Domain 7: Security Operations Flashcards
Process at an incident scene
Ensure you identify the scene, protect the environment, identify evidence and potential sources of evidence, collect evidence (hash) and minimise the degree of contamination
Locard’s Exchange Principle
Perpetrator of a crime will bring something into the crime scene and leave with something from it
Sufficient: Evidence
Persuasive enough to convince one of its validity
Reliable: Evidence
Consistent with fact, evidence has not been tampered with or modified
Relevant: Evidence
Relationship to the findings must be reasonable and sensible, proof of crime, documentation of events, proof of acts and methods used, motive proof, identification of acts
Permissible: Evidence
Lawful obtaining of evidence, avoid: unlawful search and seizure, secret recording, privacy violations, forced confessions
Techniques to Identify Evidence
Labeling, recording serial number. Evidence must be preserved and identifiable.
Evidence lifecycle
- Discovery
- Protection
- Recording
- Collection and identification
- Analysis
- Storage, preservation, transportation
- Present in court
- Return to owner
Witnesses that evidence is trustworthy, description of procedures, normal business methods collections, error precaution and correction
Best Evidence
Primary evidence is used at the trial because it is the most reliable. Original documents are used to document things such as contracts. This means NO COPIES. Further, oral evidence is not the best evidence, however, it can be used for interpretation of documents.
Secondary Evidence
Not as strong as best evidence, a copy is not permitted if the original is available. Further examples include, oral evidence like Witness testimony.
Direct Evidence
Can prove fact by itself and does not need any type of backup. Testimony from a witness - one of their five senses. Oral evidence is a type of secondary evidence so the case can’t simply stand on it alone. But it is Direct Evidence and does not need other evidence to substantiate.
Conclusive Evidence
Irrefutable and cannot be contradicted. Requires no other corroboration.
Circumstantial Evidence
Used to help assume another fact, however, cannot stand on its own to directly prove a fact
Corroborative Evidence
Supports or substantiates other evidence presented in a case
Hearsay Evidence
Something a witness hears another one say. Also business records are hearsay and all that’s printed or displayed. One exception to business records: audit trails and business records are not considered hearsay when the documents are created in the normal course of business.
Interviewing
Gather facts and determine the substance of the case
Interrogation
Evidence retrieval method, ultimately obtain a confession
The process - Due Care
- Prepare questions and topics, put witness at ease, summarise information - interview/interrogation plan
- Have one person as lead and 1-2 others involved aswell
- Never interrogate or interview alone
Opinion Rule
Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case
Expert Witnesses
Used to educate the jury, can be used as evidence
Six Principles of Digital Evidence
- Ensure you apply all of the general forensic and procedural principles
- Upon seizing digital evidence, ensure evidence is not changed
- When it is necessary for a person to access original digital evidence, that person should be trained for the purpose
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review
- An individual is responsible for all actions taken to the digital evidence while it is in their possession
- Any agency seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Media Analysis
Involves the identification and extraction of information from storage media, such as hard disks and RAM. This may include recovery of deleted files or static analysis of forensic images of storage media.
Network Analysis
Analysis of network activity, such as network logs, packet captures. Focus is on collecting and correlating information from these disparate sources and produce as comprehensive a picture of network activity as possible.
Hardware/Embedded Device Analysis
Review the contents of hardware and embedded devices, such as phones and laptops.
Admissible Evidence
- Evidence must be relevant to determining a fact
- The fact that the evidence seeks to determine must be material (that is, related) to the case
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Five rules of Evidence
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for and against view
- Be convincing; clear and easy to understand for jury
- Be admissible; be able to be used in court
Forensic Disk Controller
Intercepting and modifying or discarding commands sent to the storage device. This includes:
- Write blocking, intercepting write commands sent to the device and prevents them from modifying data on the device
- Return data requested by a read operation
- Returning access-significant information from device
- Reporting errors from device to forensic host
MOM: Investigation
Means, opportunity and motive. Determine suspects
Victimology
Why certain people are victims of crime and how lifestyle affects the changes that a certain person will fall victim to a crime investigation
Types of Investigation
- Operational
- Criminal
- Civil
- eDiscovery
Slack space
Slack space on a disk should be inspected for hidden data and should be included in a disk image
Common Law
Used in USA, UK, Australia and Canada (judges)
Civil Law
Europe, South America
Islamite and other Religious Laws
Middle East, Africa and Indonesia
USA’s 3 Branches of Law
- Legislative: writing laws (statutory laws)
- Executive: enforces laws (administrative laws)
- Judicial: interprets laws (makes common laws out of court decisions)
3 Categories of Laws
- Criminal Law
- Civil Law
- Administrative/Regulatory Laws
Criminal Law
Individuals that violate Government laws. Punishment is typically imprisonment
Civil Law
Wrongs against individual or organisation that result in a damage or loss. Punishment can include financial penalties. AKA tort law where jury decides liability
Administrative/Regulatory Laws
How the industries, organisations and officers have to act. Wrongs can be penalised with imprisonment or financial penalties.
