs contain the deltas taken place to individual files. when data corrupted, bank can retrieve these logs used to rebuild the lost data. If need move software and files (in dev environment), object and source code should be backed up along w/ libraries, patches, and fixes. tape vaulting: back-up data to tapes then manually xferred to offsite facility by courier or employee. Asynchronous replication: primary and secondary data out of sync (by seconds, minutes, hours, days). Synchronous replication: primary and secondary data always in sync (true real-time duplication).
Mean Time to Repair (MTTR)
expected time to get device fixed and back into production after failure. likely measured in hours. if MTTR too high for critical device, redundancy should be used.
External Boundary Protection Mechanisms - Intrusion Detection Systems
expensive, require human intervention to respond, need redundant power, can be linked to centralized security system, should have fail-safe config default to 'active', should detect, and be resistant to, tampering. - used to sense changes in an environment. can detect beams of light, sounds/vibrations, motion, types of fields (microwave, ultrasonic, electrostatic), electrical circuit. - electromechanical systems (magnetic switches, foil in windows, pressure mats to detect break in circuit) or volumetric systems (more sensitive b/c detect changes in subtle characteristics, like vibrations, microwaves, ultrasonic frequencies, infrared values, photoelectric changes. - photoelectric (photometric) systems, detect changes in light beam and can only be used in windowless rooms. can be cross-sectional (one area has several different light beans across it usually by hidden mirrors) and invisible. - passive infrared (PIR) detects changes of heat waves. acoustical detection system uses microphones in floors, walls, or ceilings. - vibration sensors also implemented to detect forced entry. wave-pattern motion detectors detect frequency of waves they monitor (microwave, ultrasonic, low freq as sent out and reflected back). - proximity detector emits magnetic field and alarm sounds if field disrupted.
Clustering
fault-tolerant server technology similar to redundant servers, but each server takes part in processing services requested. server cluster is group of servers viewed logically as one server and managed as single logical system. clusters may also be referred to as server farms. also provides load balancing, redundancy, and failover.
Direct Access Storage Device (DASD)
general term for magnetic disk storage devices, historically in mainframes and minicomputers. RAID is a type of DASD. * distinction btwn DASD and SASD (sequential access) is any point on a DASD may be promptly reached, whereas points between current position and desired position of a SASD must be traversed to reach the desired position (tape drives are SASDs).
Insurance
goal is make sure insurance coverage fills gap of what current preventive countermeasures cannot protect against. all policies should be reviewed annually. 'cyber insurance': insures losses caused by denial-of-service attacks, malware damages, hackers, e-theft, privacy-related law suites, and more. - business interruption insurance policy: if company out of business for certain length of time, insurance pay for specified expenses and lost earnings. can also buy insurance for accounts receivables.
Input and Output Controls
input needs monitored for errors and suspicious activity. applications need programmed to only accept certain types of values input and do logic checking about received input values. - data entered into system be correct format and validated not malicious. - xactions should be atomic (cannot be interrupted btwn input provided and generation of output). - xactions should be timestamped and logged. - ensure output reaches proper destination securely. cryptographic hashes or message authentication codes ensure integrity of files, output clearly labeled to indicate sensitivity or classification of data, when output created proper access controls implemented, if report has no info should contain "no output".
Sandboxing
isolating execution of code from OS to prevent security violations and outages.
Egress monitoring
keeping an eye on info flowing 'out' of network. common approach is allow only certain hosts to comm directly w/ external destinations. not uncommon to do deep packet inspection on all HTTPS traffic before allowing info to flow out.
tracking hardware
multiple reports of confirmed or suspected backdoors installed in hardware assets by manufacturers or third parties before get to organization. ISO/PAS 28000:2007 is for orgs to use consistent approach to securing their supply chains. also, should have spreadsheet or database (at minimum) w/ each HW asset and when acquired, where it is, who has it, what used for.
remediation during incident
need ensure attack never again successful. need decide which measures to neutralize or reduce effectiveness of attack to be made permanent. identification of your indicators of attack (IOA) used to detect attack in real-time. indicators of compromise (IOC) tell when attack successful and security compromised. attack and compromise indicators include: outbound traffic to particular IP address or domain name, abnormal DNS query patterns, unusually large HTTP requests / responses, DDoS traffic, new registry entries (Windows systems).
