Domain_07: Security Operations
-
Administrative Management
-
Security and Network Personnel
-
tasks
-
• Implements and maintains security devices and software
-
• Carries out security assessments
-
• Creates and maintains user profiles and implements and maintains access control mechanisms
-
• Configures and maintains security labels in mandatory access control (MAC) environments
-
• Manages password policies
-
• Reviews audit logs
-
-
-
Accountability
-
Audit
-
Log Files
-
Monitoring
-
Audit Trails
-
Sampling
-
Sampling
-
Statistical sampling
-
Clipping
-
-
-
-
Foundational Security Operations Concepts
-
Need-to-Know Access
-
Least privilege principle
-
Separation of duties (SoD) (Preventive control)
-
Two-person control
-
Split knowledge
-
Job rotation (deterrent and detection)
-
Mandatory Vacations (deterrent and detection)
-
Privileged account management (PAM)
-
Service level agreement (SLA)
-
Duress systems
-
-
Physical Security
-
Facility Access Control
-
Locks
-
Mechanical Locks
-
the warded lock
-
the tumbler lock
-
three types of tumbler locks
-
Wafer tumbler locks
- (also called disc tumbler locks)
-
Combination locks
-
Cipher locks
-
programmable locks
-
functionalities
-
• Door delay
-
• Key override
-
• Master keying
-
• Hostage alarm
-
-
-
-
-
Circumventing Locks
-
Device Locks
-
capabilities
-
• Switch controls
-
• Slot locks
-
• Port controls
-
• Peripheral switch controls
-
• Cable traps
-
-
-
-
Lock Strengths
-
• Grade 1: Commercial and industrial use
-
• Grade 2: Heavy-duty residential/light-duty commercial
-
• Grade 3: Residential/consumer
-
-
Electronic Locks
-
Keypad Locks
-
Biometric Locks
-
Smart Locks
-
-
-
-
Personnel Access Controls
-
Electronic access control (EAC) tokens
-
piggybacking
-
Identification and authentication can be verified by matching an anatomical attribute (biometric system), using smart or memory cards (swipe cards), presenting a photo ID to a security guard, using a key, or providing a card and entering a password or PIN
-
-
External Boundary Protection Mechanisms
-
control types
-
• Access control mechanisms: Locks and keys, an electronic card access system, personnel awareness
-
• Physical barriers: Fences, gates, walls, doors, windows, protected vents, vehicular barriers
-
• Intrusion detection: Perimeter sensors, interior sensors, annunciation mechanisms
-
• Assessment: Guards, CCTV cameras
-
• Response: Guards, local law enforcement agencies
-
• Deterrents: Signs, lighting, environmental design
-
-
Fencing
-
• Fences three to four feet high only deter casual trespassers.
-
• Fences six to seven feet high are considered too high to climb easily.
-
• Fences eight feet high (possibly with strands of barbed or razor wire at the top) mean you are serious about protecting your property. They often deter the more determined intruder.
-
-
Bollards
-
Lighting
-
Surveillance Devices
-
Visual Recording Devices
-
closed-circuit TV (CCTV)
-
• The purpose of CCTV: To detect, assess, and/or identify intruders
-
• The type of environment the CCTV camera will work in: Internal or external areas
-
• The field of view required: Large or small area to be monitored
-
• Amount of illumination of the environment: Lit areas, unlit areas, areas affected by sunlight
-
• Integration with other security controls: Guards, IDSs, alarm systems
-
-
charge-coupled devices (CCDs)
-
Two main types of lenses
-
fixed focal length
-
zoom (varifocal).
-
-
depth of field
-
-
-
Intrusion Detection Systems
-
IDSs can be used to detect changes
-
• Beams of light
-
• Sounds and vibrations
-
• Different types of fields (microwave, ultrasonic, electrostatic)
-
• Electrical circuit
-
• Motion
-
-
Electromechanical systems
-
A photoelectric system
- photometric system
-
passive infrared (PIR) system
-
acoustical detection system
-
Wave-pattern motion detectors
-
proximity detector, or capacitance detector
-
-
Patrol Force and Guards
-
Dogs
-
Auditing Physical Access
-
Internal Security Controls
-
-
The Incident Management Process
-
Reference Image
- Incident Management Steps
-
incident response team
-
• A list of outside agencies and resources to contact or report to.
-
• An outline of roles and responsibilities.
-
• A call tree to contact these roles and outside entities.
-
• A list of computer or forensic experts to contact.
