Domain 7, Security Operations Flashcards
BCP
Business continuity Plan. Long term plan to ensure the continuity of business ops.
Collusion
Agreement between two or more individuals to subvert a security system.
Continuity of Operations Plan - COOP
Plan to maintain ops during a disaster.
Disaster
Disruptive event that interrupts normal system operations
Disaster recovery plan DRP
Short term plan to recover from a disruptive event.
MTBF
Mean time between failures
MTTR
Mean time to repair/recover
Mirroring
RAID - Duplication of data to another disk
RAID
Redundant array of inexpensive disks
Striping
Spread data across multiple disks.
Slack space
Unused space left over when a file of size X-1 is allocated a block of size X.
Bad Blocks/Clusters
Unusable sectors
Live forensics
Seeing what’s in live memory
Meterpreter
Powerful Metasploit payload.
Network forensics
study of data in motion.
Forensic software analysis
Deconstruct malware and software. Use a VM to detonate malware.
Embedded Device Forensics
IoT and Other Handheld devices
Electronic Discovery
Help lawyers with discovery process via Electronic Discovery tools
CSIRT
Computer Security Incident Response Team
800-61r2
NIST Incident Handling Guide
4 step lifecycle
800-61r2 lifecycle Step 1
Prep
800-61r2 lifecycle Step 2
Detection and Analysis
800-61r2 lifecycle Step 3
Containment, Eradication, and recovery
800-61r2 Step 4
Post-incident Activity
IR MGMT Step 1
Prep
Training, policies, procedures, checklist
IR MGMT Step 2
Detection, AKA identification
Events -> Incident
IR MGMT Step 3
Response
IR MGMT Step 4
Mitigation, aka Eradication
Root Cause Analysis
Get rid of the bad things
IR MGMT Step 5
Reporting
Not really a step, this happens throughout the process
IR MGMT Step 6
Recovery
Restore systems and ops
Increase monitoring
IR MGMT Step 7
Remediation. Long-term strategic activity designed to eradicate the root cause of the identified incident.
IR MGMT Step 8
Lessons Learned. Should be documented in a formal process and assigned as action items with accountability.
Intrusion Detection System
Detects intrusions
IDS True Positive
alerts on an actual issue
IDS True Negative
Doesn’t alarm on something that it doesn’t need to alarm on.
IDS False positive
Trips on something that it shouldn’t on.
IDS False Negative
Doesn’t trip on something it should trip on.
NIDS NIPS
Network intrusion detection,
Network intrusion prevention system
HIDS HIPS
Host Intrusion detection
Host intrusion prevention
Knowledge-based IDS/IPS
AKA Signature based, AKA Pattern-matching
Compares events to static signatures of known attacks.
Behavior-based IDS/IPS
Creates a baseline for what activities/events are considered normal. Once baseline is determined, it can now detect ‘abnormal’ activities
Anomaly detection
Finds a baseline of normal traffic, then anomaly detection IDS ignores normal traffic.
Will alert when it sees odd traffic.
Continuous monitoring
Assessing and reassessing as an ongoing process.
DLP
data loss prevention.
class of solutions used to detect and prevent data from leaving the org
Application Whitelisting
Only run what is permitted
Sandboxing
Separate running programs, in an effort to mitigate system failures from spreading.
Test untested or untrusted programs.
Detonate malware in a VM.
Asset/Configuration management
Hardened baselines and configs.
Establishes the baseline of an information technology environment that includes a secure baseline
Baselining
Capture a snapshot of the current system security config. Establishes an easy means for capturing the current system config.
Vulnerability management
scan in a way to discover poor configs and missing patches in an environment, with an emphasis on managing those vulnerabilities.
Zero day vulnerability
no identified patch or workaround.
Zero day exploit
Exploit methods are available for a vulnerability that has not yet been patched.
Change management
Track and audit changes to configuration files. Assess risks of changes.
SLA
Service level agreement
Stipulates all expectations regarding the behavior of the department or organizations.
Orgs must negotiate all security terms of the service level agreement.
Full Backup
Complete copy. Duplicates every file regardless of the archive bit. Once complete, archive bit on every file is reset, turned off, or set to 0.
Incremental backup
archives files that have changes since last full or incremental backup. Only files that have the archive bit turned on (set to 1) are duplicated. Once complete, archive bit on every file is reset, turned off, or set to 0.