External Boundary Protection Mechanisms - Fencing
need to consider: - gauge of the metal correlating to types of physical threats - height of fencing (3-4ft deters causal trespassers, 6-7ft too high to climb easily, 8+ft w/ barbed/razor wire for critical areas). barbed wire should be tilted in or out. * 11 gauge: .0907-inch * 9 gauge: .1144-inch * 6 gauge: .162-inch extremely high security: 3/8" mesh, 11 gauge very high security: 1" mesh, 9 gauge high security: 1" mesh, 11 gauge greater security: 2" mesh, 6 gauge normal industrial security: 2" mesh, 9 gauge Perimeter Intrusion Detection and Assessment System (PIDAS) fencing: has sensors on the wire mesh and base of fence to detect attempts to cut or climb fence. can cause many false alarms. Class I: residential usage Class II: commercial where gen public expected Class III: industrial usage where limited access expected (ex: warehouse property entrance not intended for gen public) Class IV: restricted access (ex: prison entrance).
Documentation during disaster
need to document HOW to complete the backups or won't be able to complete it when needed.
Massive Array of Inactive Disks (MAID)
new entrant into medium-scale storage (usually in the hundreds of terabytes); carries out mostly write operations. tape drives remain economic solution. rack-mounted disk arrays have all inactive disks powered down w/ only disk controller alive -- when app asks for data controller powers up appropriate disk drive(s) to get the data then powers it down again.
Recovery during incident
once mitigated, enter recovery phase. return all systems to known-good state. systems should never be trusted if attacked or infected; always wipe and rebuild.
Human Resources
pay for temp housing for necessary employees? pay their moving costs? hire new employees in area of offsite facility? BCP expands job responsibilities, descriptions, hours, even workplaces. should identify critical personnel and subordinates who develop plan and execute duties during an incident. 'Executive succession planning' in place (senior executive retires, leaves, or killed, predetermined steps to carry out to protect company; filled quickly w/ right individual)?
Firewalls
placement is not the only concern, operational challenge is to accurately track current sets of rules and identify rules to be added, modified, or deleted. next-generation firewalls (NGFW) use connections to external data sources (like AD and policy servers) and even they need formal process to ensure right rules get to right places at the right time.
Hierarchical Storage Management (HSM)
provides continuous online backup; combines hard disk tech w/ cheaper and slower optical or tape boxes. The HSM dynamically manages the storage and recovery. faster media holds files accessed more often, and seldom-used files stored on slower devices ('near-line' devices). HSM migrates actual content of less used files to lower-speed, lower-cost storage and leaves "stub" behind for the user as if it contains the full data of the migrated file. transfers should be done securely, not using TFTP!
Secure Resource Provisioning
provisioning is set of all activities to provide one of more information services to user or group of users. consists of 4 phases: - business case: champion creates case and obtains management approval. - acquisition: change mgmt board dictates how & when asset is acquired. - operation and maintenance (O&M): IT and security ops team config to balance 3 goals; functionality, security, and interoperability. - retirement: when no longer required or effective, change mgmt board review, consideration of stored data and hazardous materials, etc.
Third Party Risk
should conduct third-party risk assessment for all services involving collection, processing, xmission, storage of sensitive data or critical business functionality processing.
Investigations during incident
should treat systems and facilities as potential crime scenes; not always sure if incident has criminal element. should treat it as crime scene until proven otherwise.
Redundant Array of Independent Tapes (RAIT)
similar to RAID but uses tape drives for very large write-mostly storage, where MAID is not economical or tape drive provides sufficient performance and higher reliability. RAIT is striped to multiple tape drives w/ or w/out parity or redundant parity drive.
