6 phases of IRP
1 Preparation
2 Identification
3 Containment
4 Eradication
5 Recovery
6 Lessons Learned
Business Partnership Agreement (BPA)
A business partnership agreement (BPA) is a legal agreement between partners that establishes the te
Capture the Flag
A capture-the-flag event is hands-on computer skill training where a user is tested to see if they can perform specific actions. Should they perform the actions correctly, they will uncover a flag that shows they have completed the test successfully. Many hacking competitions are variations of capture-the-flag events.
Cybersecurity Insurance
A common method of transferring risk is to purchase cybersecurity insurance. Insurance allows risk to be transferred to a third party that manages specific types of risk for multiple parties, thus reducing the individual cost.
Communication Plan
A communication plan, as part of the incident response effort, defines who must be informed of an incident (internal stakeholders, customers, regulators, law enforcement), what they are told, when, and through which channels, and assigns responsibility for each of those communications. It is a key element to be developed during the preparation phase, not improvised during an incident.
Video
A convenient method of capturing significant information at the time of collection is video capture. Videos allow high-bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth.
Disaster Recovery Plan
A disaster recovery plan (DRP) is critical for effective disaster recovery efforts. A DRP defines the data and resources necessary and the steps required to restore critical organizational processes.
Hashing
A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC). It applies mathematical operations to a data stream (or file) to calculate a fixed-size value that depends on every bit of the input. Unlike a checksum, a cryptographic hash is designed so that it is computationally infeasible to find two different inputs with the same value. If a subsequent hash created on the same data stream results in a different hash value, the data stream was changed.
Classification
A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling. Factors that affect the classification of specific information include its value to the organization (what will be the impact to the organization if this information is lost?), its age, and laws or regulations that govern its protection. Data classification is covered in detail in Chapter 35, "Privacy."
Onboarding
A key element when onboarding personnel is to ensure that the personnel are aware of and understand their responsibilities with respect to securing company information and assets. Agreements with business partners tend to be fairly specific with respect to terms associated with mutual expectations associated with the process of the business. Ensuring the correct security elements are covered during onboarding is essential to setting proper employee expectations. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end.
Single Point of Failure
A key principle of security is defense in depth. This layered approach to security is designed to eliminate any specific single point of failure (SPOF). A single point of failure is any system component whose failure or malfunctioning could result in the failure of the entire system. An example of a single point of failure would be a single connection to the Internet—fine for a small business, but not so for a large enterprise with servers providing content to customers. Redundancies have costs, but if the alternative cost is failure, then implementing levels of redundancy is acceptable. For mission-essential systems, single points of failure are items that need to be called to management's attention, with full explanation of the risk and costs associated with them. In some scenarios, avoiding a single point of failure may not be possible or practical, in which case everyone in the organization with responsibility for risk management should understand the nature of the situation and the resultant risk profile.
Memorandum of Understanding (MOU)
A memorandum of understanding (MOU) and memorandum of agreement (MOA) are legal documents used to describe a bilateral agreement between parties. They are written agreements that express a set of intended actions between the parties with respect to some common pursuit or goal. Typically, an MOU has higher-level descriptions, whereas an MOA is more specific; however, the boundary between these two legal terms is blurry and they are often used interchangeably. Both are more formal and detailed than a simple handshake, but they generally lack the binding powers of a contract. MOUs/MOAs are also commonly used between different units within an organization to detail expectations associated with the common business interest, including security requirements.
Lessons Learned
A postmortem session should collect lessons learned and assign action items to correct weaknesses and to suggest ways to improve.
Risk Assessment Types
A risk assessment is a method to analyze potential risk based on statistical and mathematical models. You can use any one of a variety of models to calculate potential risk assessment values. A common method is the calculation of the annual loss expectancy (ALE). Calculating the ALE creates a monetary value of the impact. This calculation begins by calculating a single-loss expectancy (SLE), which is presented in detail later in the chapter.
Risk Control Assessment
A risk control assessment is a tool used by the Financial Industry Regulatory Authority (FINRA) to assess a series of risks associated with their member institutions. Questions are asked about a wide range of topics, including cybersecurity. Answers to these questions paint a fairly detailed picture of the potential risk exposures a firm has, given its policies and practices.
Risk Matrix/Heat Map
A risk matrix or heat map is used to visually display the results of a qualitative risk analysis. This method allows expert judgment and experience to assume a prominent role in the risk assessment process and is easier than trying to exactly define a number for each element of risk.
Risk Register
A risk register is a list of the risks associated with a system. It also can contain additional information associated with the risk element, such as categories to group like risks, probability of occurrence, impact to the organization, mitigation factors, and other data. There is no standardized form. The Project Management Institute has one format, other sources have different formats. The reference document ISO Guide 73:2009 Risk Management—Vocabulary defines a risk register to be a "record of information about identified risks."
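A worked example for the two preceding entries, Risk Matrix/Heat Map and Risk Register. This is added code, not a format from the text or from the Project Management Institute: the register rows, the 5x5 scale and the rating thresholds are all constructed assumptions, since, as the text notes, there is no standardized form.

```python
"""Qualitative risk register scored and plotted on a 5x5 likelihood x impact matrix.

Added example with constructed entries; the scales and rating cut-offs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]  # 1..5
IMPACT = ["Negligible", "Minor", "Moderate", "Major", "Severe"]            # 1..5


def rate(score: int) -> str:
    """Turn a likelihood x impact product into the qualitative band shown on the heat map."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str      # groups like risks together
    likelihood: int    # 1..5, expert judgment
    impact: int        # 1..5, expert judgment
    mitigation: str = ""

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return rate(self.score)


def heat_map(register: list[Risk]) -> list[list[list[str]]]:
    """5x5 grid indexed [impact-1][likelihood-1], each cell holding the IDs plotted there."""
    grid: list[list[list[str]]] = [[[] for _ in LIKELIHOOD] for _ in IMPACT]
    for r in register:
        grid[r.impact - 1][r.likelihood - 1].append(r.risk_id)
    return grid


def ranked(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare items stay visible."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def render(register: list[Risk]) -> str:
    """Text heat map: severe impact at the top, likelihood increasing left to right."""
    grid = heat_map(register)
    lines = []
    for i in range(4, -1, -1):
        cells = [f"{','.join(grid[i][l]) or '.':>6}" for l in range(5)]
        lines.append(f"{IMPACT[i]:>14} | " + " ".join(cells))
    lines.append(" " * 14 + " +" + "-" * 35)
    lines.append(" " * 17 + " ".join(f"{LIKELIHOOD[l][:6]:>6}" for l in range(5)))
    return "\n".join(lines)


# Constructed register entries (not real findings).
REGISTER = [
    Risk("R1", "Unpatched VPN appliance exposed to the Internet", "Technical", 4, 5, "emergency patch window"),
    Risk("R2", "Single overseas supplier for a critical part", "Supply chain", 2, 4, "qualify second source"),
    Risk("R3", "Phishing of finance staff", "People", 5, 3, "role-based training, payment call-back"),
    Risk("R4", "Laptop left on a train", "Physical", 3, 2, "full-disk encryption"),
    Risk("R5", "Badge reader misconfigured", "Physical", 1, 2, "quarterly access review"),
]

if __name__ == "__main__":
    print(render(REGISTER))
    for r in ranked(REGISTER):
        print(f"{r.risk_id} {r.rating:8} score={r.score:2} {r.description}")
```

The ranking is what turns the picture into a work list: the two items that land in the top-right band of the map are the ones management is asked to fund first.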
Service Level Agreement (SLA)
A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations.
Personnel
A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user's organization. Through the establishment, enforcement, and monitoring of personnel-related policies (personnel management), an organization can create a framework that empowers its workers to achieve business objectives yet keeps them constrained within recommended security practices. This section covers a dozen security topics related to the management of personnel.
Simulations
A simulation is an approximation of the operation of a process or system that is designed to represent the actual system operations over a period of time.
Snapshot
A snapshot is a copy of the state of a system, virtual machine, or storage volume captured at a particular moment in time, so that the system can later be compared against or restored to that point.
Supply Chain
A supply chain is a set of firms that operate together to manage the movement of goods and services between firms. If you order a part from a foreign supplier that will become part of your product being manufactured in another country, how do all the parts get to the right place for assembly, at the right time? Supply chains handle the details that make all of this happen.
Tabletop
A tabletop exercise is one that is designed for the participants to walk through all the steps of a process, ensuring all elements are covered and that the plan does not forget a key dataset or person.
Functional Recovery Plans
Accidents, disasters, and interruptions to business processes happen. This is why we have business continuity plans (BCPs). But what comes next? Functional recovery plans represent the next step—the transition from operations under business continuity back to normal operations. Just as the transition to business continuity operations needs to be planned, so too does the functional recovery plan. While the transition to disaster operations is fast, and planning is based on prioritized assessment of the level of critical importance with respect to continuing operations, the basis for the functional recovery plan is different. The functional recovery plan can be much more organized and staged over time, working to drive consistent efficiencies as opposed to speed. This can be done function by function and is driven by the function needs.
Acquisition
Acquisition refers to the collection of information that may be evidence in an investigation. Evidence consists of the documents, verbal statements, and material objects admissible in a court of law.
Administrator/Root Accounts
Administrator and root accounts have elevated privileges and require closer scrutiny as to who is issued these credentials and how they are used and monitored. Detailed information concerning the additional safeguards needed for these accounts is detailed in Chapter 24, "Implement Authentication and Authorization."
Annualized Loss Expectancy (ALE)
After the SLE has been calculated, the annual loss expectancy (ALE) is then calculated simply by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO): ALE = SLE × ARO
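A worked example of the calculation in the Risk Assessment Types and Annualized Loss Expectancy entries. This is added code, not a formula sheet from the text; the figures are constructed. It uses the standard definition SLE = AV × EF (asset value times exposure factor) that the text defers to elsewhere, and extends the ALE to the question it exists to answer: whether a proposed control costs less per year than the loss it removes.

```python
"""Single loss expectancy (SLE), annualized loss expectancy (ALE) and control cost/benefit.

Added example with constructed figures. Formulas used (standard definitions):
  SLE = AV x EF     asset value times exposure factor (fraction of AV lost per event)
  ALE = SLE x ARO   times the annualized rate of occurrence
A control pays for itself when the ALE it removes exceeds its own annual cost.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, 0.0..1.0
    aro: float              # expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    new_ef: float | None = None   # EF after the control (None = unchanged)
    new_aro: float | None = None  # ARO after the control (None = unchanged)


def sle(t: Threat) -> float:
    """Dollars lost in a single occurrence."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError(f"{t.name}: EF must be between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Expected dollars lost per year."""
    return sle(t) * t.aro


def apply_control(t: Threat, c: Control) -> Threat:
    """The residual threat once the control is in place."""
    return replace(
        t,
        exposure_factor=t.exposure_factor if c.new_ef is None else c.new_ef,
        aro=t.aro if c.new_aro is None else c.new_aro,
    )


def net_benefit(t: Threat, c: Control) -> float:
    """Annual loss avoided minus the control's annual cost; positive means buy it."""
    return ale(t) - ale(apply_control(t, c)) - c.annual_cost


def evaluate(scenarios: list[tuple[Threat, Control]]) -> list[dict]:
    """Rank candidate controls by net benefit so budget goes to the best ones first."""
    rows = []
    for t, c in scenarios:
        rows.append({
            "threat": t.name, "control": c.name,
            "ale_before": ale(t), "ale_after": ale(apply_control(t, c)),
            "net_benefit": net_benefit(t, c),
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenarios (illustrative figures only).
RANSOMWARE = Threat("ransomware on file server", asset_value=500_000, exposure_factor=0.4, aro=0.5)
OFFLINE_BACKUPS = Control("offline backups", annual_cost=15_000, new_ef=0.1)
LAPTOP_THEFT = Threat("laptop theft", asset_value=3_000, exposure_factor=1.0, aro=10)
DISK_ENCRYPTION = Control("full-disk encryption", annual_cost=5_000, new_ef=0.2)
# Reduces frequency a little but costs more than the loss it avoids.
GOLD_PLATING = Control("redundant SOC tooling", annual_cost=50_000, new_aro=0.4)

SCENARIOS = [(RANSOMWARE, OFFLINE_BACKUPS), (LAPTOP_THEFT, DISK_ENCRYPTION), (RANSOMWARE, GOLD_PLATING)]

if __name__ == "__main__":
    for row in evaluate(SCENARIOS):
        print(f"{row['threat']:28} {row['control']:24} "
              f"ALE {row['ale_before']:>10,.0f} -> {row['ale_after']:>9,.0f}  net {row['net_benefit']:>+10,.0f}")
```

For the ransomware row this works out to SLE = 500,000 × 0.4 = 200,000 and ALE = 200,000 × 0.5 = 100,000 per year; offline backups that cut EF to 0.1 bring the ALE to 25,000, so at 15,000 per year they return a net 60,000. The third scenario is the case the calculation is meant to catch: a control that does reduce risk but costs more than the loss it avoids.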
Documentation/Evidence
All evidence is not created equal. Some evidence is stronger and better than other, weaker evidence. Several types of evidence can be germane:
• Direct evidence Oral testimony that proves a specific fact (such as an eyewitness's statement). The knowledge of the facts is obtained through the five senses of the witness, with no inferences or presumptions.
• Real evidence Also known as associative or physical evidence, this includes tangible objects that prove or disprove a fact. Physical evidence links the suspect to the scene of a crime.
• Documentary evidence Evidence in the form of business records, printouts, manuals, and the like. Much of the evidence relating to computer crimes is documentary evidence.
• Demonstrative evidence Used to aid the jury and can be in the form of a model, experiment, chart, and so on, offered to prove that an event occurred.
Acceptable Use Policy
An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks. Organizations should be concerned about any personal use of organizational assets that does not benefit the company.
Network
An important source of information in an investigation can be the network activity associated with a device. There can be a lot of useful information in the network logs associated with network infrastructure. The level and breadth of this information is determined by the scope of the investigation. While the best data would be from a live network forensic collection process, in most cases this type of data will not be available. There are many other sources of network forensic data, including firewall and IDS logs, network flow data, and event logs on key servers and services.
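An added example of the kind of triage run over the network flow data this entry mentions. It is not code from the text or from any flow collector: the records are constructed in a simplified CSV form (a real NetFlow or IPFIX export would first be decoded by a collector), and the company address ranges are an assumption. It flags two things an investigator looks for first: large outbound transfers to addresses outside the company, and connections that repeat at a suspiciously regular interval.

```python
"""Triage of flow records for large external transfers and beaconing.

Added example over constructed records in the form 'start,src,dst,dst_port,bytes'.
COMPANY_NETS is an assumption; replace it with the organization's real address space.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

COMPANY_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]  # assumed

# Constructed flow export (not a real capture).
FLOWS = """\
start,src,dst,dst_port,bytes
2024-03-01T09:00:00,10.1.4.22,192.0.2.10,443,18000
2024-03-01T09:00:05,10.1.4.22,203.0.113.50,443,5400
2024-03-01T09:10:05,10.1.4.22,203.0.113.50,443,5400
2024-03-01T09:20:05,10.1.4.22,203.0.113.50,443,5410
2024-03-01T09:30:05,10.1.4.22,203.0.113.50,443,5390
2024-03-01T09:40:05,10.1.4.22,203.0.113.50,443,5400
2024-03-01T09:03:00,10.1.4.37,198.51.100.20,22,620000000
2024-03-01T09:04:00,10.1.4.51,192.0.2.25,445,90000000
2024-03-01T09:05:00,10.1.4.51,203.0.113.77,80,120000
"""


def parse_flows(text: str) -> list[dict]:
    lines = text.splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        if not line.strip():
            continue
        rec = dict(zip(header, line.split(",")))
        rec["start"] = datetime.fromisoformat(rec["start"])
        rec["dst_port"] = int(rec["dst_port"])
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in COMPANY_NETS)


def large_external_transfers(flows: list[dict], min_bytes: int = 100_000_000) -> list[tuple]:
    """Total bytes per (src, dst) leaving the company, above a size worth a look."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted((pair, total) for pair, total in totals.items() if total >= min_bytes)


def beacons(flows: list[dict], min_flows: int = 4, max_jitter: float = 0.1) -> list[tuple]:
    """(src, dst) pairs whose inter-flow gaps are nearly constant: the signature of a C2 check-in."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for f in flows:
        if is_external(f["dst"]):
            by_pair[(f["src"], f["dst"])].append(f["start"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # coefficient of variation: humans and browsers are bursty, implants are metronomic
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((pair, round(mean)))
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print("large external transfers:", large_external_transfers(flows))
    print("beacons (pair, period s):", beacons(flows))
```

The 90 MB SMB transfer to 192.0.2.25 is deliberately not flagged: it stays inside the assumed company space, which is exactly the judgment the scope of the investigation has to make explicit.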
Incident Response Plans
An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network. Two major elements play a role in determining the level of response. Information criticality is the primary determinant, and this comes from the data classification and the quantity of data involved. The second factor is how the incident potentially affects the organization's operations. A series of breaches, whether minor or not, indicates a pattern that can have public relations and regulatory issues.
Job Rotation
Another policy that provides multiple benefits is job rotation. Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization's security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual leaves the organization. In addition, if only one individual understands the security domain, should that person become disgruntled and decide to harm the organization, recovering from their attack could be very difficult.
Application
Application logs are generated by the applications themselves as they run.
Application Server
Application servers are the part of the enterprise that handles specific tasks we associate with IT systems.
Artifacts
Artifacts are the key element in modern digital forensics. Most of the items used to demonstrate a specific action as occurring fall into one of two categories: metadata or OS artifacts.
Internal vs. External
As mentioned previously in the chapter, threats can come from internal and external sources. Internal threats have their origin within an organization, whereas external risks come from the outside. When disasters are examined, they can be seen to have originated either within the company or outside the company. While it is easy to always blame an outside force, in many cases, internal policies and procedures increase a firm's risk profile for easily understood external risks. If supply chain decisions are made to go with a single overseas vendor for a minor price advantage, with no backup, and then a disaster strikes the country of the supplier, is this an internal or external risk? It can be viewed as both, but an internal policy decision drives the risk of going with a single vendor.
Asset Management
Asset management is the policies and processes used to manage the elements of the system, including hardware, software, and the data that is contained within them.
Attack Frameworks
Attack frameworks provide a roadmap of the types of actions and sequence of actions used when attacking a system. Frameworks bring a sense of structure and order to the multidimensional problem associated with defending a variety of systems against multiple different types of attackers with various objectives.
Authentication
Authentication logs contain information about successful and failed authentication attempts. The most common source of authentication log information comes from the system's security logs, but additional sources exist as well.
Avoidance
Avoiding the risk can be accomplished in many ways. Although you can't remove threats from the environment, you can alter the system's exposure to the threats. Not deploying a module that increases risk is one manner of risk avoidance.
Bandwidth monitors
Bandwidth Monitors
Benchmarks and Secure Configuration Guides
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented.
Business Impact Analysis
Business impact analysis (BIA) is the process used to determine the sources and relative impact values of risk elements in a process. It is also the name often used to describe a document created by addressing the questions associated with sources of risk and the steps taken to mitigate them in the enterprise. The BIA also outlines how the loss of any of your critical functions will impact the organization. This section explores the range of terms and concepts related to conducting a BIA.
Regulations, Standards, and Legislation
Business operations never happen in a vacuum; there are at least some policies and procedures one must follow. But these policies and procedures get their direction from regulations, standards, and legislation. Laws are made by the legislative bodies of government to create a specified set of conditions and penalties. Government agencies develop and issue regulations to implement the laws. Standards are sets of consensus-built specifications for products, services, or systems. A wide range of different bodies create standards, and whether or not one wishes to follow them is a business decision. Laws and regulations must be followed; otherwise, the consequences specified within them can be invoked by the government.
Business Partners
Business partners are entities that share a relationship with a firm in their business pursuits. Business partners can be enrolled in a business effort for multiple reasons: to share risk, share liability, share costs, leverage specialty expertise, and more.
Cache
Caches are temporary storage locations for commonly used items and are designed to speed up processing.
Change Control
Change control is the process of how changes to anything are sourced, analyzed, and managed. Change control is a subset of change management, focused on the details of a change and how it is documented.
Checksums
Checksums are simple mathematical algorithms that produce a small check value from an incoming data stream. Designed for error detection across small data sets, they have advantages and disadvantages. One advantage is that they are fast and will always detect a single-bit error. A disadvantage is that they miss many multi-bit errors, because a second error can cancel the effect of the first on the checksum; and because it is trivial to craft such a change deliberately, a checksum detects accidents but not tampering.
Computer-Based Training (CBT)
Computer-based training (CBT) is the use of a computer program to manage training of users. Self-paced modules can facilitate skill development across a wide range of skills, and the flexibility of CBT is very attractive. Not all learners learn well under these circumstances, but for those who do, CBT provides a very affordable, scalable training methodology.
Containment
Containment is the set of actions taken to constrain the incident to a minimal number of machines. This preserves as much of production as possible and ultimately makes handling the incident easier.
Control Risk
Control risk is a term used to specify risk associated with the chance of a material misstatement in a company's financial statements. This risk can be manifested in a couple ways: either there isn't an appropriate set of internal controls to mitigate a particular risk or the internal controls set in place malfunctioned. Business systems that rely on IT systems have an inherent risk associated with cybersecurity risks.
Reputation
Corporate reputation is important in marketing. Would you deal with a bank with a shoddy record of accounting or losing personal information? How about online retailing? Would the customer base think twice before entering their credit card information after a data breach? These are not purely hypothetical questions; these events have occurred, and corporate reputations have been damaged as a result, thus costing the firms in customer base and revenue.
Correlation
Correlation is the process of establishing a relationship between two variables. However, as a wise scientist once stated, correlation is not causation, meaning that just because measurements trend together doesn't mean one causes the other.
Credential Policies
Credential policies refer to the processes, services, and software used to store, manage, and log the use of user credentials. User-based credential management solutions are typically aimed at assisting end users in managing their growing set of passwords.
DNS
DNS logs, when enabled, can contain a record for every query and response. This can be a treasure trove of information for an investigator because it can reveal malware calling out to its command-and-control server, or data transfers to non-company locations.
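An added example of hunting through DNS query logs for the two things this entry calls out: malware talking to its command-and-control server and data leaving over DNS. It is not code from the text; the log lines are constructed in a simplified 'timestamp client qtype qname rcode' form rather than any resolver's native format, and the thresholds are assumptions. Tunneling and many C2 channels hide data in long, random-looking leftmost labels under one domain, and domain-generation malware produces bursts of NXDOMAIN answers, so both are measured here.

```python
"""Hunting in DNS query logs for tunneling/C2 and NXDOMAIN bursts.

Added example over constructed log lines; thresholds are assumptions to tune
against your own baseline.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict

DNS_LOG = """\
2024-03-01T09:00:01 10.1.4.22 A www.example.com NOERROR
2024-03-01T09:00:02 10.1.4.22 A mail.example.com NOERROR
2024-03-01T09:00:03 10.1.4.37 TXT 3e9f1a7c4b2d8e0f5a6b7c8d9e0f1a2b.tun.badcdn.net NOERROR
2024-03-01T09:00:04 10.1.4.37 TXT 9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d.tun.badcdn.net NOERROR
2024-03-01T09:00:05 10.1.4.37 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tun.badcdn.net NOERROR
2024-03-01T09:00:06 10.1.4.37 TXT f0e1d2c3b4a5968778695a4b3c2d1e0f.tun.badcdn.net NOERROR
2024-03-01T09:00:07 10.1.4.51 A hgfjkweq.example.com NXDOMAIN
2024-03-01T09:00:08 10.1.4.51 A qpwoeiru.example.com NXDOMAIN
2024-03-01T09:00:09 10.1.4.51 A zxcmnbvl.example.com NXDOMAIN
2024-03-01T09:00:10 10.1.4.22 A cdn.example.com NOERROR
"""


def parse(log: str) -> list[dict]:
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname, rcode = line.split()
        rows.append({"ts": ts, "client": client, "qtype": qtype,
                     "qname": qname.lower().rstrip("."), "rcode": rcode})
    return rows


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption: a production tool would consult the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_tunneling(rows: list[dict], min_label_len: int = 24,
                   min_entropy: float = 3.5, min_unique: int = 3) -> list[tuple[str, str]]:
    """(client, domain) pairs sending many distinct long, high-entropy leftmost labels."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in rows:
        domain = registered_domain(r["qname"])
        if r["qname"] == domain:
            continue
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len and entropy(first) >= min_entropy:
            seen[(r["client"], domain)].add(first)
    return sorted(k for k, labels in seen.items() if len(labels) >= min_unique)


def find_nxdomain_bursts(rows: list[dict], min_count: int = 3, min_ratio: float = 0.6) -> list[str]:
    """Clients whose lookups mostly fail: DGA malware, or someone enumerating names."""
    total = Counter(r["client"] for r in rows)
    nx = Counter(r["client"] for r in rows if r["rcode"] == "NXDOMAIN")
    return sorted(c for c in nx if nx[c] >= min_count and nx[c] / total[c] >= min_ratio)


def hunt(log: str) -> dict:
    rows = parse(log)
    return {"tunneling": find_tunneling(rows), "nxdomain_bursts": find_nxdomain_bursts(rows)}


if __name__ == "__main__":
    print(hunt(DNS_LOG))
```

Logging responses as well as queries is what makes the NXDOMAIN check possible, which is why the entry says "when enabled": query logging is off by default on most resolvers.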
Data Breach Notification Laws
Data breach notification laws are covered in detail in Chapter 35, "Privacy," but are worthy of mention in our discussion of forensics because the discovery of a breach can occur during a forensic examination. Many forensic investigations are related to the theft of intellectual property, and many times that is also a breach of data protected under privacy laws.
Governance
Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems. This must be done by policy, as it involves a large number of data owners and users.
Retention
Data retention is the management of the data lifecycle with an emphasis on when data reaches its end of useful life for an organization. Maintaining old, excess data that no longer serves a business purpose only represents system risk, and thus should be removed from the system and properly destroyed.
Retention Policies
Data retention is the storage of data records. One of the first steps in understanding data retention in an organization is the determination of what records require storage and for how long.
Devices
Devices are physical items that require access to a network or enterprise system. To have this access, they require credentials just like human users. Unlike human users, devices cannot change their own password, so they are typically given very long passwords to resist guessing and cracking and have longer-than-normal password expiration periods. This makes device accounts natural targets for attackers; while their long passwords may not be crackable, they can be stolen from the device or its configuration. Device accounts should be controlled by policy and monitored as to scope of use.
Disasters
Disasters are major events that cause disruptions. The timescale of the disruption can vary, as can the level of disruption, but the commonality is that the external event that caused the disruption is one that cannot be prevented.
Dump Files
Dump files are copies of what was in memory at a point in time—typically a point when some failure occurred. Dump files can be created by the operating system (OS) when the OS crashes, and these files can be analyzed to determine the cause of the crash. Dump files can also be created by several utilities and then shipped off to a third party for analysis when an application is not behaving correctly. Dump files can contain a wide range of sensitive information, including passwords, cryptographic keys, and more.
E-mail
E-mail is half metadata, half message. For short messages, the metadata can be larger than the message itself. E-mail metadata is in the header of the e-mail and includes routing information, the sender, receiver, timestamps, subject, and other information associated with the delivery of the message.
End of Life (EOL)
End of life (EOL) is the point at which the manufacturer stops selling an item; in most cases maintenance services and updates stop at the same time or shortly after, which is why the term is often used interchangeably with end of support. In some cases, this date is announced in advance as a future date after which support ends. When something enters the EOL phase, it is at the end of its lifecycle and upgrade/replacement needs to be planned and executed. Once a product is past EOL, security patches may or may not still be produced and distributed, so any EOL component still in production should be treated as an unpatched one.
End of Service Life (EOSL)
End of service life (EOSL) is the term used to denote that something has reached the end of its "useful life." When EOSL occurs, the provider of the item or service will typically no longer sell or update it. Sometimes the end of updates will be a specified date in the future. EOSL typically occurs because newer models have been released, replacing the older model. During the EOSL phase, some manufacturers may still offer maintenance options, but usually at a premium price. Old versions of software have had this issue, where critical systems cannot easily be upgraded and instead have contracts with the original vendor to maintain the system past its normal EOSL.
Eradication
Eradication involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine.
Third-Party Risk Management
Every business will have third parties associated with their business operations. Whether these third parties are vendors, suppliers, or business partners, they bring the opportunity for both risk and reward. Third-party risk management is a fairly straightforward process. The first step is to recognize that risks are present. You need to inventory and assess these risks and then develop the mitigations necessary to keep them in an acceptable range. The important concept is that risk does not magically vanish because a third party is involved; it still needs to be managed like all other business risks.
External
External threats come from outside the organization and, by definition, begin without access to the system. Access is reserved for users who have a business need to know and have authorized accounts on the system. Outsiders must first obtain that access, typically by hijacking one of these accounts or exploiting a vulnerability in an exposed service. This extra step and the reliance on external connections typically make external attackers easier to detect.
File
File metadata comes in two flavors: system and application. The file system uses metadata to keep track of the filename as well as the timestamps associated with last access, creation, and last write. The system metadata will include items needed by the OS, such as ownership information, parent object, permissions, and security descriptors.
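An added example that ties this entry to the Acquisition entry above: an evidence manifest that records the file-system metadata described here together with a SHA-256 of each file, and then re-checks the files against it. This is not output from any forensic tool; it writes a small constructed directory tree so it runs offline, and the manifest fields are simply what os.stat reports. Note that merely opening a file to hash it updates its last-access time, which is why real acquisitions are done from a read-only or noatime mount, or from an image.

```python
"""Evidence manifest: file-system metadata plus a SHA-256 per file, and verification against it.

Added example over a constructed temporary directory. Opening files to hash them
touches atime, so in practice this runs against a read-only mount or a forensic image.
"""
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iso(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def file_record(path: str) -> dict:
    st = os.lstat(path)  # lstat describes a symlink itself instead of following it
    return {
        "path": path,
        "size": st.st_size,
        "mode": stat.filemode(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "atime": iso(st.st_atime),
        "mtime": iso(st.st_mtime),
        "ctime": iso(st.st_ctime),   # metadata change time on POSIX, creation time on Windows
        "sha256": sha256_file(path) if stat.S_ISREG(st.st_mode) else None,
    }


def build_manifest(root: str) -> list[dict]:
    """Deterministic walk so two acquisitions of the same tree produce the same manifest order."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            records.append(file_record(os.path.join(dirpath, name)))
    return records


def verify_manifest(manifest: list[dict]) -> list[str]:
    """Paths whose current contents no longer hash to the value recorded at acquisition."""
    return [r["path"] for r in manifest
            if r["sha256"] is not None and sha256_file(r["path"]) != r["sha256"]]


def demo() -> tuple[list[dict], list[str]]:
    """Build a constructed tree, take the manifest, tamper with one file, re-verify."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "memo.txt"), "wb") as f:
        f.write(b"constructed evidence file\n")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"second file\n")
    manifest = build_manifest(root)
    with open(os.path.join(root, "notes.txt"), "ab") as f:   # post-acquisition modification
        f.write(b"altered\n")
    return manifest, verify_manifest(manifest)


if __name__ == "__main__":
    manifest, changed = demo()
    for r in manifest:
        print(f"{r['mode']} {r['size']:>6} {r['mtime']} {r['sha256'][:16]}  {r['path']}")
    print("changed since acquisition:", changed)
```

The manifest, hashed and signed, is what lets a later reviewer show that the files examined are the files collected; the timestamps in it are the ones investigators build timelines from.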
Finance
Finance is in many ways the final arbiter of all activities because it is how we keep score. We can measure the gains through sales and profit, and we can measure the losses through unmitigated risks. We can take most events, put a dollar value on them, and settle the books. Where this becomes an issue is when the impacts exceed the expected costs associated with the planned residual risks because then the costs directly impact profit. Impacts to a business ultimately become a financial impact. What starts as a missed patch allows ransomware to infiltrate a system. This results in a business impact that eventually adds costs, which should have been avoided.
Firmware
Firmware is a set of software that is associated with a physical device. Firmware exists for almost every electronic device, not just computers; for example, firmware exists for USB devices.
Role-Based Training
For training to be effective, it needs to be targeted to the user with regard to their role in the subject of the training. While all employees may need general security awareness training, they also need specific role-based awareness training in areas where they have individual responsibilities. Role-based training with regard to information security responsibilities is an important part of information security training.
Key Frameworks
Frameworks provide a means of assessing the path through the maze of regulatory requirements and how they relate to risk management. One of the challenging aspects of cybersecurity operations is determining where one should concentrate efforts, how resources should be deployed, and what balance of emphasis to place between short-term and long-term items to optimize efforts on risk mitigation.
Gamification
Gamification is the use of games to facilitate user training. This methodology has several interesting advantages. First, it makes rote learning of training material less boring. Second, it enables a more comprehensive situation-based approach to training, with consequences of bad decisions being shared with those taking the training. Third, it allows for group training by using people's job functions in a manner that facilitates both learning and auditing of the policies and procedures in a non-threatening environment.
Stakeholder Management
Having a stakeholder management process, including defined personnel roles and responsibilities, is essential for managing both internal and external stakeholders and their relationships during incidents.
International Organization for Standardization (ISO) 27001/27002/27701/31000
ISO 27001 is the international standard defining an information security management system (ISMS). ISO 27001 is one of many related standards in the 27000 family. ISO 27002 is a document that defines security techniques and a code of practice for information security controls. ISO 27701 is a privacy extension to the 27000 series and adds the requirements to establish and maintain a privacy information management system. The ISO 31000 series is a set of guidelines, principles, framework, and process for managing risk. ISO 31000 addresses all forms of risk and management, not just cybersecurity risk.
Identification
Identification is the process where a team member suspects that a problem is bigger than an isolated incident and notifies the incident response team for further investigation.
Multiparty
In traditional risk management, the driving factor under consideration is risk to one's own enterprise. In a traditional two-party system (an attacker versus a firm), the risk equations are fairly easy to determine and optimize. But when a system has multiple parties, each with its own risk determinations, the management of the overall risk equation gets complicated. If a firm is negotiating to make a major system change, and all the stakeholders are within the firm, then it is still considered a single party, but if the financing for the project is from another firm, and subcontractors are involved, other party determinations of acceptable risk levels become an issue very quickly.
Inherent Risk
Inherent risk is defined as the amount of risk that exists in the absence of controls. This can be confusing, as the definition of "no controls" could include no access controls, no door locks, no personnel background checks—in essence an environment that would equate to everything becoming high risk.
Life
Injury and loss of life are outcomes that backups cannot address, and their consequences outweigh any other impact. As part of a business impact analysis (BIA), you would identify the systems whose failure could endanger people and ensure that they are highly redundant, to avoid any impact to life.
Integrity
Integrity is a very important concept in security because it refers to the veracity of a data element. Has there been an unauthorized change to an element, or can one trust its current value? This works well as a concept, but how is this actually instantiated in a system? It is done through the use of cryptographic hashes, checksums, and data provenance.
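An added example for this entry and for the Hashing and Checksums entries above. It is not code from the text: the additive checksum is written here only to show the cancelling-errors weakness the Checksums entry describes, while the CRC and SHA-256 come from Python's standard library. It corrupts a constructed record in two ways and reports which integrity check notices which corruption.

```python
"""Checksum vs. CRC vs. cryptographic hash as integrity checks.

Added example. additive_checksum is a deliberately simple checksum written to show
compensating errors; zlib.crc32 and hashlib.sha256 are the real implementations.
"""
from __future__ import annotations

import hashlib
import hmac
import zlib


def additive_checksum(data: bytes) -> int:
    """Sum of all bytes modulo 256: fast, and catches any single-bit flip."""
    return sum(data) % 256


def crc32(data: bytes) -> int:
    """CRC-32: catches every single-bit error and every error burst up to 32 bits long."""
    return zlib.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash: any change gives a different digest, and no one can craft a collision."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Copy of data with one bit flipped: simulated corruption or tampering."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so the verifier itself does not leak where a mismatch is."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


# Constructed sample record.
ORIGINAL = b"transfer 100 to account 4242"
# One bit flipped in the '1' (0x31 -> 0x30): "transfer 000 ...". Every check sees it.
ONE_FLIP = flip_bit(ORIGINAL, 9, 0)
# Two compensating edits: '1'->'0' at index 9 (-1) and '0'->'1' at index 10 (+1).
# The byte sum is unchanged, so the additive checksum passes a record that now says 010.
TWO_FLIPS = flip_bit(flip_bit(ORIGINAL, 9, 0), 10, 0)


def detects(check, original: bytes, corrupted: bytes) -> bool:
    return check(original) != check(corrupted)


def integrity_report() -> dict[str, dict[str, bool]]:
    """Which check notices which corruption."""
    checks = {"checksum": additive_checksum, "crc32": crc32, "sha256": sha256_hex}
    return {
        "single_bit": {name: detects(fn, ORIGINAL, ONE_FLIP) for name, fn in checks.items()},
        "compensating": {name: detects(fn, ORIGINAL, TWO_FLIPS) for name, fn in checks.items()},
    }


if __name__ == "__main__":
    for case, results in integrity_report().items():
        print(case, results)
    print("sha256 verifies original:", verify_sha256(ORIGINAL, sha256_hex(ORIGINAL)))
    print("sha256 verifies tampered:", verify_sha256(TWO_FLIPS, sha256_hex(ORIGINAL)))
```

The CRC catches this particular pair because the two changed bits sit within one 32-bit window; a determined attacker can still forge a CRC, which is why only the cryptographic hash (or a keyed MAC, when the hash itself could be replaced) is evidence of integrity rather than of the absence of accidents.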
Internal
Internal threats include disgruntled employees and well-meaning employees who make mistakes or have an accident. Internal threats tend to be more damaging, as the perpetrator has already been granted some form of access. The risk is related to the level of access and the value of the asset being worked on. For instance, if a system administrator working on the domain controller accidentally erases a critical value and crashes the system, it can be just as costly as an unauthorized outsider performing a DoS attack against the enterprise.
IPFIX
Internet Protocol Flow Information Export (IPFIX) is an IETF protocol that's the answer to the proprietary Cisco NetFlow standard.
Investigations
Investigations are used to determine what happened, who did what, and what elements of an information system have been affected by some specific event or series of events. The elements that need to be investigated for unauthorized activity and changes include both the data elements in the system and the system itself. There can be a wealth of diagnostic and investigatory data collected as part of an ongoing security operation or developed in response to an incident. This chapter looks at how to utilize these sources of data to support an investigation and shed light on what actually happened to both the system and the data it processed.
Third Party
Just as users inside a firm require credentials to access systems, there are situations where third parties also require credentials. Whether credentials for a system or physical access, third-party credentials should be managed by policies to ensure they are issued when needed to the correct parties, and when access is no longer needed, they are revoked appropriately.
Legacy Systems
Legacy systems are older, pre-existing systems. But age really isn't the issue—the true issue behind what makes a system a legacy system is the concept of technical debt. Technical debt is the cost incurred over time as a result of not maintaining a system completely.
Log Files
Log files are a primary source of information during an investigation. Software can record in log files a wide range of information as it is operating.
Event Logs
Event logs are logs that document any unsuccessful events and the most significant successful events.
Web Server
Many different web servers are used in enterprises, but the market leaders are Microsoft, Apache, and Nginx. By definition, web servers offer a connection between users (clients) and web pages (data being provided), and as such they are prone to attacks.
Mean Time Between Failures (MTBF)
Mean time between failures (MTBF) is a common measure of the reliability of a system and is an expression of the average time between system failures. The time between failures is measured from the time a system returns to service until the next failure. The MTBF is the arithmetic mean of the times between failures over a set of system failures.
Mean Time to Repair (MTTR)
Mean time to repair (MTTR) is a common measure of how long it takes to repair a given failure. This is the average time, and it may or may not include the time needed to obtain parts. The CompTIA Security+ Acronyms list indicates mean time to recover as an alternative meaning for MTTR. In either case, MTTR is calculated as follows: MTTR = (total downtime) / (number of breakdowns)
Measurement Systems Analysis (MSA)
Measurement systems analysis (MSA) is a field of study that examines measurement systems for accuracy and precision. Before an enterprise relies on measurement systems, it is important to understand whether the chosen measurement system is acceptable for its intended use, to understand the different sources of variation present in it and to identify and understand sources of bias, errors, and factors associated with repeatability and reproducibility.
Metadata
Metadata is data about data. A file entry on a storage system has the file contents plus metadata, including the filename, creation, access, and update timestamps, size, and more.
Mobile
Mobile devices generate, store, and transmit metadata. Common fields include when a call or text was made, whether it was an incoming or outgoing transmission, the duration of the call or the text message's length (in characters), and the phone numbers of the senders and recipients.
NXLog
NXLog is a multiplatform log management tool designed to assist in the use of log data during investigations. NXLog has connectors to most major applications and can act as a log collector, forwarder, aggregator, and investigative tool for searching through log data.
NetFlow/sFlow
NetFlow and sFlow are protocols designed to capture information about packet flows (that is, a sequence of related packets) as they traverse a network. NetFlow is a proprietary standard from Cisco. Flow data is generated by the network devices themselves, including routers and switches. sFlow is more suited for statistical traffic monitoring. Cisco added statistical monitoring to NetFlow on its high-end infrastructure routers to deal with the traffic volumes.
Network Infrastructure Devices
Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly. Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them.
Network
Network logs tend to have a duplication issue as packets can traverse several devices, giving multiple, nearly identical records. Removing duplicate as well as extraneous data is the challenge with network logging, but the payoff can be big because proper logging can make tracing attackers easier.
Nondisclosure Agreement (NDA)
Nondisclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties. NDAs are frequently used to delineate the level and type of information, and with whom it can be shared. NDAs can be executed between any two parties where one party wishes that the material being shared is not further shared, enforcing confidentiality via contract.
NDA
Nondisclosure agreements were covered previously in this chapter, and they work in the same fashion with respect to third parties. Whenever information is shared with a party, inside or outside the company, if the sharing entity wishes to have contractual terms to limit sharing or disclosure, an NDA is used.
Nonrepudiation
Nonrepudiation is a characteristic that refers to the inability to deny an action has taken place. This can be a very important issue in transactions via computers that involve money or things of value.
Diversity of Training Techniques
Not all learners learn in the same fashion; some people learn by seeing, some people learn better by hearing. Almost everyone learns better by doing, but in some areas, doing a task is not practical or feasible. The bottom line is that there is a wide range of training methods, and for the best results it is important to match the training method to the material. In the previous section, several different training methods were covered, including gamification, capture-the-flag exercises, and simulations. There are even more methods to round out a wide diversity of training solutions, including in-person lectures, online content, and practice-based skill development. The key is to match the material to the method and to the learners, and then test outcomes to ensure successful training has been achieved.
Offboarding
Offboarding refers to the processes and procedures used when an employee leaves an organization. From a security perspective, the offboarding process for personnel is very important. Employee termination needs to be modified to include termination or disablement of all accounts, including those enabled on mobile devices. It's not uncommon to find terminated employees with accounts or even company devices still connecting to the corporate network months after being terminated. E-mail accounts should be removed promptly as part of the employee termination policy and process. Mobile devices supplied by the company should be collected upon termination. Bring-your-own-device (BYOD) equipment should have its access to corporate resources terminated as part of the offboarding process. Regular audits for old or unterminated accounts should be performed to ensure prompt deletion or disablement of accounts for terminated employees. Exit interviews can be powerful tools for gathering information when people leave an organization.
Journalctl
On Linux systems, the initial daemon that launches the system is called systemd. When systemd creates log files, it does so through the systemd-journald service. Journalctl is the command that is used to view these logs. To see the various command options for journalctl, you should consult the man pages on the system. Here is an example of a journalctl command to view logs for a given system service: journalctl -u ssh
Environmental
One of the largest sources of threats is from the environment. Environmental changes can come from a wide variety of sources—weather, lightning, storms, and even solar flares—and these can cause changes to the system in a manner that disrupts normal operations. These changes can increase risk. While IT security measures cannot change the environmental factors that can impact operations, they can have an effect on the risk associated with the environmental issue. Making systems resilient can reduce impacts and mitigate these sources of risk to the enterprise. And there are times when these effects can be felt at a distance; for instance, how can you back up to a remote site if the remote site is down due to power outage as a result of a fallen branch from a storm?
Device
One of the most common device acquisitions is USB storage devices. These devices are used to transport files between machines and are common in any case where the removal of information is suspected. A number of artifacts can be tied to USB device usage on a system, including when it was connected, link files and prefetch items on the drive, and who was logged in to the machine at the time of use.
Least Privilege
One of the most fundamental principles in security is least privilege, which means that an object (which may be a user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions. Limiting privileges limits the amount of harm the object can cause, thus limiting the organization's exposure to damage. Users should only have access to the information and systems necessary to perform their job duties. Enforcing the principle of least privilege helps an organization protect its most sensitive resources and helps ensure that whoever is interacting with these resources has a valid reason to do so.
Mandatory Vacation
Organizations have been providing vacation time for their employees for many years. Until recently, however, few organizations forced employees to take this time if they didn't want to. Some employees are given the choice to either "use or lose" their vacation time, and if they do not take all of their time, they'll lose at least a portion of it. Many arguments can be made as to the benefit of taking time off, but more importantly, from a security standpoint, an employee who never takes time off is a potential indicator of nefarious activity. Employees who never take any vacation time could be involved in activity such as fraud or embezzlement and might be afraid that if they leave on vacation, the organization would discover their illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacation can be a security protection mechanism. Using mandatory vacation as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary person.
Person-made
Person-made threats are those that are attributable to the actions of a person. But these threats aren't limited to hostile actions by an attacker; they include accidents by users and system administrators. Users can represent one of the greatest risks in an IT system. More files are lost by accidental user deletion than by hackers deleting files, and to the team trying to restore the lost files, the attribution has no bearing on the restoration effort. User actions, such as poor cyber hygiene and password reuse, have been shown to be the starting point for many major cybersecurity events over the past several years. A system administrator who improperly configures a backup, with the error discovered only when the backup is needed and there is no data on it to recover, can easily cause a disaster. It is not a result of hostile activity, but destructive nonetheless. Proper controls to manage the risk to a system must include controls against both accidental and purposeful acts.
Background Checks
Personnel are key to security in the enterprise. Hiring good personnel has always been a challenge in the technical field, but it is equally important to hire trustworthy people, especially in key roles that have greater system access. Performing routine background checks provides the HR team with the information needed to make the correct decisions. Background checks can validate previous employment, criminal backgrounds, financial background, and even social media behavior. Depending on the industry, firm, and position, different elements from these areas may be included.
Phishing Campaigns
Phishing campaigns are a series of connected phishing attacks against an organization. Since phishing is an operational method of social engineering, the greater the level of institutional, organizational, and personal knowledge one possesses about the target, the greater the chance of success. Phishing campaigns use this knowledge to increase their odds, rather than just randomly attacking targets. This is why internal communications concerning phishing attempts are important: they alert other users that the system may be under attack and that a heightened sense of awareness towards this form of attack is warranted.
Tags
Physical serialized tags are attached to each item, and the tag number is used to identify a specific item. Frequently the items are then stored in anti-static bags to protect them from damage.
Organizational Policies
Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization's position on some issue. Procedures are the step-by-step instructions on how to implement policies in the organization.
Preparations
Preparation is the phase of incident response that occurs before a specific incident. Preparation includes all the tasks needed to be organized and ready to respond to an incident.
Clean Desk Space
Preventing access to information is also important in the work area. Firms with sensitive information should have a clean desk policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise. The clean desk policy should identify and prohibit things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.
Property
Property damage can be the result of unmitigated risk. Property damage to company-owned property, property damage to property of others, and even environmental damage from toxic releases in industrial settings are all examples of damage that can be caused by IT security failures.
Provenance
Provenance is a reference to the origin of data. In the case of digital forensics, it is not enough to present a specific data element as "proof"; one must also show where it came from. Provenance is specific, as in where on a file structure and where on a device; in most cases, there will be multiple representations, as in the file structure with respect to where a file resides and with respect to the OS (logical) and its location on a physical drive in sectors (physical).
Qualitative
Qualitative risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. Qualitative risk assessment usually involves the use of expert judgment and models to complete the assessment. This type of risk assessment is highly dependent on expert judgment and experience and can also suffer from biases. The risk matrix/heat map presented earlier is an example of a qualitative risk model.
Quantitative
Quantitative risk assessment is the process of objectively determining the impact of an event that affects a project, program, or business. Quantitative risk assessment usually involves the use of metrics and models to complete the assessment.
Random-Access Memory (RAM)
Random-access memory (RAM) is the working memory of the computer that handles the current data and programs being processed by the CPU. This memory, once limited to a single megabyte, now commonly consists of 4 GB or more.
Time Offset
Record time offset is the difference in time between the system clock and the actual time. Computers keep their own internal time, but to minimize record time offset, most computers sync their time over the Internet with an official time source.
Data Recovery
Recovery in a digital forensics sense is associated with determining the relevant information for the issue at hand—simply stated, recover the evidence associated with an act.
Recovery
Recovery is the process of returning the asset into the business function and restoring normal business operations.
Recovery Point Objective (RPO)
Recovery point objective (RPO), a totally different concept from RTO, is the time period representing the maximum period of acceptable data loss. The RPO defines the frequency of backup operations necessary to prevent unacceptable levels of data loss. A simple example of establishing RPO is to answer the following questions: How much data can you afford to lose? How much rework is tolerable?
Regulations That Affect Risk Posture
Regulations can have a dramatic effect on risk exposure. Sometimes that effect is a direct action of a regulation, such as financial firms being forced by regulators to have certain levels of encryption to protect certain types of processes. Other times it is less direct, as in specific monitoring required for reporting, and firms change operations to avoid having to report. The breadth of regulations is wide, but some of the common ones associated with cybersecurity include Sarbanes-Oxley, various financial regulations on protecting data, and Payment Card Industry Data Security Standard (PCI-DSS) for credit card data.
Interviews
Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness can't answer affirmatively when asked, "Did you lock the file system?" Or, when asked, "When you imaged this disk drive, did you use a new system?", the witness can't answer that the destination disk was new or had been completely formatted using a low-level format before data was copied to it. Witness preparation can be critical in a case, even for technical experts. As human memory is not as long lasting as computer files, it is important to get witness testimony and collect that data as early as possible. Having them write down what they remember immediately is very helpful in preserving memory.
Reports
Reports are the official descriptions of the forensic data. Reports can have a variety of elements—from pure descriptive information, such as machine/device identifiers (make, model and serial number), to information on the data, including size and hash values.
Risk Appetite
Risk appetite is the term used to describe a firm's tolerance for risk. Even within a sector, with companies of the same size, operating in roughly the same areas, there can be differences in the level of risk each feels comfortable in accepting.
Risk Awareness
Risk awareness is knowledge of risk and its consequences. Risk awareness is essential for a wide range of personnel, with the content tailored to their contributions to the enterprise.
Mitigation
Risk can also be mitigated through the application of controls that reduce the impact of an attack. Controls can alert operators so that the level of exposure is reduced through process intervention. When an action occurs that is outside the accepted risk profile, a second set of rules can be applied, such as calling the customer for verification before committing a transaction. Controls such as these can act to reduce the risk associated with potential high-risk operations.
Risk Analysis
Risk Control Self-Assessment
Risk control self-assessment is a technique that employs management and staff of all levels to identify and evaluate risks and associated controls. This information is collected and analyzed to produce a more comprehensive map of risks and the controls in place to address them.
Risk Management Strategies
Risk management can best be described as a decision-making process. Risk management strategies include elements of threat assessment, risk assessment, and security implementation concepts, all positioned within the concept of business management.
Risk Management
Risk management is a core business function of an enterprise because it is through the risk management process that an enterprise can maximize its return on investments. Understanding the business impact of operations associated with the enterprise is key for business success. This can be accomplished using a business impact analysis. Using the data from the analysis, coupled with a threat analysis and a risk assessment process, the enterprise can come to an understanding of the sources of the risk elements it faces and their level of intensity.
Risk Types
Risks can come from a wide range of sources. One way to organize different risks is to categorize them into a series of types. CompTIA Security+ recognizes the following six risk types: external, internal, legacy systems, multiparty, IP theft, and software compliance/licensing. These different types are not exclusive and will be discussed in the following sections.
SIEM Dashboards
SIEM (security information and event management) dashboards are the windows into the SIEM datastore, a collection of information that can tell you where attacks are occurring and provide a trail of breadcrumbs to show how the attacker got into the network and moved to where they are now. SIEM systems act as the information repository for information surrounding potential and actual intrusions.
Session Initiation Protocol (SIP) Traffic
SIP traffic logs are typically in the SIP Common Log Format (CLF), which mimics web server logs and captures the details associated with a communication (such as to and from).
Safety
Safety is the condition of being protected from or unlikely to cause danger, risk, or injury. Safety makes sense from both a business risk perspective and when you consider the level of concern one places for the well-being of people.
Security
Security logs are logs kept by the OS for metadata associated with security operations.
Sensitivity
Sensitivity is the quality of being quick to detect or respond to slight changes, signals, or influences.
Sensor
Sensors are the devices that provide security data into the security datastore.
Separation of Duties
Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened.
Service Accounts
Service accounts are special accounts that are used to provision permissions for services, that is, for system activity that is not initiated by a human. Many computer systems have automated services that function either as part of, or in addition to, the operating system to enable certain functionalities.
Platform/Vendor-Specific Guides
Setting up secure services is important to enterprises, and some of the best guidance comes from the manufacturer in the form of platform/vendor-specific guides. These guides include installation and configuration guidance, and in some cases operational guidance as well.
Software Compliance/Licensing
Software is everywhere; it forms the functional backbone of our systems. Software is obtained under licenses and, in many cases, on trust. Copies of many software products can be made and used without licenses, and this creates software compliance/licensing risk. This form of risk is best battled using policies and procedures that prohibit the activity, followed by internal audits that verify compliance with the policies.
SSAE SOC 2 Type I/II
Statement on Standards for Attestation Engagements (SSAE) is a set of auditing standards set by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. SOC stands for Service Organization Controls. A SOC 2 report focuses on the internal controls at an organization related to compliance or operations, wrapped around the five trust principles (security, confidentiality, processing integrity, availability, and privacy).
Strategic Intelligence/Counterintelligence
Strategic intelligence gathering is the use of all resources to make determinations. This can make a large difference in whether or not a firm is prepared for threats. The same idea fits into digital forensics. Strategic intelligence can provide information that limits the scope of an investigation to a manageable level.
Data
System integration with internal and third parties frequently involves the sharing of data. Data can be shared for the purpose of processing or storage. Control over data is a significant issue in third-party relationships. Numerous questions need to be addressed. For example, the question of who owns the data—both the data shared with third parties and subsequent data developed as part of the relationship—is an issue that needs to be established.
Types of Exercises
Tabletop: look up
Walkthrough: look up
Simulation: look up
Parallel: an actual test of an IRP on a secondary, nonproduction system.
Full-Scale: an actual test on the production system. Not performed during peak production times or at the risk of data loss.
Center for Internet Security (CIS)
The Center for Internet Security (CIS) is a nonprofit organization that serves the cybersecurity community in a number of ways. It is the guardian of the CIS controls—a set of the top 20 security controls that should be implemented as a baseline of cybersecurity risk management.
Cloud Controls Matrix
The Cloud Controls Matrix (CCM) is a meta-framework of cloud-specific security controls, mapped to leading standards, best practices, and regulations. This document uses 16 domains to cover 133 security control objectives to address all key aspects of cloud security. The controls listed in this document are mapped to the main industry security standards, including ISO 2700X series, NIST SP 800-53, PCI DSS, ISACA COBIT, and many others.
Reference Architecture
The Cloud Security Alliance has an Enterprise Architecture Working Group (EAWG) that has developed the Enterprise Architecture for cloud deployments and services. This framework serves as both a methodology and a set of tools that can be utilized by security architects, enterprise architects, and risk management professionals. The objective of the framework is to develop and leverage a common set of solutions that enable the assessment of where internal IT operations and their cloud providers are in terms of security capabilities. The framework can also be used to plan a roadmap to meet the cloud security needs of the enterprise.
Cyber Kill Chain
The Cyber Kill Chain is a model developed by Lockheed Martin as a military form of engagement framework.
1. Reconnaissance: Research and identify targets.
2. Weaponization: Exploit vulnerabilities to enter.
3. Delivery: Deliver the payload (evil content).
4. Exploitation: Begin the payload attack on the system and gain entry.
5. Installation: Implement backdoors, persistent access, bots, and so on.
6. Command and Control: Communicate to outside servers for control purposes.
7. Action on Objective: Obtain the objective of the attack (for example, steal intellectual property).
The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis is a cognitive model used by the threat intelligence community to describe a specific event. It is based on the notion that an event has four characteristics, each comprising a corner of the diamond, as shown in Figure 27-2. Taken together, these elements describe an event.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR), which was a sweeping rewrite of European privacy regulations, went into effect in May of 2018. The GDPR requires significant consideration, including the following:
• Assess personal data flows from the EU to the U.S. to define the scale and scope of the cross-border privacy-compliance challenge.
• Assess readiness to meet model clauses, remediate gaps, and organize audit artifacts of compliance with the clauses.
• Update privacy programs to ensure they are capable of passing an EU regulator audit.
• Conduct EU data-breach notification stress tests.
• Monitor changes in EU support for model contracts and binding corporate rules.
MITRE ATT&CK
The MITRE ATT&CK framework is a comprehensive matrix of attack elements, including the tactics and techniques used by attackers on a system. This framework can be used by threat hunters, red teamers, and defenders to better classify attacks and understand the sequential steps an adversary will be taking when attacking a system.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)/Cybersecurity Framework (CSF)
The National Institute of Standards and Technology (NIST) provides recommended strategies to the U.S. government and others on how to handle a wide range of issues, including risk from cybersecurity issues. The approach taken by NIST is one built around the management of organizational risk through a risk management framework (RMF) associated with cybersecurity activities. The NIST RMF is composed of more than 10 publications, spanning virtually every activity associated with cybersecurity.
Operating System (OS)
The OS, or operating system, is a base computer program that acts as the manager of all activity on a system.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules governing how credit card data is to be protected (see the sidebar "PCI DSS Objectives and Requirements"). The current version is 3.2, which was released in April 2016. The next version, 4.0, was expected in late 2020, but has been delayed due to the worldwide COVID-19 pandemic. PCI DSS is a voluntary, private sector initiative that is prescriptive in its security guidance.
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update antivirus software or programs.
Requirement 6: Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Identify and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
6. Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel.
Web
The Web provides a means of moving information between browsers and servers. There are a variety of protocols involved and a variety of sources of metadata.
Annualized Rate of Occurrence (ARO)
The annualized rate of occurrence (ARO) is a representation of the frequency of the event, measured in a standard year. If the event is expected to occur once in 20 years, then the ARO is 1/20. Typically, the ARO is defined by historical data, either from a company's own experience or from industry surveys. Continuing our example, assume that a fire at this business's location is expected to occur about once in 20 years. Given this information, the ALE is
Asset Value
The asset value (AV) is the amount of money it would take to replace an asset. This term is used with the exposure factor (EF), a measure of how much of an asset is at risk, to determine the single-loss expectancy (SLE).
Cyber Incident Response Team (CIRT)
The cyber incident response team (CIRT) is composed of the personnel who are designated to respond to an incident. The incident response plan should identify the membership and backup members, prior to an incident occurring.
Chain of Custody
The following are the critical steps in a chain of custody:
1. Record each item collected as evidence.
2. Record who collected the evidence along with the date and time it was collected or recorded.
3. Write a description of the evidence in the documentation.
4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
5. Record all message digest (hash) values in the documentation.
6. Securely transport the evidence to a protected storage facility.
7. Obtain a signature from the person who accepts the evidence at this storage facility.
8. Provide controls to prevent access to and compromise of the evidence while it is being stored.
9. Securely transport the evidence to court for proceedings.
Impact
The impact of an event is a measure of the actual loss when a threat exploits a vulnerability. Federal Information Processing Standard (FIPS) 199 defines three levels of impact using the terms high, moderate, and low. The impact needs to be defined in terms of the context of each organization, as what is high for some firms may be low for much larger firms.
Incident Response Process
The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are broad and varied, as they have to deal with numerous causes and consequences.
On-premises vs. Cloud
The issue associated with on-premises versus cloud with respect to forensics is one dominated by access. When storage or computing is happening on another party's computing platform, as in the cloud, whether physically at another site or on premises, access is governed by the contracts and agreements covering the relationship.
Likelihood of Occurrence
The likelihood of occurrence is the chance that a particular risk will occur. This measure can be qualitative or quantitative, as just discussed. For qualitative measures, the likelihood of occurrence is typically defined on an annual basis so that it can be compared to other annualized measures. If defined quantitatively, it is used to create rank-order outcomes.
Right to Audit Clauses
The only rights the customer has are detailed in the service level agreements/contracts with the cloud provider. This makes the Right to Audit clause a critical requirement of any service level agreement, and its specificity needs to match the operational and regulatory scope of the cloud engagement.
OS
The operating system (OS) is the interface for the applications that we use to perform tasks and the actual physical computer hardware.
Continuity of Operation Planning (COOP)
The overall goal of continuity of operation planning (COOP) is to determine which subset of normal operations needs to be continued during periods of disruption.
Residual Risk
The presence of risks in a system is an absolute—they cannot be removed or eliminated. As mentioned previously in this chapter, four actions can be taken to respond to risk: accept, transfer, avoid, and mitigate. Whatever risk is not transferred, mitigated, or avoided is referred to as residual risk and, by definition, is accepted. You cannot eliminate residual risk, but you can manage risk to drive residual risk to an acceptable level.
Change Management
The purpose of change management is to ensure proper procedures are followed when modifications to the IT infrastructure are made. These modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, and improvements to the infrastructure.
Social Media Analysis
The rise of social media networks and applications has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.
Single-Loss Expectancy (SLE)
The single-loss expectancy (SLE) is the value of a loss expected from a single event. It is calculated using the following formula:
SLE = asset value (AV) × exposure factor (EF)
Exposure factor (EF) is a measure of the magnitude of loss of an asset. For example, to calculate the exposure factor, assume the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for a business, and the complete loss of the center would take away about half of the capability of the company. Therefore, the exposure factor is 50 percent, and the SLE is calculated as follows:
$2 million × 0.5 = $1 mi
Swap/Pagefile
The swap or pagefile is a structure on a system's disk to provide temporary storage for memory needs that exceed a system's RAM capacity. The operating system has provisions to manage the RAM and pagefile, keeping in RAM what is immediately needed and moving excess to the pagefile when RAM is full.
Recovery Time Objective (RTO)
The term recovery time objective (RTO) is used to describe the target time that is set for the resumption of operations after an incident. This is a period of time that is defined by the business, based on the needs of the business. A shorter RTO results in higher costs because it requires greater coordination and resources. This term is commonly used in business continuity and disaster recovery operations.
Syslog/Rsyslog/Syslog-ng
Syslog, rsyslog, and syslog-ng are three variations of syslog that all permit the logging of data from different types of systems in a central repository. Syslog stands for System Logging Protocol and is a standard protocol used in Linux systems to send system log or event messages to a specific server, called a syslog server. Rsyslog is an open source variant of syslog that follows the syslog specifications but also provides additional features such as content-based filtering. Syslog-ng is another open source implementation of the syslog standard. Syslog-ng also extends the original syslog model with elements such as content filtering.
Timestamps
Timestamps are metadata entries associated with artifacts in a computer system. While a log entry may have a timestamp, some items can have multiple timestamps, stored in multiple locations.
Risk Analysis
To effectively manage anything, there must be appropriate measurements to guide the course of actions. In the case of risk, this is also true. To manage risk, there needs to be a measurement of loss, and potential loss, and much of this information comes by way of risk analysis. Risk analysis is performed via a series of specific exercises that reveal presence and level of risk across an enterprise. Then, through further analysis, the information can be refined to a workable plan to manage the risk to an acceptable level.
Phishing Simulations
To help users learn and identify phishing attacks, there are methods of running phishing simulations against users. A phishing attempt is sent to a user, and should they fall prey to it, the system notifies the user that this was only a drill and that they should be more cautious. This also creates a teachable moment where the user can receive training detailing exactly why they should have spotted the phishing attempt.
Transference
Transference of risk is when the risk in a situation is covered by another entity. As mentioned previously in this book in the context of issues such as cloud computing, contracts and legal agreements denote which parties are assuming which risks.
Trends
Trends are a series of data points that indicate a change over time. Trends can be increasing, decreasing, cyclical, or related to variability.
User Training
User training is important to ensure that users are aware of and are following appropriate policies and procedures as part of their workplace activities. As in all personnel-related training, two elements need attention. First, retraining over time is necessary to ensure that personnel keep proper levels of knowledge. Second, as people change jobs, a reassessment of the required training is needed, and additional training may be required. Maintaining accurate training records of personnel is the only way this can be managed in any significant enterprise.
Personnel
Users, or personnel, require credentials to access specific system resources as part of their job duties. Management of who gets what credentials is part of the access and authorization management system and should be managed via a credential policy. The details behind credentials and policies for access control are covered in Chapter 24, "Implement Authentication and Authorization."
Vendors
Vendors are firms or individuals that supply materials or services to a business. These items are purchased as part of a business process and represent some form of a value proposition for the firm purchasing them. But with the value can also come risk. For instance, if an item has embedded code to make it operate, what if the embedded code has vulnerabilities? What if an item that is purchased for a specific purpose fails to meet its specifications? There's a wide range of risks that can be introduced by vendors, and these need to be examined and handled in accordance with standard risk management processes.
System
Virtually every operating system creates system logs. These logs can provide a very detailed history of what actions were performed on a system.
VoIP and Call Managers
Voice over IP (VoIP) solutions and call manager applications enable a wide range of audio and video communication services over the Internet. These systems can log a variety of data, including call information
Vulnerability Scan Output
Vulnerability scans find weaknesses in security. Nessus is an example of a vulnerability scanner.
Walkthroughs
Walkthroughs examine the actual steps that take place associated with a process, procedure, or event. Walkthroughs are in essence a second set of eyes, where one party either explains or demonstrates the steps to perform a task while a second person observes.
Web
Web servers respond to specific, formatted requests for resources with responses, whether in the form of a web page or an error. And all of this activity can be logged. Web servers are specifically deployed to do this task, but they are also targets of attacks—attacks that try to run malicious scripts, perform DDoS attacks, perform injection and cross-site scripting attacks, and more. Web log files can help identify when these activities are occurring.
Disk
When collecting digital evidence, it is important to use proper techniques and tools. Some of the key elements are the use of write blockers when making forensic copies, hashing and verifying hash matches, documenting handling and storage, and protecting media from environmental change factors. Of particular note is that the data present on a system can be a function of both the file system and the hardware being employed. A physical hard disk drive (HDD) will persist data longer than a solid state drive (SSD). And the newer file systems with journaling and shadow copies can have longer persistence of information than older systems such as File Allocation Table-based (FAT-based) systems. Raw disk blocks can be recovered in some file systems long after data has been rewritten or erased, due to the nature of how the file systems manage the data.
Acceptance
When you're analyzing a specific risk, after weighing the cost to avoid, transfer, or mitigate the risk against the probability of its occurrence and its potential impact, the best response may be to accept the risk. For example, a manager may choose to allow a programmer to make "emergency" changes to a production system (in violation of good separation of duties) because the system cannot go down during a given period of time. The manager accepts that the risk that the programmer could possibly make unauthorized changes is outweighed by the high-availability requirement of that system. However, there should always be some additional controls, such as a management review or a standardized approval process, to ensure the assumed risk is adequately managed.
Regulatory/Jurisdiction
Whether on premises or in the cloud, there will be cases where regulatory or law enforcement actions raise jurisdictional issues. If you have your software development data in the cloud, and the servers/storage elements are in a foreign country, whose laws will apply? It is important to consult with the company's legal counsel to understand the ramifications of data location with respect to forensics and subsequent data use.
Cloud Security Alliance
Born in 2008 and incorporated in 2009, the Cloud Security Alliance issued the first comprehensive best-practice document for secure cloud computing, "Security Guidance for Critical Areas of Focus for Cloud Computing," and has become the industry body for frameworks, benchmarks, and standards associated with cloud computing worldwide. Some of the key documents developed include the Cloud Controls Matrix (CCM), the user credential Certificate of Cloud Security Knowledge (CCSK), the Certified Cloud Security Professional (CCSP) credential (developed jointly with ISC2), and a security framework for government clouds.
Business Continuity Plan
A business continuity plan (BCP) represents the planning and advanced policy decisions to ensure the business continuity objectives are achieved during a time of obvious turmoil.
E-Discovery
E-discovery is the term used for the document and data production requirements as part of legal discovery in civil litigation.
IP Theft
If you ask an IT technician about cybersecurity risk, you might get an answer involving data loss, ransomware, viruses, malware, or fraud. These are mostly technical issues, for this is the world most cybersecurity professionals live in. But ask a CEO the same question, and business items such as intellectual property (IP) theft come up right away. IP theft can seriously damage a company's future health. If a firm spends a lot of resources developing a product or a market and then is undercut by other parties that don't have to spend those resources, sales can disappear and future revenue streams can dry up. Unlike physical assets, digital assets can be stolen merely through copying, and this is the pathway attackers use for IP data. The attacker will attempt to gain access and copy the data, all the while trying to leave no trace, making the theft not at all obvious until a competitor uses the information and fields a "stolen" product in the form of a copy.
Timelines of Sequence of Events
It is common to produce a timeline of specific events that fall within the scope and time boundaries. This timeline will have the specifics, including the metadata to document it, demonstrating the sequence of events as recorded by the computer.
Legal Hold
Once you realize your organization needs to preserve evidence, you must use a legal hold, or litigation hold, which is the process by which you properly preserve any and all digital evidence related to a potential case.
Order of Volatility
You should pay attention to the order of volatility, or lifetime of the data, so that you can prioritize your collection efforts after a security incident to ensure you don't lose valuable forensic evidence. In some cases, you may have only one chance to collect volatile data, after which it becomes lost forever. Following is the order of volatility of digital information in a system:
1. CPU, cache, and register contents (collect first)
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system/swap space
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media/backups (collect last)
Admissibility
• Sufficient evidence: The evidence must be convincing or measure up without question.
• Competent evidence: The evidence must be legally qualified and reliable.
• Relevant evidence: The evidence must be material to the case or have a bearing on the matter at hand.
• Best evidence rule: Courts prefer original evidence rather than a copy, to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred. In some instances, an evidence duplicate can be accepted, such as when the original is lost or destroyed by a natural disaster or in the normal course of business. A duplicate is also acceptable when a third party beyond the court's subpoena power possesses the original. Copies of digital records, where proof of integrity is provided, can in many cases be used in court.
• Exclusionary rule: The Fourth Amendment to the U.S. Constitution precludes unreasonable search and seizure. Therefore, any evidence collected in violation of the Fourth Amendment is not admissible as evidence. Additionally, if evidence is collected in violation of the Electronic Communications Privacy Act (ECPA) or other related violations of the U.S. Code, or other statutes, it may not be admissible to a court. For example, if no policy exists regarding the company's intent to monitor network traffic or systems electronically, or if such a policy exists but employees have not been asked to acknowledge it by signing an agreement, sniffing employees' network traffic could be a violation of the ECPA.
• Hearsay rule: Hearsay is secondhand evidence—evidence offered by the witness that is not based on the personal knowledge of the witness but is being offered to prove the truth of the matter asserted. Hearsay is inadmissible unless it falls under one of the many recognized exceptions (such as those delineated in FRE 803). Typically, computer-generated evidence is considered hearsay evidence, as the maker of the evidence (the computer) cannot be interrogated. Exceptions are being made where items such as logs and headers (computer-generated materials) are being accepted in court. Computer evidence is typically brought into a case by an expert witness who can speak for the data and what it means.