Differential Backup
archives files that have changes since last full (but NOT INCREMENTAL) backup. Only files that have the archive bit turned on (set to 1) are duplicated. DOES NOT CHANGE ARCHIVE BIT once done.
RAID 0
Stripes two or more disks to improve performance, but NOT fault tolerance.
RAID 1
Mirrors, uses two disks both with the same exact data. Provides fault tolerance. Lower write speeds, but potentially higher read speeds.
RAID 3
NOT IN CBK. Byte level striping with dedicated parity
RAID 4
NOT IN CBK. Block lvl striping with dedicated parity
RAID 5
Striping with parity. Uses three or more disks, with one disk holding parity information. Parity allows reconstruction to occur after disk failure via mathematical calculations.
RAID 6
Same as RAID 5, but with two parity disks.
Mirroring
Writes same data to multiple hard disks.
Writes are slower read is faster. Costly
Striping
Spread data across multiple hard disks.
Reads and writes can be performed in parallel across multiple disks.
Performance increase on reads and writes
RAID 10
Nested RAID. Configuration is a striped set of mirrors. Uses at least 4 disks, but can support more as long as an even number of disks are added.
Can tolerate multiple disk failures, as long as one drive in each mirror continues to operate.
BCP
business continuity plan. Long term plan to ensure continuity of business ops
Business level scope
DRP
Disaster recovery plan
Short term plan to recover from a disruptive event.
IT oriented scope
MTTR
Mean time to repair.
Natural disaster
Weather, earthquake
Human
Malware, assault, large portions of workforce leaving.
Environmental
HVAC fails, power outage
DRP Process - respond
Begin processing the damage
Initial assessment
DRP Process - Activate team
Activate team
DRP Process - Communicate
Comms must be out of band. Ensure timely updates. Org should be prepared for external comms.
DRP Process - Assess
More detailed and thorough assessment
Assess damage
Team could recommend ultimate restoration/reconstitution at different site
DRP Process -Reconstitution
Recover business ops at primary or secondary site.
Salvage team activated at primary facility
Develop a BCP/DRP
- Project initiation
- Scope the project
- Business impact analysis
- Identify preventive controls
- Recovery strategy
- Plan design and development
- Implementation, training, and testing
- BCP/DRP maintenance
NIST 800-34
NIST contingency planning guide.
BCP/DRP Planning Project Initiation Milestones
7
- Develop contingency plan
- Conduct business impact analysis
- Identify preventive controls
- develop recovery strategies
- Develop IT contingency plan
- Plan testing, training, exercises
- Plan maintenance of documents
Continuity planning project team
Team set up to determine responsibilities and objectives of continuity plan.
RTO
Recovery time objective. How quickly a system can be brought back online; its integrity has not yet been verified at that point.
WRT
Work recovery time. After system is online, time to verify integrity of system.
Executive mgmt - Scoping the project
need exec support for
- initiating the scoping process,
- and also need to sign off on final approval.
- need to exercise due diligence and due care
Assess the critical state
Process to determine which information systems are critical. Difficult to do because how important something is depends solely on who uses it.
When compiling the critical state and asset list, the project manager should note how assets impact the org.
Business impact analysis BIA
correlate IT systems to critical services they support. Aims to quantify the consequence of disruption
BIA Steps
Business impact analysis
- Identify critical assets
- Conduct DRP/BCP focused risk assessment
MTD = ?
Max tolerable downtime = Recovery time objective + Work recovery time
MTD = RTO +WRT
RPO =
recovery point objective, how much data you can afford to lose
MOR =
Minimum operating requirements
usually applies to environmentals.
Redundant site
exact replica, very expensive.
no data loss in event of disaster at primary site
Hot site
Less than one hour of downtime.
Has all infrastructure for resuming normal business operations.
warm site
Most aspects of a hot site, but relies on backups to get systems up and running.
MTD of 1-3 days
Cold site
No equipment, no backup data. Typically just a physical building.
1-3 weeks of MTD
Mutual Aid Agreement
Two businesses promise to cover each other’s business needs in the event of a disaster.
mobile site
data center on wheels.
COOP
Continuity of operations plan. Focuses exclusively on operations.
BRP
Business recovery plan/ business resumption plan
details plan to resume normal operations AFTER recovering from disaster/disruptive event.
picks up after COOP is complete.
CSP
continuity of support plan.
