Domain 7 - Security Operations
Reporting and documenting incidents
Automate notifications so stakeholders are informed promptly. Federal government --> US-CERT requires federal agencies to report incidents. Formal incident report --> the final report: what was done, lessons learned, plus recommendations.
Audit trails
An audit trail entry should record:
- date and time stamps
- whether the access attempt succeeded or failed
- where the access was granted (which system/resource)
- who attempted the access
- who modified access privileges at the supervisor/administrator level
Continuous Security Monitoring
Define --> Establish --> Implement --> Analyze --> Respond --> Review
CCTV
Multiplexer allows multiple camera feeds to be shown over one cable on a single monitor. Signals run over coaxial cables (hence "closed" circuit). Attacks: replayed video images substituted for the live feed. Fixed mounting versus PTZ (pan, tilt, zoom) cameras. Annunciator system: detects movement on screen and alerts guards. Recording for later review = detective control. CCTV enables you to compare the audit trails and access logs with a visual recording.
DR Test Types
Read-through - members review their roles in the plan and provide feedback. Walk-through - the team gathers to go over the plan together. Simulation - uses a scenario to test the plan. Parallel test - activates the DR facility and runs operations there alongside the primary site, without interrupting production. Full-interruption test - shuts down the primary site to test the backup site and discover gaps.
virtual storage area networks (VSANs)
SAN: a dedicated high-speed network that hosts multiple storage devices. A VSAN is a virtual (logical) implementation of a SAN: a logical fabric carved out of a shared physical fabric so that traffic is isolated, much as a VLAN isolates traffic on Ethernet.
Restricted Work Areas
Sensitive Compartmented Information Facility (SCIF). In highly restricted work areas or government SCIFs, there is a requirement to increase security measures to ensure stricter access control to these areas. The physical security protection for a SCIF is intended to prevent as well as detect visual, acoustical, technical, and physical access by unauthorized persons. An organization may not be required to maintain government classified information; however, its profitability and employment may be tied to proprietary information that requires the same level of security.
Digital Evidence
Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in pursuit of forensically recovered evidence:
- When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while it is in their possession.
- Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Media analysis - a branch of computer forensic analysis involving the identification and extraction of information from storage media: magnetic media (e.g. hard disks, tapes), optical media (e.g. CDs, DVDs, Blu-ray discs), memory (e.g. RAM, solid-state storage). Techniques include recovering deleted files from unallocated sectors of the physical disk, live analysis of storage media connected to a running computer system (especially useful when examining encrypted media, which is readable only while it is mounted and unlocked), and static analysis of forensic images of storage media.
Network analysis - forensic investigators are also interested in the activity that took place over the network during a security incident. Because packets are not retained by default, network forensic analysis depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity. These include:
- intrusion detection and prevention system logs
- network flow data captured by a flow monitoring system
- packet captures deliberately collected during an incident
- logs from firewalls and other network security devices
The task of the network forensic analyst is to collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
Software analysis - forensic reviews of applications or of the activity that takes place within a running application. When malicious insiders are suspected, the analyst may be asked to review source code for back doors, logic bombs, or other security vulnerabilities. In other cases the analyst reviews and interprets log files from application or database servers, seeking signs of malicious activity such as SQL injection attacks, privilege escalation, or other application attacks.
Hardware/embedded device analysis - reviewing the contents of hardware and embedded devices, including personal computers and smartphones.
Fences
Small mesh and heavy (thick) gauge wire is most secure. 3-4 feet: deters a casual trespasser. 6-7 feet: too hard to climb easily. 8 feet plus barbed/razor wire on top: deters intruders and is difficult to climb. No fence STOPS a determined intruder; it only delays them.
DoS (denial of service)
attack that renders its victim unable to perform normal activities
teardrop attack
Attacker sends fragmented traffic crafted so that the receiver cannot reassemble it.
- Large packets are normally divided into smaller fragments when sent and reassembled by the receiving system.
- This attack sends fragments with overlapping or malformed offsets so the system cannot put them back together, causing crashes or hangs.
- Rarely a problem today because the reassembly bugs have been patched.
Protection: 1) keep systems up to date 2) IDSs can check for malformed or overlapping fragments
man-in-the-middle attack
Attacker positions himself between the two endpoints of an ongoing connection. 2 types: 1) copying/sniffing the traffic between the two parties (sniffer attack) 2) attacker acts as a store-and-forward relay or proxy.
- Client and server believe they are directly connected to each other, but the attacker captures (and can alter) all information.
- Requires more technical ability than other attacks because the attacker must impersonate both client and server.
- Often combines multiple attacks (e.g. ARP spoofing, DNS poisoning) to get into the path.
Protection: 1) keep systems up to date 2) an IDS cannot usually detect these directly, but can raise alerts for suspicious activity such as ARP changes
SYN flood attack
Attacker sends many SYN packets but never completes the connection with the final ACK, leaving half-open connections that consume the server's connection table and disrupting the TCP three-way handshake. Protection: 1) SYN cookies 2) reduce the time a server waits for the ACK, so half-open sessions are flushed from memory faster
land attack
Attacker sends spoofed SYN packets to a victim using the victim's own IP address as both source and destination (often with the same port), tricking the system into replying to itself and causing a freeze or crash. Protection: 1) keep systems up to date 2) filter traffic with identical source and destination addresses
TCP reset attack
Attacker spoofs the source IP in a RST packet and disconnects active sessions. The two systems then need to reestablish the session and re-create the data, consuming many more resources than a standard SYN flood.
ping-of-death attack
Attacks the victim with an oversized ping packet.
- Pings are usually 32 or 64 bytes; this attack sends a ping larger than the 65,535-byte maximum size of an IP datagram, delivered as fragments that exceed the limit when reassembled.
- Can cause buffer overflows or system crashes.
- Rarely works today because systems are patched.
DLP (data loss prevention)
Attempts to detect and block data exfiltration.
- Can scan data for keywords and data patterns (e.g. SSNs, PII, payment card numbers in email) to prevent leaks.
- Can detect sensitive information inside zipped files.
- *Does not have the ability to decrypt data*: encrypted content passes through uninspected.
2 types: 1) network-based 2) endpoint-based
Product categories:
- Enterprise DLP: advanced content-aware inspection capabilities and robust management consoles.
- Channel DLP: content-aware DLP capabilities integrated within an existing application, typically email.
- DLP-lite: a newer subcategory that groups a specific set of capabilities for a niche need, such as discovery only, or for a specific use case such as small or midsize business (SMB), where only a few protocols need monitoring and a simplified management console or workflow is wanted.
mean time to repair
average time required to return a repairable component to service
RCA, Root Cause Analysis
Tree / Boolean approach - fault tree analysis. Other RCA techniques: 5 Whys, Failure Mode and Effects Analysis (FMEA), Pareto analysis, cause mapping.
Virtual Machine Types
Type I hypervisor: runs directly on bare metal; most common in datacenters. Type II hypervisor: runs as an application on top of a host operating system.
IronKey
USB flash drive with built-in hardware AES-256 encryption, antimalware, remote deny (disable), and a self-destruct feature that destroys its own data.
fraggle attack
Uses UDP ports 7 (echo) and 19 (chargen) instead of ICMP to launch a smurf-style attack. A denial-of-service attack that sends a large amount of spoofed UDP traffic, with the victim's address as the source, to a network's broadcast address so that every host replies to the victim. Very similar to a smurf attack, which uses spoofed ICMP traffic rather than UDP to achieve the same goal.
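Added example, not part of the original notes: one classifier that applies the detection ideas from the DoS cards above (teardrop, SYN flood, land, ping of death) and from this fraggle/smurf card to a stream of packet records. The `Packet` record type, the `/24` broadcast assumption, the half-open threshold and the sample traffic are all this example's own constructions, not real captures.

```python
"""Classify constructed packet records for the DoS signatures described in the notes."""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_IP_DATAGRAM = 65535          # RFC 791 maximum total length of an IP datagram
HALF_OPEN_THRESHOLD = 100        # assumed tuning value for SYN-flood alerting


@dataclass
class Packet:                    # assumed record shape, not a real capture format
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    flags: set = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    sport: int = 0
    dport: int = 0
    length: int = 64             # total length of the (reassembled) datagram
    frag_offset: int = 0         # fragment offset in bytes, 0 if unfragmented
    frag_len: int = 0            # payload bytes in this fragment, 0 if unfragmented
    frag_id: int = 0             # IP identification field, groups fragments
    more_frags: bool = False


def is_broadcast(addr: str) -> bool:
    # assumption: /24 subnets, so x.y.z.255 (and 255.255.255.255) are broadcast addresses
    return addr.endswith(".255")


def classify(packets):
    """Return a sorted list of (attack_name, detail) alerts for the packet stream."""
    alerts = set()
    half_open = defaultdict(set)     # dst -> {(src, sport)} seen with SYN but no ACK yet
    fragments = defaultdict(list)    # (src, dst, frag_id) -> [(start, end)] byte ranges

    for p in packets:
        # land: spoofed SYN whose source equals its destination, so the host talks to itself
        if p.proto == "tcp" and "SYN" in p.flags and p.src == p.dst:
            alerts.add(("land", f"{p.src}:{p.sport}->{p.dst}:{p.dport}"))

        # ping of death: ICMP whose reassembled size exceeds what IP allows
        if p.proto == "icmp" and p.length > MAX_IP_DATAGRAM:
            alerts.add(("ping_of_death", f"{p.src} sent {p.length} bytes"))

        # smurf / fraggle: traffic to a broadcast address makes every host answer the spoofed source
        if is_broadcast(p.dst):
            if p.proto == "icmp":
                alerts.add(("smurf", f"ICMP to broadcast {p.dst} from {p.src}"))
            elif p.proto == "udp" and p.dport in (7, 19):   # echo and chargen
                alerts.add(("fraggle", f"UDP/{p.dport} to broadcast {p.dst} from {p.src}"))

        # teardrop: fragments whose byte ranges overlap, so reassembly cannot succeed
        if p.frag_len:
            key = (p.src, p.dst, p.frag_id)
            start, end = p.frag_offset, p.frag_offset + p.frag_len
            for s, e in fragments[key]:
                if start < e and s < end:
                    alerts.add(("teardrop", f"overlapping fragments id={p.frag_id} from {p.src}"))
            fragments[key].append((start, end))

        # SYN flood: count handshakes that were started but never completed
        if p.proto == "tcp":
            if "SYN" in p.flags and "ACK" not in p.flags:
                half_open[p.dst].add((p.src, p.sport))
            elif "ACK" in p.flags and "SYN" not in p.flags:
                half_open[p.dst].discard((p.src, p.sport))   # third step seen: not half-open

    for dst, pending in half_open.items():
        if len(pending) >= HALF_OPEN_THRESHOLD:
            alerts.add(("syn_flood", f"{len(pending)} half-open connections to {dst}"))

    return sorted(alerts)


# constructed sample traffic
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", {"SYN"}, sport=139, dport=139),
    Packet("10.0.0.9", "10.0.0.20", "icmp", length=66000),
    Packet("10.0.0.20", "10.0.0.255", "udp", sport=7, dport=7),       # victim's address spoofed
    Packet("10.0.0.7", "10.0.0.20", "udp", frag_id=42, frag_offset=0, frag_len=1000, more_frags=True),
    Packet("10.0.0.7", "10.0.0.20", "udp", frag_id=42, frag_offset=500, frag_len=600),
    # a legitimate handshake: SYN then ACK from the same client port, so it is not half-open
    Packet("10.0.0.8", "10.0.0.20", "tcp", {"SYN"}, sport=50000, dport=80),
    Packet("10.0.0.8", "10.0.0.20", "tcp", {"ACK"}, sport=50000, dport=80),
] + [Packet(f"203.0.113.{i % 250 + 1}", "10.0.0.20", "tcp", {"SYN"}, sport=40000 + i, dport=80)
     for i in range(150)]

if __name__ == "__main__":
    for name, detail in classify(SAMPLE):
        print(f"{name:14} {detail}")
```

The SYN-flood check keys half-open entries on (source, source port) and removes them when the client's ACK arrives, which is the same bookkeeping a SYN-cookie server avoids by not keeping state at all; a TCP reset attack is deliberately not in the list, since a spoofed RST looks like a normal RST and needs sequence-number context to spot.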
software defined networks (SDN's)
Control plane: uses routing protocols and policy to decide where traffic should be sent. Data plane (aka forwarding plane): applies the rules that decide whether and where a given packet is forwarded. SDN decouples the control plane from the data plane: instead of each hardware router/switch making its own forwarding decisions, simpler network devices accept instructions from a central controller.
privileged entities
accounts that have been granted elevated privileges -usually restricted to admin's and system operators
IDS passive response
admin's get notifications via email, text, or pop-ups
collusion
agreement b/t 2 or more parties to perform some unauthorized activity
service level agreement (SLA)
agreement b/t an org and an outside vendor -stipulates performance expectations and often includes penalties if vendor fails
two-person control
aka "two-man rule" -similar to segregation of duties -requires approval of 2 people for critical tasks -ensures peer review and reduces likelihood of fraud and collusion
entitlement
amount of privileges granted to users, typically when *first provisioning an account* -should follow the principle of least privilege
aggregation
amount of privileges that users collect over time (in context of least privilege) -to prevent, admin's should revoke privileges when users move to a diff dept or don't need the previously assigned privileges
OWASP
Open Web Application Security Project: publishes general guidance on web application security issues (e.g. the OWASP Top 10), but does not track specific vulnerabilities and its guidance does not extend beyond web applications.
job rotation
Employees are rotated through jobs, or at least some of their responsibilities are rotated to different employees. Provides peer review, reduces fraud, and enables cross-training. Can act as both a deterrent and a detection mechanism.
non-transitive trust
enforces the principle of least privilege and grants the trust to a single domain
primary goal of change mgmt?
ensure that changes do not cause outages -protect Availability -ensures that personnel can perform a sec impact analysis
separation of duties and responsibilities
ensures that no single person has total control over a critical function/system -two or more people must conspire/collude against the org, which increases the risk for them -this policy creates a checks-and-balances system where 2 or more users verify each others actions
marking data
ensures that personnel can easily recognize the data's value -data should be marked asap after creating it
violation analysis
environment is monitored for error occurrences -older form of auditing
root cause analysis
examines the incident to determine what allowed it to happen -recommend a change if this can ID a vuln that can be mitigated
entrapment
illegal activity -when honeypot owner actively solicits visitors to access the site and then charges them with unauthorized intrusion -i.e, tricking someone into performing an illegal action
egress monitoring
monitoring outgoing traffic to prevent data exfiltration (unauth transfer of data outside an org) -can involve looking for steganography, watermarking
HIDS (host-based IDS)
Monitors activity on a single computer/host. Can often examine events in more detail than a NIDS, can track processes used by an attacker, can detect anomalies on the host that a NIDS cannot, and is often installed only on key systems.
Disadvantages: 1) higher cost and usability issues 2) requires admin attention on each system 3) cannot detect network attacks on other systems 4) consumes host resources, lowering performance 5) easier for an intruder to discover and disable 6) its logs can be modified by the attacker more easily
NIDS (network-based IDS)
Monitors and evaluates network activity to detect attacks/anomalies. Can operate almost invisibly with little impact on performance; can discover the source of an attack by performing reverse DNS or RARP lookups; is usually able to detect the initiation of an attack; cannot tell whether an attack affected specific systems, accounts, files, or applications.
Disadvantages: 1) cannot monitor the content of encrypted traffic
darknet
portion of allocated IP's within a network that are not used -should not have any traffic -any traffic here is indication of an attack (few false positives)
hypervisor
primary software component in virtualization -manages the VM's, virtual data storage, virtual network components -represents an additional attack surface -responsible for controlling access to physical resources by virtual resources
need to know
principle that imposes the requirement to grant users access only to data/resources they need to perform assigned work tasks -the clearance does not automatically grant access to the data
user entitlement
privileges granted to users -reviews can discover when users have excessive privileges
sampling (data extraction)
Process of extracting specific elements from a large collection of data to construct a meaningful representation/summary of the whole. A form of data reduction that lets someone glean valuable information by looking only at a small data sample.
PaaS (platform as a service)
Provides consumers with a computing platform: hardware, an OS, and the runtime/application stack. Consumers manage their own applications and possibly some configuration settings on the host; the customer supplies source code that the CSP executes on its own infrastructure. The CSP is responsible for maintenance of the host and the cloud infrastructure.
community cloud deployment model
provides cloud based assets to two or more org's -maintenance resp's is based on who is hosting the assets and service models
SaaS (software as a service)
Provides fully functional applications, typically accessible with a web browser. The CSP is responsible for maintaining the whole stack (infrastructure, platform, and application). Consumers do not manage any of the cloud-based assets.
NIST 800-47
Provides guidance on securing system interconnections, including memorandums of understanding (MOUs) and interconnection security agreements (ISAs).
IaaS (infrastructure as a service)
provides servers, storage, networking resources, (computing) to consumers -CSP is responsible for hardware and network, which includes configuring firewalls, maintaining hypervisor, and managing physical equipment -consumers install OS's, app's, and perform all maintenance -CSP maintains infrastructure
Common Vulnerabilities and Exposures (CVE) dictionary
Provides a standard convention for identifying known vulnerabilities (one CVE identifier per issue), which makes it easier for organizations and vendors to build patch and vulnerability management tools that speak about the same flaw. A dictionary of standardized entries for many different security issues.
NIST SP 800-145
provides standard definitions for many cloud based services
security logs
record access to resources like files, folders, printers, etc. -record info about when a user accessed, modified, deleted a file
change logs
Record change requests, approvals, and the actual changes made to a system as part of the change management process.
application logs
record info about specific app's -app dev's can choose what to record
system logs
record system events such as when a system starts/stops/reboots, or when services start/stop
separation of privilege
requires the use of granular rights/perm's -admin's assign different rights/perm's for each type of privileged operation -can also apply to user and service accounts
recovery
return the system to a fully functioning state -after a compromised system is rebuilt from scratch, ensure it is config'd properly and secure -most secure method of restoring a system after an incident is to completely rebuild the system
monitoring
reviewing info logs looking for something specific
baselines
starting configuration for a system -admin's often modify this after deploying systems to meet different requirements -microsoft uses Group Policy to control baselines and changes to baselines
media mgmt
Steps taken to protect media and the data stored on it. Media can be tapes, optical media (CD, DVD), USB sticks, FireWire drives, external SATA (eSATA) drives, hard disks, SSDs, and flash drives.
principle of least privilege
subjects are granted only the privileges *necessary to perform assigned work tasks* and no more -protects conf and integrity
ConfigMgr
Microsoft Configuration Manager (ConfigMgr, formerly SCCM): software used to ensure computers are healthy according to predefined requirements, such as having current antivirus software. Can manage Windows, iOS, and Android devices.
vulnerability scans
software tools to test a system for known sec issues ex: missing patches, weak passwords
sec controls to protect info over its lifetime?
1) marking data 2) handling 3) storing 4) destroying
log protection measures
1) prevent unauthorized access 2) store copies on a central system 3) delete logs once the data is no longer needed 4) ensure logs have accurate time stamps; a Network Time Protocol (NTP) server keeps clocks synchronized so events from different systems can be correlated
3 cloud deployment models?
1) public 2) private 3) hybrid (NIST SP 800-145 also defines a fourth, the community cloud)
change mgmt process ( 5 steps)
1) request the change 2) review the change 3) approve/reject the change 4) schedule/implement change 5) document the change
common log types
1) sec logs 2) system logs 3) app logs 4) firewall logs 5) proxy logs 6) change logs
Containment Strategy
Factors to weigh when choosing a containment strategy: 1. damage potential 2. evidence preservation 3. serviceability 4. resource requirements 5. expected effectiveness 6. solution timeline
DLP Actions
1. Pattern matching: Recognizes patterns such as PCI, PII SSN etc. 2. Watermarking: Identifies sensitive info using electronic tags.
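Added example, not part of the original notes: a content-aware scanner in the style of the DLP cards (pattern matching for SSNs and payment card numbers, inspection inside zip archives, and reporting rather than decrypting content it cannot read). The regexes, the nesting limit and the sample archive are this example's own assumptions.

```python
"""Content-aware DLP check: pattern match, look inside zips, never pretend to decrypt."""
import io
import re
import zipfile

# US SSN with the structurally invalid area/group/serial values excluded (assumed rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional space/dash separators; Luhn check filters most false hits
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a random run of digits that merely looks like a card number fails this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (type, masked_value) findings; the alert itself must not leak the data."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_blob(name: str, data: bytes, depth: int = 0):
    """Scan raw bytes; descend into zip archives but only to a bounded depth."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 3:                           # assumed limit against nested-zip bombs
            return [(name, "skipped", "nesting too deep")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = f"{name}/{info.filename}"
                if info.flag_bits & 0x1:         # bit 0 set = encrypted entry: DLP cannot inspect it
                    findings.append((inner, "uninspectable", "encrypted entry"))
                    continue
                findings.extend(scan_blob(inner, zf.read(info), depth + 1))
        return findings
    text = data.decode("utf-8", errors="ignore")
    return [(name, kind, masked) for kind, masked in scan_text(text)]


def build_sample_zip() -> bytes:
    """Constructed sample: a memo with an SSN and the well-known Visa test number,
    plus an order id that has 13 digits but fails the Luhn check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("memo.txt", "Applicant SSN 123-45-6789, card 4111 1111 1111 1111")
        zf.writestr("notes.txt", "Order id 1234567890123 is not a card number")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_blob("outbound/attachment.zip", build_sample_zip()):
        print(hit)
```

The encrypted-entry branch is the point the notes make about decryption: the scanner can tell that an entry is encrypted (the zip header says so) and raise that as a finding, but it cannot look inside, so a policy that blocks uninspectable attachments has to be a separate decision.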
honeynet
2+ honeypots used together to simulate a network
pen testing (aka ethical hacking)
A *preventive* measure that mimics an actual attack in an attempt to identify which techniques attackers could use. Attempts to exploit vulnerabilities, so some methods can cause outages. Should only be done after approval from senior management.
ending of auditing process
1) exit conference 2) auditors present their findings 3) final audit report is given to the org (to remain unaffected by office politics/coercion) 4) org's internal auditors review final audit report and make recommendations to Sr mgmt
benefits of monitoring?
1) increasing accountability 2) helping w/ investigations 3) helping w/ troubleshooting
Sarbanes-Oxley Act of 2002 (SOX)
*requires a segregation of duties policy* (named after its sponsors, Senator Paul Sarbanes and Representative Michael Oxley). Commonly used to ensure that security duties are separate from other duties within an organization, e.g. auditing personnel are not responsible for security. Applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC).
Security information and event management (SIEM)
Automates much of the routine work of log review by collecting and correlating logs from many systems. Provides real-time analysis of events occurring throughout an organization, but does not necessarily inspect outgoing traffic (that is egress monitoring / DLP).
Backup validation strategy
- Built-in backup verification - Regularly test backups
Business Continuity plans development
- Defining the continuity strategy
- Computing: strategy to preserve the elements of hardware, software, communication lines, applications, and data
- Facilities: use of the main buildings or any remote facilities
- People: operators, management, technical support personnel
- Supplies and equipment: paper, forms, HVAC
- Documenting the continuity strategy
Incident Scene
- Identify the scene
- Protect the environment
- Identify evidence and potential sources of evidence
- Collect evidence, and hash what is collected so its integrity can be proven later
- Minimize the degree of contamination
Locard's exchange principle: perpetrators always leave something behind (and take something with them).
mitigation
-attempt to contain an incident to limit the effect/scope of an incident
IDS (intrusion detection system)
Automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. An effective way to detect DoS attacks. Some can modify the environment to stop an attack. Goal: provide fast, accurate responses to intrusions. 2 forms: 1) knowledge-based (signature) detection 2) behavior-based (anomaly) detection. Responds passively or actively.
traffic/trend analysis
-forms of monitoring that examine the flow of packets rather than packet contents -aka network flow monitoring
reporting
-if a data breach exposes PII, the org must report it -many org's are required to report breaches
response
-incident should be *contained* in this step -team members assist with investigation, assessing damage, collecting evidence, reporting the incident, recovery, and in the remediation/lessons learned stages, and root cause analysis
mean time to failure (MTTF)
Expected operating life of a non-repairable component. Media should be replaced before it reaches its MTTF; once it reaches that point it should be destroyed, and its data classification dictates how it is destroyed.
dual admin accounts
-used to reduce risk -one account is for normal day to day use -other acct is for privileged use and admin work
ways to detect incidents?
1) IDS/IPS systems 2) anti-malware 3) audit logs 4) users can detect irregular activity *just bc an IT admin receives an incident alert, does not mean an incident has occurred*
exit interview procedure
1) at least one witness is present during exit interview 2) account access is disabled during interview 3) employee ID badges, etc are collected during/immediately after interview 4) employee is escorted off the premises immediately after the interview
pen testing techniques
1) black box testing 2) white box testing 3) gray box testing
incident response steps
1) detection 2) response 3) mitigation 4) reporting 5) recovery 6) remediation 7) lessons learned "DR. MRRRL" *does not include a counterattack against the attacker*
patch mgmt steps
1) evaluate patches: admin's eval patches to determine if they apply to their systems 2) test patches: admin's should test on isolated system if possible 3) approve patches 4) deploy patches: often automated process 5) verify that patches are deployed
basic preventive measures
1) keep systems and app's up-to-date 2) remove/disable unneeded services and protocols 3) use IDS/IPS 4) use up-to-date anti-malware 5) use firewalls
Nessus
popular vulnerability scanner
Evidence
Admissible Evidence - The evidence must be relevant to determining a fact. - The fact that the evidence seeks to determine must be material (that is, related) to the case. - The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Intrusion Detection and Prevention
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization's resources. Intrusion detection is a specific form of monitoring that examines recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
IDS - an intrusion detection system automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. IDSs are an effective method of detecting many DoS and DDoS attacks. They can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally, such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms; in some cases they can modify the environment to stop an attack. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions. An IDS is intended as part of a defense-in-depth security plan: it works with and complements other security mechanisms such as firewalls, but does not replace them.
IPS - an intrusion prevention system includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions (it sits inline, so it can drop traffic). If desired, administrators can disable these extra features, essentially causing the IPS to function as an IDS.
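Added example, not part of the original notes: the two IDS detection forms named in the IDS cards (knowledge-based and behavior-based), run side by side over constructed web-server log lines. The log format, the signatures, the threshold and the log lines are all this example's own assumptions.

```python
"""Knowledge-based (signature) vs behavior-based (baseline deviation) detection."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# assumed access-log layout: ip [timestamp] "METHOD path HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# knowledge-based: patterns for attacks the IDS has been told about (assumed signatures)
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1=1|;--)"),
    "traversal": re.compile(r"\.\./"),
    "shellshock": re.compile(r"\(\)\s*\{"),
}


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Knowledge-based: (ip, signature, raw path) for every known pattern hit.
    Misses anything without a signature, but produces few false positives."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        decoded = unquote(rec["path"])            # match on the decoded request, not the raw bytes
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def build_baseline(lines):
    """Behavior-based, learning step: request volume per client in a known-clean window."""
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    values = list(counts.values())
    return statistics.fmean(values), statistics.pstdev(values)


def behavior_alerts(lines, baseline, k=3.0):
    """Behavior-based, detection step: clients whose volume exceeds mean + k*stdev.
    Catches tools with no signature, but a legitimate burst looks the same (false positives)."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)       # floor stdev so a perfectly flat baseline still alerts
    counts = Counter(rec["ip"] for rec in filter(None, map(parse, lines)))
    return [(ip, n) for ip, n in counts.items() if n > threshold]


# constructed logs: five clients, five ordinary requests each, as the clean training window
CLEAN_WINDOW = [
    f'10.0.0.{i % 5 + 1} [12/Mar 10:{i:02d}:00] "GET /index.html HTTP/1.1" 200'
    for i in range(25)]

# constructed live window: a slightly busier user, a two-request SQLi/traversal probe,
# and an unknown scanner that fires 40 requests
LIVE_WINDOW = (
    [f'10.0.0.3 [12/Mar 11:00:{i:02d}] "GET /item?id={i} HTTP/1.1" 200' for i in range(6)]
    + ['198.51.100.7 [12/Mar 11:01:00] "GET /item?id=1%27%20OR%201=1 HTTP/1.1" 200',
       '198.51.100.7 [12/Mar 11:01:05] "GET /../../etc/passwd HTTP/1.1" 404']
    + [f'203.0.113.9 [12/Mar 11:02:{i:02d}] "GET /page{i} HTTP/1.1" 404' for i in range(40)]
)

if __name__ == "__main__":
    print("signature hits:", signature_alerts(LIVE_WINDOW))
    print("behavior hits: ", behavior_alerts(LIVE_WINDOW, build_baseline(CLEAN_WINDOW)))
```

The two detectors catch different attackers: the probe from 198.51.100.7 sends only two requests and is invisible to the volume baseline, while the scanner from 203.0.113.9 matches no signature and is caught only by the deviation check, which is why the notes describe an IDS as combining both forms rather than choosing one.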
Roles and responsibilities
BCP committee:
- Senior staff: ultimate responsibility (due care / due diligence)
- Various business units: identify and prioritize time-critical systems
- Information systems
- Security administrator
- The people who will carry out (execute) the plan, with representatives from all departments
Evidence types: best, secondary, direct
Best evidence (primary evidence): used at trial because it is the most reliable; original documents, such as contracts (no copies). Note: oral testimony is not best evidence, though it may provide interpretation of documents.
Secondary evidence: not as strong as best evidence; a copy (secondary evidence) is not permitted if the original (best evidence) is available. Examples: copies of documents, oral evidence such as witness testimony.
Direct evidence: can prove a fact by itself and needs no other evidence to back it up, e.g. testimony from a witness about what they perceived with one of their five senses.
Note: oral evidence is a type of secondary evidence, so a case cannot simply stand on it alone as proof of a document's contents, but it is direct evidence and does not need other evidence to substantiate what the witness perceived.
BCP (pro) & DRP (reactive)Goals
Business continuity (proactive): ensuring the business can continue in an emergency. First step is business organization analysis; focus is on business processes.
1. Scope and plan initiation - consider the amount of work required, resources required, and management practices
2. Business impact analysis (BIA) - helps to understand the impact of disruptive events on business processes
3. Business continuity plan development
a. Use the BIA to develop the BCP (the strategy development phase bridges the gap between the BIA and the continuity planning phases)
b. Testing
4. Plan approval and implementation - management approval, create awareness, update the plan as needed, test at least once a year
Disaster recovery (reactive): recover as quickly as possible; heavy IT focus; enables execution of the BCP; needs planning and needs testing. Priority levels: CRITICAL, URGENT, IMPORTANT.
Location
CPTED, Crime Prevention Through Environmental Design:
- Natural access control: guiding people with doors, fences, bollards, and lighting; security zones are defined
- Natural surveillance: cameras and guards
- Territorial reinforcement: walls, fences, flags
- Target hardening: focus on locks, cameras, guards
Facility site: the most sensitive area belongs in the CORE OF THE BUILDING (so in a 6-story building, on the 3rd floor).
Request for change (RFC)
Change system, must be approved.
Law
Common law - USA, UK, Australia, Canada (judge-made precedent). Civil law - Europe, South America (codified statutes). Islamic and other religious law - Middle East, Africa, Indonesia.
USA: 3 branches of government produce 3 kinds of law:
- Legislative: writes laws (statutory law)
- Executive: enforces laws (administrative law, through agencies and regulations)
- Judicial: interprets laws (common law arises from court decisions)
3 categories:
- Criminal law - individuals who violate government laws; punishment is mostly imprisonment
- Civil law - wrongs against an individual or organization that result in damage or loss; punishment can include financial penalties; aka tort law ("I'll sue you!"); a jury decides liability
- Administrative/regulatory law - how industries, organizations, and officers must act; wrongs can be penalized with imprisonment or financial penalties
Uniform Computer Information Transactions Act (UCITA) - a uniform (model) state law, not a federal statute, that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing and gives legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by treating them as legally binding contracts.
Computer crime laws address 3 types of harm: unauthorized intrusion, unauthorized alteration or destruction, malicious code.
Admissible evidence: relevant, sufficient, reliable; does not have to be tangible.
Hearsay: second-hand information; generally not admissible in court.
Enticement is the legal act of luring an intruder, as with a honeypot. Entrapment is the illegal act of inducing a crime that the individual had no intent to commit in the first place.
Federal Sentencing Guidelines provide judges and courts with procedures on the prevention, detection, and reporting of offenses.
Evidence types: conclusive, circumstantial, corroborative, hearsay
Conclusive evidence: irrefutable and cannot be contradicted; requires no other corroboration.
Circumstantial evidence: used to help infer another fact; cannot stand on its own to directly prove a fact.
Corroborative evidence: supports or substantiates other evidence presented in the case.
Hearsay evidence: something a witness heard another person say. Business records, and anything printed or displayed by a computer, are technically hearsay. One exception: audit trails and other business records are not treated as hearsay when the documents are created in the normal course of business.
Configuration Management
Configuration item (CI) - a component whose state is recorded and controlled. Version - a recorded state of a CI. Configuration - a collection of component CIs that together make another CI. Building - assembling a version of a CI from its component CIs. Build list - the set of versions of component CIs used to build a CI. Software library - a controlled area accessible only to approved users. These are the ARTIFACTS of CONFIGURATION MANAGEMENT.
Disaster Recovery Test
Desk Check - review plan contents Table-top exercise -members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Simulation tests - are more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room Parallel tests - involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also Full-interruption tests - involve relocating personnel to the alternate site and shutting down operations at the primary site
Transaction Redundancy Implementations
Electronic vaulting - transfer of backup data to an offsite storage location via communication lines Remote Journaling - parallel processing of transactions to an alternative site via communication lines Database shadowing - live processing of remote journaling and creating duplicates of the database sets to multiple servers
Disaster Recovery Planning
End goal: restore normal business operations. A DRP is a statement of the actions to be taken before, during, and after a disruptive event that causes a significant loss of information. Goal: provide an organized way of making decisions, reduce confusion, and deal with the crisis. Planning and development must occur before the disaster; the BIA has already been done, now we protect against what it found. Disaster: any event, natural or man-made, that can disrupt normal IT operations. The disaster is not over until all operations have returned to their normal location and function; it is officially over when the data at the primary site has been verified as accurate.
Trusted recovery
Ensures that security is not breached when a system crash or failure occurs. Under TCSEC it is only required for B3 and A1 level systems.
Failure preparation: back up critical information so that data recovery is possible.
System recovery after a crash:
1. Reboot the system in single-user mode or the recovery console, so no user access is enabled
2. Recover all file systems that were active during the failure
3. Restore missing or damaged files
4. Recover the required security characteristics, such as file security labels
5. Check security-critical files, such as the system password file
Common Criteria hierarchical recovery types:
1. Manual - system administrator intervention is required to return the system to a secure state
2. Automatic - recovery to a secure state is automatic for a single failure (administrators are still needed to resolve additional failures)
3. Automatic without undue loss - a higher level of recovery that also prevents undue loss of protected objects
4. Function recovery - the system can restore functional processes automatically
Types of system failure:
- System reboot - the system shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources
- Emergency restart - the system restarts after a failure that happened in an uncontrolled manner, e.g. a low-privileged user tried to access restricted memory segments
- System cold start - an unexpected kernel or media failure occurs and the regular recovery procedure cannot bring the system back to a consistent state
Incident Response
Events: anything that happens. Can be documented, verified and analyzed. Security Incident - event or series of events that adversely impact the ability of an organization to do business. Security incident - suspected attack. Security intrusion - evidence an attacker attempted or gained access. Lifecycle - Response Capability (policy, procedures, a team), Incident response and handling (Triage, investigation, containment, and analysis & tracking), Recovery (Recovery / Repair), Debriefing / Feedback (External Communications). Mitigation - limit the effect or scope of an incident. Detection --> Response --> Mitigation --> Reporting --> Recovery --> Remediation --> Lessons Learned
Failure Modes
Fail open - Failed security controls bypassed. Fail secure - failed security controls blocked.
Digital Forensics
Five rules of evidence: Collect, preserve, and analyze: - Be authentic; evidence tied back to scene - Be accurate; maintain authenticity and veracity - Be complete; all evidence collected, for & against view - Be convincing; clear & easy to understand for jury - Be admissible; be able to be used in court Forensic Disk Controller - intercepting and modifying or discarding commands sent to the storage device - Write Blocking, intercepts write commands sent to the device and prevents them from modifying data on the device - Return data requested by a read operation - Returning access-significant information from device - Reporting errors from device to forensic host LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS Non digital: Videotapes and witness statements
Lighting
Glare protection - against blinding by lights. Continuous lighting - evenly distributed lighting. Controlled lighting - no bleeding over, no blinding. Standby lighting - timers. Responsive area illumination - IDS detects activities and turns on lighting. NIST: for critical areas the area should be illuminated 8 feet in height with 2-foot candle power
Backup types
Full - All files; archive bit and modify bit are cleared. Advantage: only the previous day needed for a full restore. Disadvantage: time consuming. Incremental - only modified files, archive bit cleared. Advantage: least time and space. Disadvantage: first restore the full, then all incremental backups, thus less reliable because it depends on more components. Note, a synthetic full backup makes a full copy then uses incremental updates (when needed); the backup server actually has a full backup since the incremental backups are combined into the master on each go around. Differential - only modified files, doesn't clear the archive bit. Advantage: full and only the last diff needed. Intermediate time between full and incremental. Redundant servers - applies the RAID 1 mirroring concept to servers. On error, servers can fail over. AKA server fault tolerance. Server clustering - group of independent servers which are managed as a single system. All servers are online and take part in processing service requests. Individual computing devices on a cluster vs. a grid system - cluster devices all share the same OS and application software, but grid devices can have different OSs while still working on the same problem. Tape Rotation Schemes - Grandfather/Father/Son, Tower of Hanoi, Six Cartridge Weekly. RAIT - robotic mechanisms to transfer tapes between storage and drive mechanisms. Mirror Backup = selected files/folders. Disk Imaging = backs up the physical disk at volume level
Backup strategy
Grandfather - Father - Son = 12 sets of backups
Firewalls
HIDS - Host-based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. It can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect. NIDS - Network-based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.
Things to know
Hackers and crackers - want to verify their skills as intruders. Entitlement - refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges. Aggregation - Privilege Creep, accumulating privileges. Hypervisor - software component that manages the virtual components. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept up to date with patches; it controls access to physical resources. Notebook - most preferred in a legal investigation is a bound notebook, pages are attached to a binding. Exigent circumstances allow officials to seize evidence before it's destroyed (police team fall in). Data haven is a country or location that has no laws or poorly enforced laws. Chain of custody = collection, analysis and preservation of data. Forensics uses a bit-level copy of the disk. Darknet - unused network space that may detect unauthorized activity. Pseudo flaw - false vulnerability in a system that may attract an attacker. FAIR INFORMATION PRACTICES • Openness • Collection Limitation • Purpose Specification • Use Limitation • Data Quality • Individual Participation • Security Safeguards • Accountability. Noise and perturbation: inserting bogus information in the hope of misleading an attacker. First step of the change process = management approval. NB: when a question is about processes, management's approval must always be the first step. PROTOTYPING: customer view taken into account. SQL - SUDIGR, 6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke. Bind variables are placeholders for literal values in a SQL query being sent to the database on a server. Bind variables in SQL are used to enhance the performance of a database. Monitor progress and planning of projects through GANTT and PERT charts. Piggybacking: looking over someone's shoulder to see how someone gets access.
Data center should have: • Walls from floor to ceiling • Floor: concrete slab, 150 pounds per square foot • No windows in a datacenter • Air-conditioning should have its own Emergency Power Off (EPO). Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems
Attacks
Hacktivists - combination of hacker and activist; often combine political motivations with the thrill of hacking. Thrill attacks - attacks launched only for the fun of it. Pride, bragging rights. Script kiddies - attackers who lack the ability to devise their own attacks will often download programs that do their work for them. The main motivation behind these attacks is the "high" of successfully breaking into a system. Service interruption. An attacker may destroy data; the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements. Business Attacks - focus on illegally obtaining an organization's confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself. Financial Attacks - carried out to unlawfully obtain money or services. Terrorist Attacks - the purpose of a terrorist attack is to disrupt normal life and instill fear. Military or intelligence attack - designed to extract secret information. Grudge Attacks - attacks that are carried out to damage an organization or a person. The damage could be the loss of information or information processing capabilities, or harm to the organization's or a person's reputation. Sabotage - a criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Espionage - the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government).
Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed by someone outside the organization. Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities. Integrity breaches - unauthorized modification of information; violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances. Confidentiality breaches - theft of sensitive information
vulnerability mgmt
ID'ing vuln's, evaluating them, and taking steps to mitigate risks associated with them -not possible to eliminate risks/vuln's
configuration documentation
ID's the current config of systems -ID's who is resp for the system and its purpose, and lists all changes from baseline
Software Forensics
Intellectual Property Malware Origins
Interviewing and Interrogation
Interviewing - gather facts and determine the substance of the case. Interrogation - evidence retrieval method, ultimately to obtain a confession. The Process - Due Process - prepare questions and topics, put the witness at ease, summarize information - interview/interrogation plan - have one person as lead and 1-2 others involved as well - never interrogate or interview alone
ALARMS
Local alarms - audible alarm for at least 4000 feet. Central stations - less than 10 minutes travel time, e.g. a private security firm. Proprietary systems - owned and operated by the customer. The system provides many of the features in-house. Auxiliary Station systems - on alarm, ring out to local fire or police. Line supervision - check that no tampering has been done with the alarm wires. Power supplies - alarm systems need separate circuitry and backup power
Evidence Paper Trail
Log of events (presented in court) 1. Initial collection 2. Transfer 3. Storage 4. Open and closing of container.
Investigation
MOM - means, opportunity and motive. Determine suspects. Victimology - why certain people are victims of crime and how lifestyle affects the chances that a certain person will fall victim to a crime. Investigation Types - Operational - Criminal - Civil - eDiscovery. When investigating a hard drive, don't use message digest because it will change the timestamps of the files when the file system is not set to read-only. Slack space on a disk should be inspected for hidden data and should be included in a disk image
Data destruction and reuse
Object reuse - use after initial use. Data remanence - data remaining after erasure. Format magnetic media 7 times (Orange Book). Clearing - overwriting media to be reused. Purging - degaussing or overwriting media to be removed. Destruction - complete destruction, preferably by burning
Witnesses
Opinion Rule - requires witnesses to testify only about the facts of the case; opinion cannot be used as evidence in the case. Expert Witnesses - used to educate the jury; their opinion can be used as evidence.
Intrusion detection
PHYSICAL PERIMETER DETECTION Electromechanical - detect a break or change in a circuit: magnets pulled loose, wires on doors, pressure pads. Photoelectric - light beams interrupted (as in a store entrance). Passive infrared - detects changes in temperature. Acoustical detection - microphones, vibration sensors. MOTION wave pattern motion detectors - detect motion. Proximity or capacitance detector - magnetic field detects presence around an object
Data Loss Prevention
PROTECT SENSITIVE INFORMATION Data loss prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns. Network-based DLP - scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator. Endpoint-based DLP - can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer. 3 states of information - data at rest (storage) - data in transit (the network) - data being processed (must be decrypted) / in use / end-point. Can look for sensitive information stored on hard drives
Security access cards
Photo ID card: dumb cards. Digital-coded cards: • Swipe cards • Smartcards. Wireless proximity cards • User activated • System sensing o Passive device, no battery, uses power of the field o Field Powered device: active electronics, transmitter, but gets power from the surrounding field from the reader. Transponders: both card and receiver hold power, transmitter and electronics
BCP
Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation
Discovery
Preservation --> Collection --> Production (share with other organizations)
Trusted Path
Protect data between users and a security component. Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange. ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY
Raid Levels
RAID 0 Striped, one large disk out of several - improved performance but no fault tolerance. RAID 1 Mirrored drives - fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed. RAID 2 not used commercially. Hamming code parity/error. RAID 3 Striped on byte level with extra parity drive - improved performance and fault tolerance, but the parity drive is a single point of failure and write intensive. 3 or more drives. RAID 4 Same as RAID 3 but striped on block level; 3 or more drives. RAID 5 Striped on block level, parity distributed over all drives - requires all drives but one to be present to operate; hot-swappable. Interleaved parity, recovery control; 3 or more drives. RAID 6 Dual parity, parity distributed over all drives - requires all drives but two to be present to operate; hot-swappable. RAID 7 is the same as RAID 5 but all drives act as one single virtual disk. Backup storage media: Tape: sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries. Disk: fast read/write, less robust than tape. Optical drive: CD/DVD. Inexpensive. Solid state: USB drive, security issues, protected by AES. MTTF (mean time to failure), MTTR (mean time to repair), MTBF Mean time between failures (Useful Life) = MTTF + MTTR. JBOD - MOST BASIC TYPE OF STORAGE
Recovery procedures
Recovery procedures: system should restart in secure mode Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals Fault-tolerant continues to function despite failure Fail safe system, program execution is terminated and system protected from compromise when hardware or software failure occurs DOORS usually Fail Closed/secure - most conservative from a security perspective Fail Open Fail Hard - BSOD, human to see why it failed Fail soft or resilient system, reboot, selected, non-critical processing is terminated when failure occurs Failover, switches to hot backup. FAIL SAFE: doors UNLOCK FAIL SECURE: doors LOCK
Evidence
Sufficient -persuasive enough to convince one of its validity Reliable -consistent with fact, evidence has not been tampered with or modified Relevant -relationship to the findings must be reasonable and sensible, Proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts Permissible - lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence Preserved and identifiable - collection, reconstruction Identification labeling, recording serial number etc. Evidence must be preserved and identifiable •Collection, documentation, classification, comparison, reconstruction EVIDENCE LIFECYCLE 1. Discovery 2. Protection 3. Recording 4. Collection and identification 5. Analysis 6. Storage, preservation, transportation 7. Present in court 8. Return to owner Witnesses that evidence is trustworthy, description of procedures, normal business methods collections, error precaution and correction
Disaster recovery process
TEAMS Recovery team - mandated to implement recovery after the declaration of the disaster. Salvage team - goes back to the primary site to restore normal processing environmental conditions. Clean, repair, salvage. Can declare when the primary site is available again. Normal Operations Resume plan has all procedures on how the company will return processing from the alternate site. Other recovery issues: Interfacing with other groups: everyone outside the corporation. Employee relations: responsibility towards employees and families. Fraud and Crime: like vandalism, looting and people grabbing the opportunity. Financial disbursement. Media relations: 1. Find someone to run it. Documenting the Plan: Activation and recovery procedures, Plan management, HR involvement, Costs, Required documentation, Internal/external communications, Detailed plans by team members. GET COMMUNICATIONS UP FIRST, THEN MOST CRITICAL BUSINESS FUNCTIONS
Employees during BCP/DR event
Temp roles (learning during awareness training), ends when things are back to normal. Employee safety is #1.
Access Control Head End
The application software housed in the CPU is the physical intelligent controller where all access control systems are actively monitored, recorded into history, commanded, and controlled by the operator. Current access systems allow each local security panel to hold the system logic for its associated devices. The CPU retains the system-specific programming to allow entry (access) for authorized personnel and deny access to unauthorized personnel.
Physical Security
Visitor Mgmt 1. Cameras 2. Logs 3. Badges 4. No tailgating, use a mantrap.
Locks
Warded lock - Hanging lock with a key Tumbler lock - Cylinder slot Combination lock - 3 digits with wheels Cipher Lock - Electrical Device lock - Bolt down hardware Preset - Ordinary door lock Programmable - Combination or electrical lock Raking - Circumvent a pin tumbler lock
Network Forensics
Wireshark Network data flow
botnet
bot herder: criminal who controls all the computers in the botnet -computers often join by accidentally infecting themselves with malware protection: 1) up to date antimalware 2) up to date browsers/plugins
IDS active response
can modify the environment using several different methods: 1) modifying ACL's to block traffic based on ports 2) block specific IP's
proxy logs
can record details such as what sites users visit, how much time they spend, what time prohibited sites are visited -can control what websites users can visit -(proxy servers improve internet access perf)?
firewall logs
can record events about any traffic that reaches a firewall -commonly log source/destination IP, source/destination ports, but not the packet contents
endpoint-based DLP
can scan files stored on a system as well as files sent to external devices -can prevent users from copying data to USB drives or sending sensitive info to printers -
CSP
cloud service provider
drive-by download
code downloaded and installed on a user's system w/o the user's knowledge
patch
code written to correct a bug/vuln or improve perf of existing software
service packs
collections of patches that bring a system up-to-date with current patches
split knowledge
combines the concepts of sep of duties and 2-person control into a single solution -the info/privilege required to perform an operation should be divided among 2 or more users -ensures no single person has sufficient priv's to compromise the sec of the environment
CIRT
computer incident response team -designated incident response team
honeypots
computers created as a trap for intruders -can be legally used as an enticement device if the intruder discovers it through no outward efforts of the owner
behavior-based IDS (aka statistical detection, anomaly detection, heuristics-based detection)
creates a baseline of normal activities/events, then watches for abnormalities from this baseline for alerts -if the network is modified, the baseline needs to be updated -can be labeled as an expert system or pseudo-artificial intelligence system because it can learn and make assumptions -often raises a high number of false flags
sandboxing
creates a sec boundary for app's and prevents the app from interacting with other app's -great for testing unknown app's
sabotage
criminal act by employees to destroy/disrupt -occurs most often when an employee suspects they will be fired w/o just cause, or employee retains access after leaving protection: 1) employee terminations should be handled swiftly, account access should be disabled asap afterwards 2) intensive auditing 3) open lines of comm b/t mgr's and employees 4) properly compensating employees
destroying data
data should be destroyed when no longer needed -deleting files will not be sufficient, so more thorough methods are needed
log analysis
detailed and systematic form of monitoring in which the logged info is analyzed for trends, abnormal, unauth, illegal, and policy-violating activities
detection
detect and verify that an incident is legitimate
memorandum of understanding (MOU)
document the intention of two entities to work together toward a common goal -less formal than an SLA and does not include any monetary penalties
DRDoS (distributed reflective denial of service)
doesn't attack the victim directly, but manipulates traffic or a network service so that the attacks are reflected back to the victim from other sources -ex: DNS poisoning and smurf attacks
watermarking
embedding an image/pattern in paper that isn't readily perceivable -can mark files according to their sensitivity ("confidential", "proprietary") -can be detected by DLP systems -can be used to digitally mark a file for copyright reasons
zero-day exploit
exploiting a vuln that is unknown to others 3 contexts: 1) attacker first discovers a vuln- (most common def; vendor is unaware of vuln) 2) vendor learns of vuln 3) vendor releases patch- time gap from when system is patched to when vuln is apparent protection: 1) remove unneeded services 2) enable firewalls 3) use IDS/IPS 4) honeypots, padded cells
transitive trust
extends the trust relationship b/t 2 security domains to all of their subdomains
pseudo flaws
false vuln's intentionally implanted in a system to tempt attackers
smurf attack
floods victim with ICMP echo packets instead of TCP SYN packets. -uses a spoofed broadcast ping request using the IP of the victim as the source IP -take advantage of an amplifying network (aka smurf amplifier) by sending a directed broadcast thru a router, which combine to attack the victim -a change in the default router settings disables the ability to forward directed broadcast traffic -these attacks are rarely a problem today (ping uses ICMP to check connectivity with remote systems) -prevention: 1) disable ICMP on firewalls, routers, servers
ping flood attack
floods victim with ping requests -very effective when launched by zombies in a botnet
mandatory vacations
forces an employee to take 1-2 week vacations periodically -peer review and helps detect fraud and collusion -deterrent and detection mechanism
clipping
form of non-statistical sampling -selects only events that exceed a "clipping level", which is a predefined threshold for the event -system ignores events until they reach this threshold -ex: raising an alarm for 5 failed logon attempts in 30 min -does not offer an accurate representation of the whole body of data and will ignore events that don't reach the clipping level
espionage
gathering proprietary, secret, private, sensitive, or confidential info about an org -info is often sold or used by foreign govt protection: 1) strictly control access to nonpublic data 2) thoroughly screen new employees 3) track employee activities
audit trails
give investigators ability to reconstruct events long after they have occurred -can record access abuses, privilege violations, attempted intrusions, etc -passive form of detective sec control -serve as deterrent -important as evidence in the prosecution of criminals
Microsoft Sec Bulletins
good source of vuln info but not comprehensive db of known issues.
security audits/review
help ensure that an org has implemented sec controls properly -common items to check: 1) patch mgmt 2) vuln mgmt 3) config mgmt 4) change mgmt
IPS (intrusion prevention system)
includes all the capabilities of an IDS but can also prevent intrusions -can function as IDS if extra features are disabled -*placed in-line with traffic* -can choose what traffic to forward/block -can use knowledge based and/or behavior based detection
public cloud model
includes assets available for any consumers to rent/lease and is hosted by an external CSP -SLA's can ensure the CSP provides acceptable services -vendor builds a single platform that is shared among many different customers
Bugtraq
just a mailing list for software bug notifications
rogueware
malware that is promoted as antimalware
versioning
numbering system to differentiate different software versions
vulnerability assessments
often include vuln scan results -can determine if an org is addressing vuln's -often done as part of a risk analysis/assessment -pen tests often start with one of these
private cloud deployment model
org's create and host private clouds using their own resources -org is resp for all maintenance -org can also rent resources from a 3rd party and split maintenance requirements
padded cell
performs intrusion isolation -after detection, intruder is automatically transferred here, which resembles a real environment but is fake and attacker cannot perform any dangerous activities -admin's can gather evidence here
lessons learned
personnel examine the incident and the response to see if there are any lessons that can be learned -incident response team will be involved -output of this stage can be fed back to the detection stage -common to create a report after this step
remediation
personnel look at the incident and attempt to ID what allowed it to occur, and then implement methods to prevent it from happening again -*includes a root cause analysis*
storing data
physical sec methods protect stored backups against theft -environmental controls protect data against corruption losses
virtual machines (VM's)
run as guest OS's on physical servers. -include extra processing power, memory, and disk storage
network based DLP
scans all outgoing data looking for specific data -if sensitive data is sent, the DLP will detect it, prevent it from leaving, and send an alert
segregation of duties
similar to sep of duties/resp, but it also combines the principle of least privilege -goal is to ensure that individuals do not have excessive system access that may result in a conflict of interest -if duties are properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up
SIEM (sec info event mgmt)
tool that provides real time analysis of events on a system -centralized app to automate system monitoring
RFID (radio frequency ID)
transmit radio info from devices to keep track of their location -more expensive than bar codes, but reduce time needed to conduct an inventory
handling data
transporting data -key is to provide the same level of protection for the data during transport as it was during storage -level of protection is dependent on the value of the data -encryption helps
software defined everything (SDx)
trend of replacing hardware with software using virtualization
hybrid models
use a combo of 2+ cloud models
baseline images
used to create baselines -3 steps: 1) admin installs OS/app's, configures system sec and tests 2) admin captures a system image 3) image is deployed to systems as needed
interconnection security agreement (ISA)
used when 2+ parties plan to transmit sensitive data to specify the technical requirements of the connection -provides info on how 2 org's establish, maintain, and disconnect the connection -id's the minimum enc to be used
knowledge-based IDS (aka signature based, or pattern-matching)
uses db of known attacks developed by the IDS vendor -effective only against known attack methods
war dialing
using a modem to search for a system that accepts inbound connection attempts -systematically dials phone numbers and listens for computer carrier tones to collect numbers -can search any range of #'s -newer forms can use VoIP to make calls w/o modems, which can scan many more phone numbers and detect more devices protection: 1) strong authentication 2) use callback sec 3) ensure no unauthorized modems are present 4) restrict what P's are present 5) use call logging
interim report
written or verbal report given to the org about any observed sec weaknesses that demand immediate attention. -issued by auditors whenever a problem is too important to wait until the final audit report
Order of volatility
{Time} 1. Network traffic 2. Memory Contents 3. System and processed data 4. Files 5. Logs 6. Archived Records
Disaster Processing Continuity plan
■ Reciprocal Agreement - In this strategy, the organization signs an agreement with a similar business operation to provide backup capabilities to each other in the event either experiences a disaster.
■ Mobile Unit - A mobile unit is typically a contract with a vendor to provide a mobile trailer at the time of disaster, which contains the specified equipment necessary to support recovery.
■ Outsourcing / Cloud - The technology environment is outsourced to a vendor who provides the disaster recovery plan for the applications that are deemed critical to the business.
Subscription services - Third-party commercial services provide alternate backup and processing facilities. Most common of implementations!
- Redundant - Mirrored site, potential 0 down time
- HOT SITE - Internal/External, fully configured computer facility. All applications are installed, up-to-date mirror of the production system. For extremely urgent critical transaction processing. Advantage: 24/7 availability and exclusive use are assured. Short and long term. Disadvantage: extra administrative overhead, costly, security controls need to be installed at the remote facility too. Exclusive to one company. Hours to be up.
- WARM SITE - Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take a long time to order are present. Workstations have to be delivered and data has to be restored. Advantage: less costly, more choices of location, less administrative resources. Disadvantage: it will take some time to start production processing. Nonexclusive. 12 hours to be up.
- COLD SITE - Least ready but most commonly used. Has no hardware installed, only power and HVAC. Disadvantage: very lengthy time of restoration, false sense of security, but better than nothing. Advantage: cost, ease of location choice. Nonexclusive. Week to be up.
- Dual Data Center - This strategy is employed for applications that cannot accept any downtime without unacceptably impacting the business. The applications are split between two geographically dispersed data centers and either load-balanced between the two centers or hot-swapped between them. The surviving data center must have enough capacity to carry the full production load in either case.
- SERVICE BUREAU - Contract with a service bureau to fully provide alternate backup processing services. Advantage: quick response and availability, testing is possible. Disadvantage: expense, and it is more of a short-time option.
Multiple centers (aka dual sites) - Processing is spread over several computer centers. Can be managed by the same corporation (in-house) or with another organization (reciprocal agreement). Advantage: costs; multiple sites will share resources and support. Disadvantage: a major disaster could affect both sites; multiple configurations have to be administered.
Other data center backup alternatives:
- Rolling/mobile sites - Mobile homes or HVAC trucks. Could be considered a cold site.
- In-house or external supply of hardware replacements - Stock of hardware either onsite or with a vendor. May be acceptable for a warm site but not for a hot site.
- Prefabricated buildings - A very cold site.
RTO: recovery time objective. Refers to business processes, not hardware. RTO 5 minutes or hours: hot site; RTO 1-2 days: warm site; RTO 3-5 days: mobile site; RTO 1-2 weeks: cold site.