D7: Security Operations Flashcards
Incident Scene
- ID the scene
- Protect the environment
- ID evidence and potential sources of evidence
- Collect evidence - hash +
- Minimize the degree of contamination
Locard’s Exchange Principle - perps leave something behind
Evidence Types
- Sufficient: persuasive enough to convince one of its validity
- Reliable: consistent with fact, evidence has not been tampered with or modified
- Permissible: evidence obtained lawfully; avoid unlawful search and seizure, secret recording, privacy violations, forced confessions, and other unlawful means of obtaining evidence
- Preserved and Identifiable: collection; reconstruction
Identification: labeling, recording serial number, etc.
Evidence must be preserved and identifiable
*Collection, documentation, classification, comparison, reconstruction
Evidence Lifecycle
- Discovery
- Protection
- Recording
- Collection and Identification
- Analysis
- Storage, preservation, transportation
- Present in Court
- Return to Owner
Witnesses that evidence is trustworthy - description of procedures, normal business method of collection, error precaution and correction
Best Evidence
- Primary Evidence - is used at trial because it is the most reliable.
- original documents are used to document things such as contracts
- NO COPIES!!!!
- Oral is not the best evidence though it may provide interpretation of documents
Secondary Evidence
- Not as strong as Primary
- it is not permitted if the Best Evidence is available
- Oral evidence (like witness testimony)
Direct Evidence
- Direct evidence can prove a fact by itself and does not need any type of backup evidence.
- Does NOT need other evidence to substantiate.
- Testimony from a witness - one of their 5 senses.
- Oral evidence is a type of secondary evidence so the case can’t simply stand on this alone.
Conclusive Evidence
- irrefutable and cannot be contradicted
- requires no other corroboration
Circumstantial Evidence
- used to help assume another fact
- cannot stand on its own to directly prove a fact
Corroborative Evidence
- supports or substantiates other evidence presented in a case
Hearsay Evidence
- something a witness hears another one say.
- business records are hearsay and all that is printed or displayed
- EXCEPTION: audit trails and business records when the documents are created in normal course of business
Interviewing
Gather facts and determine the substance of the case
Interrogation
Evidence retrieval method, ultimately obtain a confession
The Process / Due Process
Involves:
- prep of questions and topics
- puts witness at ease
- summarize information or interview/interrogation plan
Other Notes:
- have one person as lead and 1-2 others involved as well
- never interrogate or interview alone
Opinion Rule
Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case
*context - Federal Rules of Evidence (FRE), a court will permit a person who isn’t testifying as an expert to testify in the form of an opinion if it’s both rationally based on their perception and helps to explain the witness’s testimony
Expert Witnesses
Used to educate the jury and can be used as evidence
Six Principles for Digital Evidence Technicians
- When dealing with digital evidence, all general forensic and procedural principles must be applied
- Upon seizing digital evidence, actions taken should not change the evidence
- When it is necessary for a person to access original digital evidence, that person should be trained for that purpose.
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence while the evidence is in their possession
- Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.
Media Analysis
Identification and extraction of information from storage media. May include:
- Magnetic Media - hard disks, tapes
- Optical Media - CDs, DVDs, Blu-ray discs
- Memory - RAM, solid state storage
Techniques used for media analysis may include:
- recovery of deleted files from unallocated sectors of the physical disk
- the live analysis of storage media connected to a computer system (esp. useful when examining encrypted media)
- the static analysis of forensic images of storage media.
Software Analysis
Forensic review of applications or the activity that takes place within a running application.
May need to review and interpret log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.
When malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs or other vulns.
Hardware / Embedded Device Analysis
Forensic analysts often must review the contents of hardware and embedded devices.
This may include a review of personal computers & smartphones
Admissible Evidence
- The evidence must be relevant to determining a fact, and the fact must be material/related to the case
- Evidence must have been obtained legally aka competent
- Evidence that results from an illegal search would be inadmissible because it is not competent.
Five Rules of Evidence
- Be authentic - evidence ties back to the scene
- Be accurate - maintain authenticity and veracity
- Be complete - all evidence collection, for and against view
- Be convincing - clear & easy to understand for jury
- be admissible - be able to be used in court
Forensic Disk Controller
Write blocking - intercepts write commands sent to the device and prevents them from modifying data on the device
Return data requested by a read operation
Return access-significant information from device
Reporting errors from device to forensic device.