Uniform Computer Information Transactions Act (UCITA)
Federal law which provides common framework for conduct of computer related business transactions. Provides basis for software licensing.
Types of computer crime
- Unauthorised intrusion
- Unauthorised alteration or destruction
- Malicious code
Enticement
is the legal action of luring an intruder, like in a honeypot.
Entrapment
Is the illegal act of inducing a crime, the individual had no intent of committing the crime at first
Federal Sentencing Guidelines
Provides judges and courts procedures on the prevention, detection and reporting
Purpose of Security Incident and Event Management (SIEM)
Automating much of the routine work of log review. Provide real-time analysis of events occurring on systems throughout an organisation but don’t necessarily scan outgoing traffic
Intrusion
Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organisation’s resources
Intrusion Detection
Monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion
IDS
Intrusion detection system automates inspection of logs and real-time system events to detect intrusion attempts and system failures
IPS
Intrusion prevention system includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions.
DLP
Data Loss Prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns.
Network Based DLP
Scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organisation. The system will scan, block and alert if a file was leaving the system.
Endpoint Based DLP
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organisation endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer
3 States of Information
- Data at Rest (storage)
- Data in Transit (moving through network)
- Data being processed (must be decrypted) / in use / end-point
Configuration item (CI)
Component whose state is recorded. Version: recorded state of the CI
Configuration
Collection of component CI’s that make another CI
Building
Assembling a version of a CI using component CI’s
Build list
Set of versions of component CI’s used to build a CI software library
CI Software Library
Controlled area only accessible for approved users
Artifacts
Configuration Management
Recovery Procedures
System should restart in secure mode, startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
Fault-tolerant
Systems continue to function despite failure
Fail safe system
Program execution is terminated and system protected from compromise when hardware or software failure occurs
Fail Closed/secure
Most conservative from a security perspective. Denies all further access.
Fail Open
Permits all access
Fail Hard
Such as BSOD, where human intervention to see why it failed is required
Fail soft or resilient system
Reboot, selected, non-critical processing is terminated when failure occurs
Failover
Switches to hot backup
Fail Safe
Doors UNLOCK
Fail Secure
Doors LOCK
Trusted Path
Protected data between users and a security component. Channel established with strict standards to allow necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange. This is the only way to cross security boundary appropriately.
Events
Anything that happens. Can be documented, verified and analysed
Incident
Event or series of events that adversely impact the ability of the organisation to do business.
Security Incident
This could be a suspected attack.
Security Intrusion
Evidence attacker attempted or gained access
Lifecycle of incident
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned
It is all about response capability (policy, procedures a team) –> incident response and handling (triage, investigation, containment, and analysis of and tracking) –> Recovery (recovery/repair), –> debriefing/feedback (external communications) –> Mitigation: limit the effect or scope of an incident
RCA
Tree/Boolean - Fault Tree Analysis, such as:
- 5Ways
- Failure Mode and Effects Analysis
- Pareto Analysis
- Fault Tree Analysis
- Cause Mapping
HIDS: Firewalls
Host Based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. Can examine events in more detail than NIDS. Benefits of HIDS include that it can detect anomalised on the host system that NIDS cannot detect
NIDS: Firewalls
Network based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details.