Helpdesk/IT oriented continuity plan.
CIRP
Cyber Incident Response Plan
OEP
Occupant emergency plan
CMP
Crisis Management Plan
Details actions required of management in a disaster.
CCP
crisis communications plan - Plan for communicating to staff in event of a disaster.
Component of CMP
Call trees
each employee is responsible for calling a small number of other employees in event of a disaster.
EOC
Emergency ops center
Vital records
vital documentation needed for normal operations. Licenses, checkbooks, contracts
forensic media analysis
analysis of binary disk images
Root-cause analysis
attempts to determine the underlying weakness or vulnerability.
executive succession plan
determines line of succession in event an executive is unable to lead.
Tape rotation
method to ensure you have long backup windows, but don’t require too much tape.
Electronic vaulting
Batch process of electronically transmitting data that is backed up on a routine schedule to an offsite facility.
Remote journaling
log of all database transactions.
Database Shadowing
Updates a backup DB automatically when the live DB changes. Two or more backup DBs.
Software Escrow
source code is held by an impartial 3rd party in case software vendor goes out of business.
Hardcopy data
on paper data. In hurricane prone areas, businesses often develop a paper-only DRP
DRP Testing
Plan is only as effective as the last time it was updated and tested.
Should be performed at least yearly.
DRP Testing - Read-Through AKA Checklist testing
Review the plan, read the whole thing.
AKA consistency testing. Lists all necessary components. Ensures they’re readily available in event of disaster.
DRP Test, partial and complete business integration
Intentional outage. Can actually cause a real disaster. More common in fully redundant, load balanced operation.
DRP training
DRP specific training to bring employees up to speed.
BCP/DRP Maintenance
must be kept up to date. Must keep pace with all critical IT/Business changes.
Change management
NIST SP 800-34
BCP/DRP Framework from NIST
ISO/IEC 27031
BCP Framework from ISO
ICT
ISO Acronym, Information and Comms Technology
ISMS
ISO Acronym, Information security mgmt system.
ISO/IEC 24762:2008
ISO guide for disaster recovery DRP
BS 25999
Part 1, code of practice
Part 2, Specifications for business continuity
BCI
Business continuity institute
Security Operations
concerned with threats to a production operating environment.
Least Privilege AKA Minimum Necessary Access
Persons should have no more access than is necessary for the performance of their duties.
Need to Know
Even if you have access, if you do not need to know, then you should not access the data. Example, in a MAC environment, even if you have the clearance - if the information isn’t relevant to you then you aren’t ‘need to know’ and shouldn’t have access.
Separation of Duties
Multiple people are required to complete critical or sensitive transactions. The idea is to require multiple people acting unethically for something bad to happen, e.g. the payroll administrator can’t also audit accounting logs.
Rotation of Duties/Job Rotation
Ensures there’s more depth to the organizational skillset. Simply requires that no one person perform critical functions for too long.
Mandatory Leave/Forced Vacation
Prevents an operator from having exclusive use of a system. If they’re doing anything shady - then it will potentially/probably be discovered while they’re out.
NDA
Nondisclosure Agreement.
Legally binds a user to confidentiality.
Background Checks
Helps ensure the quality of a candidate.
Forensic - Allocated space
portions of disk partition marked as containing active data
Forensics - unallocated space
Portions of disk that do not contain active data.
Could have never had data - or simply been marked as unallocated but still contains old information.
Forensics - Slack Space
When the minimum sized block of information isn’t fully used by a piece of information - the remaining space that isn’t usable is called slack space.
Slack space may contain old/unused information, or might be used by attackers.
Forensics - bad blocks/clusters/sectors
Physically unusable space. Attacker might mark space as ‘bad’ in order to use for themselves.
Removable Media controls
Put controls on PCs/routers to bar un-known peripherals (USB drives, keyboards, mice, monitors etc)
DRP Testing - walkthrough/tabletop
virtual/tabletop simulation of DRP to conceptually run through the whole process. Goal to find any gaps or redundancies, erroneous assumptions, etc.
DRP Testing - Simulation test, physical walkthrough drill
Simulate a disaster and have all teams go through the physical motions of response.
DRP Test - Parallel processing
Test recovery at another facility and restore data from a backup. Regular systems are not impacted
DRP Test- partial business interruption AKA Cutover test
Stop activities at main location, start at backup location