LOGS TAKEN IN NORMAL COURSE OF BIZ
MOM
Means, opportunity and motive
Victimology
Why certain people are victims of a crime, and how lifestyle affects the chances that a certain person will fall victim to a crime
Investigation Types
Operational
Criminal
Civil
eDiscovery
Slack Space
Slack space on a disk should be inspected for hidden data and should be included in Disk Image
3 Branches of Law
Legislative: writing laws (statutory laws)
Executive: enforces laws (administrative laws)
Judicial: Interpret laws (common laws from court decisions)
Criminal Law
Individuals that violate government law
Punishment mostly imprisonment
Civil Law
Wrongs against individual or organization that result in a damage or loss.
Punishment can include financial penalties
Tort Law (I’ll Sue You!) Jury will decide liability
Administrative/Regulatory Law
How the industries, organizations and officers have to act.
Wrongs can be penalized with imprisonment or financial penalties
Uniform Computer Information Transactions Act (UCITA)
Federal Law that provides a common framework for the conduct of computer-related business transactions.
UCITA contains provisions that address software licensing
The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing by giving them status as legally binding contracts
3 Types of Harm of Computer Crimes
- Unauthorized intrusion
- Unauthorized alteration or destruction
- Malicious Code
Admissible evidence
relevant, sufficient, reliable, does not have to be tangible
Enticement
the legal action of luring an intruder, like in a honeypot
Entrapment
the illegal act of inducing a crime, the individual had no intent of committing the crime at first
Federal Sentencing Guidelines
provides judges and courts procedures on the prevention, detection and reporting
Security Incident and Event Management (SIEM)
Automating much of the routine work of log review
Provides real-time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic.
Intrusion
Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.
Intrusion Detection
A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
Intrusion Detection System (IDS)
Automates the inspection of logs and real-time system events to detect intrusion attempts and system failures.
An effective method of detecting many DoS and DDoS attacks
Can recognize external attacks e.g. from the internet or attacks that spread internally like a malicious worm.
Detections will trigger alarms and alerts, and sometimes will modify the environment to stop an attack
IDS is part of defense-in-depth security plan - it will work with, and complement other security mechs like firewalls, but it does not replace them.
Intrusion Prevention System IPS
Intrusion prevention system includes all capabilities of an IDS, but can also take additional steps to stop or prevent intrusions - admins can disable the features of an IPS, and it becomes an IDS
Data Loss Prevention (DLP)
Data loss prevention systems attempt to detect and block data exfiltration attempts.
The systems have the capability of scanning data looking for keywords and data patterns.
Can look for sensitive information stored on hard drives
Network-based DLP
Scans all outgoing data looking for specific data.
Admin would place it on the edge of the network to scan all data leaving the organization
If a user sends out a file containing restricted data, the DLP system will detect and prevent it from leaving the organization
The DLP system will send an alert such as an email to an administrator
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices such as printers
An organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer
3 states of information
Data at rest (storage)
Data in transit (the network)
Data being processed (must be decrypted) / in use / end point
Configuration Item (CI)
Component whose state is recorded
Version: recorded state of the CI
Configuration
Collection of component CI’s that make another CI
Building
Assembling a version of a CI using component CI’s
Building list
Set of versions of component CI's used to build a CI
CI Software Library
Controlled area only accessible for approved users
Recovery Procedures
System should restart in secure mode
Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
Fault-tolerant
Continues to function despite failure
Fail Safe System
Program execution is terminated and the system protected from compromise when a hardware or software failure occurs (usually refers to doors)
Fail Closed/Secure
The most conservative from a security perspective
Fail Open
????
Fail Hard - BSOD
Human to see why it failed??
Fail Soft or Resilient System
Reboot, selected, non-critical processing is terminated when failure occurs
Failover
Switches to hot backup
Fail Safe vs. Fail Secure
FAIL SAFE: doors UNLOCK
FAIL SECURE: doors LOCK
Trusted Path
Protects data between users and a security component
Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities
A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange
ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY
Security Events vs. Security Incidents vs. Security Intrusion
Events: anything that happens; can be documented, verified and analyzed.
Incidents: event(s) that adversely impact the ability of an organization to do business. A suspected attack
Intrusion: evidence attacker attempted or gained access to