-
• A list of steps to take to secure and preserve evidence.
-
• A list of items that should be included in a report for management and potentially the courts.
-
• A description of how the different systems should be treated in this type of situation.
-
-
Computer Emergency Response Team (CERT)
-
The Cyber Kill Chain
-
- Reconnaissance
-
- Weaponization
-
- Delivery
-
- Exploitation
-
- Installation
-
- Command and Control (C&C)
-
- Actions on the Objective
-
-
Detection
-
Response
-
Mitigation
-
Reporting
-
• Summary of the incident
-
• Indicators
-
• Related incidents
-
• Actions taken
-
• Chain of custody for all evidence (if applicable)
-
• Impact assessment
-
• Identity and comments of incident handlers
-
• Next steps to be taken
-
-
Recovery
-
Remediation
-
-
Personal Safety Concerns
-
Emergency Management
-
Occupant emergency plan (OEP)
-
fail-safe device
-
Duress
-
Travel
-
best practices
-
• Ask for a room on the second floor.
-
• Ask for and keep a hotel business card on your person at all times in case you have to call the local police or embassy and provide your location in an emergency.
-
• Secure valuables in the in-room safe.
-
• Always use the security latch on the door when in the room.
-
• Keep your passport with you at all times when in a foreign country.
-
-
-
Training
-
-
-
Network and Resource Availability
-
keeping that information available
-
• Redundant hardware
-
• Fault-tolerant technologies
-
• Service level agreements (SLAs)
-
• Solid operational procedures
-
-
Mean Time Between Failures (MTBF)
- is a measure of how long we expect a piece of equipment to operate reliably.
- implies that the device or component is repairable
-
-
mean time to failure (MTTF)
-
-
Mean time to repair (MTTR)
- is the expected amount of time it will take to get a device fixed and back into production after its failure
-
Single Points of Failure
-
Redundant array of independent disks (RAID)
-
Direct access storage device (DASD)
-
massive array of inactive disks (MAID)
-
Redundant array of independent tapes (RAIT)
-
storage area network (SAN)
-
Clustering
-
Grid Computing
-
-
Backups
- Hierarchical storage management (HSM)
-
Contingency Planning
-
Summary of Technologies that Improve Resource Availability
-
• Redundant servers
-
• RAID, MAID, RAIT
-
• Direct access storage device
-
• Storage area networks
-
• Clustering
-
• Grid computing
-
• Backups
-
-
-
Incident Management Framework
-
Detection
- Identify - Monitoring tools, IPs, firewalls, users, notifications
-
Response
- Triage - is it really an incident? (decision to declare incident)
-
Mitigation
- Correction & containment (malware: disconnect device)
-
Reporting
- to relevant stakeholders, customers, legal, and regulatory
-
Recovery
- Return to normal operations
-
Remediation
- Root cause is addressed
-
Lessons Learned
- Helps the org deal with recurrence, improves the IR process
-
DRMRRRL
-
-
Information Lifecycle
-
Create
-
Classify
-
Store
-
Use
-
Archive
-
Destroy
-
-
Evidence gathering Steps (Ediscovery)
-
Information Governance
-
Identification
-
Preservation
-
Collection
-
Processing
-
Review
-
Analysis
-
Production
-
Presentation
-
-
Liability and Its Ramifications
-
Liability
-
Due Care
-
Due Diligence
-
-
Liability Scenarios
-
Personal Information
-
Hacker Intrusion
-
-
Third-Party Risk
-
Contractual Agreements
-
• Outsourcing agreements
-
• Hardware supply
-
• System maintenance and support
-
• System leasing agreements
-
• Consultancy service agreements
-
• Website development and support
-
• Nondisclosure and confidentiality agreements
-
• Information security management agreements
-
• Software development agreements
-
• Software licensing
-
-
Procurement and Vendor Processes
-
vendor management governing process
-
Request for Proposals (RFP)
-
-
-
Preventing and Detecting
-
Vulnerability Management
-
Vulnerability Scanner
-
Vulnerability Assessments
-
-
Penetration tests
-
Patch Management
-
Unmanaged Patching
-
• Credentials
-
• Configuration management
-
• Bandwidth utilization
-
• Service availability
-
-
Centralized Patch Management
-
• Agent based
-
• Agentless
-
• Passive
-
-
-
Blocking Malicious Code
-
Anti malware software
-
Policies
-
Education
-
-
Sandboxing
-
Honeypots and Honeynets
-
Egress Monitoring
-
Security information and event management (SIEM)
-
Secure Provisioning
-
Outsourced Services
-
managed security services providers (MSSPs)
-
• Requirements
-
• Understanding
-
• Reputation
-
• Costing
-
• Liability
-
-
-
-
Investigations
-
Computer Forensics and Proper Collection of Evidence
-
Scientific Working Group on Digital Evidence (SWGDE)
-
attributes
-
• Consistency with all legal systems
-
• Allowance for the use of a common language
-
• Durability
-
• Ability to cross international and state boundaries
-
• Ability to instill confidence in the integrity of evidence
-
• Applicability to all forensic evidence
-
• Applicability at every level, including that of individual, agency, and country
-
-
principles
-
- When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
-
- Upon the seizing of digital evidence, actions taken should not change that evidence.
