Domain 7: Security Operations Flashcards
Incident Response Steps
.Detection .Response .Mitigation .Reporting .Recovery .Remediation .Lessons Learned
Detection
.(aka Identification)
.What are all of the inputs into my incident response process?
.Events > Incidents
Response
.(aka Containment)
.Step-by-step, depending upon classification and severity
.Forensic response?
Mitigation
.(aka Eradication)
.Root cause analysis completed
.Get rid of bad things
Reporting
.More formal here
.Includes incident responders (technical and non-technical)
Recovery
.Restore systems and operations
.Increase monitoring
Remediation
.Broader in context
Lessons Learned
.(aka Post-incident Activity, Post Mortem, Reporting)
Operational Preventive and Detective Controls
.IDS/IPS .Firewall .Security Services .Anti-malware .Honeypot .Sandboxing
Positives and negatives
.True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts.
.True Negative: User surfs the web to an allowed site, and NIDS is silent.
.False Positive: User surfs the web to an allowed site, and NIDS alerts.
.False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent.
Continuous Monitoring
.Assessing and reassessing as an ongoing process
.A modern improvement to legacy Certifications and Accreditations
Data Loss Prevention (DLP)
.Class of solutions used to detect and/or prevent data from leaving the organization
.Host-based, network-based, and application-based solutions
Endpoint Security
.HIDS/HIPS .Antivirus .Application Whitelisting (Most Effective) .Removable Media Controls .Disk Encryption .Privileged Access
Sandboxing
.Security mechanism for separating running programs, usually in an effort to keep system failures and/or software vulnerabilities from spreading.
.Used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
Configuration management
.The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.
.Disabling unnecessary services
.Removing extraneous programs
.Enabling security capabilities
Baselining
.The process of capturing a point-in-time understanding of the current system's security configuration
.Continued baselining is important
Change Management Process Steps
.Identifying a change .Proposing a change .Assessing the associated risk .Testing the change (backout plan) .Scheduling the change .Notifying the impacted parties .Implementing the change .Reporting the results
Backups
Full: a replica of all allocated data on a hard disk
Incremental: only archives files that have changed since the last backup of any kind was performed
Differential: backs up any files that have changed since the last full backup.
Redundant Array of Inexpensive Disks
RAID Levels
RAID 0: Striped Set (No redundancy)
RAID 1: Mirrored Set
RAID 3: Byte level striping with dedicated parity
RAID 4: Block level striping with dedicated parity
RAID 5: Block level striping with distributed parity
RAID 6: Block level striping with double distributed parity
RAID 1+0 or RAID 10:
>Nested RAID or Multi-RAID (one standard RAID level is encapsulated into another)
>Configuration is a striped set of mirrors
RAID - Mirroring
.Used to achieve full data redundancy by writing the same data to multiple disks
.Most costly
RAID - Striping
.Increases the read and write performance by spreading data across multiple hard disks.
>parallelization provides a performance increase but does not aid in data redundancy
RAID - Parity
.Achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance
Business Continuity Planning (BCP)
.Goal is ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced
• Focus on the business as a whole
• A long-term strategy
• Takes into account items such as people, vital records, and processes in addition to critical systems
Disaster Recovery Planning (DRP)
.more tactical in its approach
• Short-term plan for dealing with specific IT-oriented disruptions
• Provides a means for immediate response to disasters
• Does not focus on long-term business impact; short and medium-term disruption.
Errors and omissions
.Considered the single most common source of disruptive events.
.Inadvertently caused by humans
.Data entry mistakes are an example of errors and omissions
Disaster Recovery Process Steps
.Respond .Activate Team .Communicate .Assess .Reconstitution
BCP/DRP Steps (NIST 800-34)
.Project Initiation .Scope the Project .Business Impact Analysis .Identify Preventative Controls .Recovery Strategy .Plan Design and Development .Implementation, Training, and Testing .BCP/DRP Maintenance
Project Initiation
- Develop the contingency planning policy statement: Provides the authority and guidance necessary to develop an effective contingency plan
- Conduct the business impact analysis: Helps identify and prioritize critical IT systems and components
- Identify preventative controls: measures taken to reduce the effects of systems disruptions
- Develop recovery strategies: ensure quick recovery
- Develop IT contingency plan: detailed guidance and procedures for recovering damaged systems
- Plan testing, training, and exercises
- Plan maintenance: plan should be updated regularly
Business Impact Analysis
.Formal method for determining how a disruption to the IT systems of an organization will impact the organization.
.Analysis to identify and prioritize critical IT systems and components
.Objective is to correlate IT system components with the critical services they support
.Aim is to quantify the consequence of a disruption to the system component and how that will affect the organization
.Determine the Maximum Tolerable Downtime (MTD) for an asset
.Also provides information to improve business processes and efficiencies because it details all of the organization's policies and implementation efforts
MTD - Maximum Tolerable Downtime
.Total time that a system can be inoperable before an organization is severely impacted.
.It is also the maximum time it takes to execute the reconstitution phase.
.Comprised of two metrics
>Recovery Time Objective (RTO)
>Work Recovery Time (WRT)
Failure and Recovery Metrics
.Used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure
>Recovery Point Objective (RPO) >Recovery Time Objective (RTO) >Work Recovery Time (WRT) >Mean Time Between Failures (MTBF) >Mean Time To Repair (MTTR) >Minimum Operating Requirements (MOR)
Recovery Point Objective (RPO)
.The amount of data loss or system inaccessibility (measured in time) that an organization can withstand.
.The maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.
Recovery Time Objective (RTO)
Work Recovery Time (WRT)
.RTO: the maximum time allowed to recover business or IT systems (system recovery time)
.WRT: the time required to configure a recovered system.
MTD = RTO + WRT