Security Information and Event Management (SIEM)
software platform aggregates security info and security events, presenting them in single, consistent, and cohesive manner. emasses all relevant security data, provides dashboards to see state of network. one of best-known commercial is Splunk. best-known open source is Elastic Stack.
Facility Access Control - Circumventing Locks
tension wrench: tool shaped like L to apply tension to cylinder of lock. lock pick: used to manipulate individual pins of lock. raking: lock pick pushed to back of lock and quickly slid out while providing upward pressure. lock bumping: force pins to open position by using bump key. Lock strengths: - grade 1: commercial/industrial - grade 2: heavy-duty residential/light-duty commercial - grade 3: residential/consumer Cylinders w/ in locks fall into 3 categories: - low security: no pick or drill resistance provided - medium security: a degree of pick-resistance (can be found w/ in any lock grade above) - high security: pick-resistance protection through many mechanisms (only used in grade 1 and 2 locks).
Clipping Level
threshold/baseline for violation activities normal user commits before alarms are raised. once clipping level exceeded, further violations recorded for review.
tracking software
unlicensed or pirated software is unethical, also exposes org to financial liability. certain SW packages "phone home" to vendors' servers. pirated SW more problematic b/c many forms include backdoors installed by pirates or are Trojan horses. Should keep manual inventory of SW at very least. SW asset inventory problem starts w/ assessment of legitimate application requirements; here are widely accepted best practices: - application whitelisting: list of approved SW on devices, prevents unlicensed/unauthorized SW being installed. - using gold masters: standard image workstation or server w/ properly config'd and authorized SW. - enforcing principle of least privilege: if typical user not able to install SW it becomes harder for rogue apps to show up. - automated scanning: every device should be periodically scanned.
Unmanaged patching
use of decentralized or unmanaged patching where each software package on each device periodically checks for updates and auto-installs. risks to this are: - credentials (typically requires an admin to install things) - config mgmt (diff or impossible determine status of every application) - bandwidth utilization (each app/service getting patches leads to network congestion - service availability (servers almost never auto-update themselves b/c could lead to unscheduled outage.
Duress
use of threats or violence to force someone to do something wouldn't otherwise do. can put duress alarms in security systems; employee enters code that not only disarms the alarm but also alerts authorities to an emergency. Duress codes can also be verbal.
Redundant Array of Independent Disks (RAID)
used for redundancy of storage, disks are combined into logical arrays. control data spread across disk (called parity; instructions to rebuild lost data on new hard drive), so if one disk fails others work together to restore its data. RAID 5 most commonly used. 'striping' is across all drives.
Computer Forensics and Proper Collection of Evidence - What is admissible in court?
when logs used as evidence, must be collected in regular course of business. computer-related documents are considered hearsay and not admissible. lifecycle of evidence: - collection and identification - storage, preservation, transportation - presentation in court - return of evidence to victim or owner evidence must be relevant (reasonable and sensible to findings), complete (present whole truth of issue), sufficient (believable, persuasive enough to convince reasonable person of validity), reliable (accurate and consistent w/ the facts).
Trusted Recovery - after system crash
when systems go down, important operations personnel troubleshoot and fix problem. some steps: - enter into single user or safe mode: OS boots up only so far in these modes and systems do not start services for users or network, file systems remain unmounted, only local console accessible. - fix issue and recover files: in single user mode admin salvages file systems from damage, attempts identify cause to prevent recurrence. sometimes, also roll back or roll forward databases in single user mode. - validate critical files and operations: if investigation suggests corruption occurred thru SW or HW failure, or attack, admin must validate contents of config files and ensure system files consistent w/ expected state. cryptographic checksums can be verified by programs (e.g., Tripwire).
Whitelisting and Blacklisting
whitelist: set of known-good resources (IP addresses, domain names, applications). blacklist: set of known-bad resources. * use whitelists first, then fall back on blacklists.