-
- When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
-
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
-
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
-
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
-
-
-
-
Motive, Opportunity, and Means
-
Computer Criminal Behavior
-
Incident Investigators
-
Different Types of Assessments an Investigator Can Perform
-
Network analysis
-
• Traffic analysis
-
• Log analysis
-
• Path tracing
-
-
Media analysis
-
• Disk imaging
-
• Timeline analysis (modify, access, create times)
-
• Registry analysis
-
• Slack space analysis
-
• Shadow volume analysis
-
-
Software analysis
-
• Reverse engineering
-
• Malicious code review
-
• Exploit review
-
-
Hardware/embedded device analysis
-
• Dedicated appliance attack points
-
• Firmware and dedicated memory inspections
-
• Embedded operating systems, virtualized software, and hypervisor analysis
-
-
-
Types of Investigations
-
Administrative
-
Criminal
-
Civil
-
Regulatory
-
-
The Forensic Investigation Process
-
• Identification
-
• Preservation
-
• Collection
-
• Examination
-
• Analysis
-
• Presentation
-
• Decision
-
-
Forensics Field Kits
-
• Documentation tools: Tags, labels, and time-lined forms
-
• Disassembly and removal tools: Antistatic bands, pliers, tweezers, screwdrivers, wire cutters, and so on
-
• Package and transport supplies: Antistatic bags, evidence bags and tape, cable ties, and others
-
-
Surveillance, Search, and Seizure
-
Surveillance
-
Physical surveillance
-
Computer surveillance
-
-
-
-
Attacks
-
Common DoS Attacks
-
SYN flood attack
- which disrupts the TCP three-way handshake.
-
Smurf attack
- employs an amplification network to send numerous response packets to a victim.
-
Ping of death attack
- sends numerous oversized ping packets to the victim, causing the victim to freeze, crash, or reboot.
-
-
Botnets
-
- a collection of compromised computing devices (often called bots or zombies).
-
Bot Herder
- criminal who uses a command and control server to remotely control the zombies; often uses the botnet to launch attacks on other
-
-
Espionage & Sabotage
-
Espionage (External)
- when a competitor tries to steal information, and they may use an internal employee.
-
Sabotage (Insider)
- malicious insiders can perform sabotage against an org if they become disgruntled for some reason
-
-
Zero-Day exploits
- an attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people.
-
Computer Crime
-
Categories of computer crime
-
Military and intelligence attacks
-
Business attacks
-
Financial attacks
-
Terrorist attacks
-
Grudge attacks
-
Thrill attacks
-
-
-
-
Types of Evidence
-
Real Evidence
- which can be brought into the court (e.g., a murder weapon)
-
Documentary
-
Written Evidence - Agreement
-
Best - Original copy
-
Parol - Written Agreement
-
Secondary Evidence - copy of original document
-
-
-
Testimonial
- Verbal Witness
-
Hearsay
- Indirect (Whisper, computer log)
-
-
Insurance
-
Cyber insurance
-
business interruption insurance
-
-
Disaster Recovery
-
Concept
-
maximum tolerable downtime (MTD)
-
recovery time objective (RTO)
-
work recovery time (WRT)
-
-
Relation
-
Business Process Recovery
-
• Required roles
-
• Required resources
-
• Input and output mechanisms
-
• Workflow steps
-
• Required time for completion
-
• Interfaces with other processes
-
-
Recovery Site Strategies
-
• Hot site
-
• Warm site
-
• Cold site
-
Reciprocal Agreements
-
Redundant Sites
-
-
Supply and Technology Recovery
-
Hardware Backups
-
Software Backups
-
-
Backup Storage Strategies
-
Online backup
-
full backup
-
differential process backup
-
incremental process backup
-
-
Electronic Backup Solutions
-
Remote Mirroring
-
Electronic vaulting
- takes place in batches and moves the entire file that has been updated.
-
remote journaling
- takes place in real time and transmits only the file deltas
-
-
Choosing a Software Backup Facility
-
Documentation
-
Human Resources
-
-
End-User Environment
-
Availability
-
High availability (HA)
-
technology terms
-
• Facility (cold, warm, hot, redundant, rolling, reciprocal sites)
-
• Infrastructure (redundancy, fault tolerance)
-
• Storage (RAID, SAN, mirroring, disk shadowing, cloud)
-
• Server (clustering, load balancing)
-
• Data (tapes, backups, vaulting, online replication)
-
• Business processes
-
• People
-
-
-
-
-
User entitlements & access reviews
-
Implementing Disaster Recovery
-
a goal must contain certain key information
-
• Responsibility
-
• Authority
-
• Priorities
-
• Implementation and testing
-
-
Personnel
-
• Damage assessment team
-
• Recovery team
-
• Relocation team
-
• Restoration team
-
• Salvage team
-
• Security team
-
-
Assessment
-
procedures
-
• Determine the cause of the disaster.
-
• Determine the potential for further damage.
-
• Identify the affected business functions and areas.
-
• Identify the level of functionality for the critical resources.
-
• Identify the resources that must be replaced immediately.
-
• Estimate how long it will take to bring critical functions back online.
-
• If it will take longer than the previously estimated MTD values to restore operations, then a disaster should be declared and the BCP should be put into action.
-
-
criteria
-
• Danger to human life
-
• Danger to state or national security
-
• Damage to facility
-
• Damage to critical systems
-
• Estimated value of downtime that will be experienced
-
-
-
Restoration
-
to the alternate site
-
• Ensuring the safety of employees
-
• Ensuring an adequate environment is provided (power, facility infrastructure, water, HVAC)
-
• Ensuring that the necessary equipment and supplies are present and in working order
-
• Ensuring proper communications and connectivity methods are working
-
• Properly testing the new environment
-
-
salvage team
-
• Back up data from the alternate site and restore it within the new facility.
-
• Carefully terminate contingency operations.
-
• Securely transport equipment and personnel to the new facility.
-
-
-
Communications
-
emergency communications plan
- Primary, Alternate, Contingency, and Emergency (PACE) communications plans
-
-
Training
-
-
BCP_DR
-
Plan
-
Initiation Phase
-
Activation Phase
-
Recovery Phase
-
Reconstruction Phase
-
Appendices
-
-
Tests
-
Checklist
-
Structured Walkthrough / Tabletop
-
Simulation
-
Parallel
-
Full Interruption - (Most Disruptive, Risky)
-
-
Recovery
-
Hot
-
Fully configured with HW, SW
-
Data, Security
-
Only Missing Staff
-
where MTD - Critical & Urgent
-
Most expensive
-
-
Warm
-
Power, HVAC & Communications
-
Procure additional HW
-
MTD - Important & Normal
-
-
Cold
-
Power & HVAC
-
Procure HW
-
Procure Communications
-
Cheapest but longest recovery
-
MTD - Nonessential
-
Most Common - False Sense of Security
-
-
Rolling / Mobile
-
Reciprocal Agreement
-
-
Steps
-
NIST-800-14
-
- Develop BCP
-
- Conduct BIA
-
- Select Interviewees
-
- Create data gathering techniques
-
- Identify critical business functions
-
- Identify Dependent resources
-
- Calc MTD - Max Tolerable Downtime
-
- Identify Vulnerabilities
-
- Calculate Risks
-
- Document findings & reports
-
- ID Preventative Controls
-
- Develop recovery strategies
-
- Develop Contingency Plan
-
- Test w/training & Exercise
-
- Maintain Plan
-
-
-
-
New technologies
-
Threat Intelligence
- threat feeds
-
user and entity behavior analytics (UEBA)
-
next generation firewalls
-
web application firewalls
-
use of machine learning and artificial intelligence
-
-
Power
-
Clean
- Nonfluctuating, pure power
-
Generator
- Long term source
-
UPS
- Short Term Battery
-
Spike
- Momentary High Voltage
-
Surge
- Prolonged High Voltage
-
Brownout
- Prolonged Low Voltage
-
Sag
- Momentary Low Voltage
-
Fault
- Momentary Loss of Power
-
Blackout
- Complete loss of power
-