Full: Backup Type
All files, archieve bit and modify bit are cleared. Advantage: only previous day needed for full restore, disadvantage: time consuming
Incremental: Backup Type
Only backups modified files, archieve bit cleared. Advantage: least time and space, Disadvantage: first restore full then all incremental backups, thus less reliable because it depends on more components
Differential: Backup Type
Backups only modified files, doesn’t clear archive bit. Advantage: full and only last difference needed, intermediate time between full and diff
Redundant Servers
Applies RAID 1 mirroring concept to servers. On error servers can do a fail-over. This AKA server fault tolerance
Server clustering
Group of independent servers which are managed as a single system. All servers are online and take part in processing service requests. Individual computing devices on a cluster vs. a grid system - cluster devices all share the same OS and application software but grid devices can have different OSs while still working on same problem
Tape Rotation Schemes
Grandfather/Father/Son, Tower of Hanoi, Six Cartridge Weekly
RAIT
Robotic mechanisms to transfer tapes between storage and drive mechanisms
Mutual Aid Agreement: DRP
Arrangement with another similar corporation to take over processes. Advantage: cheap, disadvantage, must be exact same, is there enough capability, only for short term, and what if disaster affects both corporations. Is not enforceable.
Subscription Service
Third party, commercial services provide alternate backups and processing facilities. Most common of implementaitons.
Redundant Site
Mirrored site, potential 0 downtime
Hot Site - Internal/External
Fully configured computer facility. All applications are installed, up-to-date mirror of the production system. For extremely urgent critical transaction processing. Advantage: 24/7 availability and exclusive use are assured. Disadvantage: Very costly
Warm Site
Cross between hot and cold site. The computer facility is available but the applications may not be installed or need to be configured. External connections and other data elements that take log time to order are present. Advantages: less costly, however, disadvantages include: more time to setup (could be 12 hours).
Cold Site
Least ready but most commonly used. Has no hardware installed only power and HVAC. Advantage: cheap, however, disadvantages include: very lengthy time of restoration.
Service Bureau
Contract with a service bureau to fully provide alternate backup processing services. Advantage: quick response and availability.
Multiple Centres (AKA Dual Sites)
Processing is spread over several computer centres. Can be managed by same corporation (in-house) or with another organisation (reciprocal agreement). Advantage: costs, multiple sites will share resources and support. Disadvantage: a major disaster could affect both sites; multiple configurations have to be administrered.
Other data centre backup alternatives
- Rolling/mobile sites: mobile homes or HVAC trucks. Could be considered a cold site.
- In-house or external: Supply of hardware replacements. Stock of hardware either onsite or with a vendor. May be acceptable for warm site but not for hot site.
Prefabricated Buildings
A very cold site
RTO
Recovery Time Objectives. Refers to business processes, not hardware.
Hot Site RTO: In minutes or hours
Warm Site RTO: 1-2 days
Mobile Site RTO: 3-5 Days
Cold Site: RTO 1-2 weeks
RAID 0: Striped
One large disk out of several physical disk. Improved performance but no fault tolerance
RAID 1: Mirrored
Mirrored drives. Fault tolerance from disk errors and single disk failure. Expensive, and offers redundancy only, with no improvement to speed.
RAID 2
Not used commercially. Hammering code parity/error
RAID 3
Striped on a byte level with extra parity drive - improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4
Same as RAID 3 but striped on a block level. 3 or more drives
RAID 5
Striped on block level, parity distributed over all drives - requires all drives but one to be present to operate hot swappable. Interleave parity
RAID 6
Dual Parity, parity distributed overall drives. Requires all drives but two to be present to operate hot-swappable drives.
RAID 7
Same as RAID 5 but all drives act as one single virtual disk
Tape: Storage Media
Sequential, slow read, fast write (200GB an hour), historically cheaper than disk (now changing), robotic libraries
Disk: Storage Media
Fast read/write, less robust than tape
Optical Drive
CD/DVD. Inexpensive
MTTF
Mean Time to Failure
MTTR
Mean Time to Repair
MTBF
Mean Time between Failures (Useful Life) = MTTF + MTTR
JBOD
Most basic type of storage
Electronic Vaulting
Transfer of backup data to an offsite storage location via communication lines
Remote Journaling
Parallel processing of transactions to an alternative site via communication lines
Database Shadowing
Live processing of remote journaling and creating duplicates of the database sets to multiple servers
Object Reise
Use after initial use
Data Remanence
Remaining data after erasure. Format magnetic media 7 times (orange book)
Clearing
Overwriting media to be reused
Purging
Degaussing or overwriting to be removed
Destruction
Completely destroy preferably by burning
End Goal: DRP
Restore normal business operations.
Statement of Actions
Actions that have to be taken before, during and after a disruptive event that causes a singificant loss
Information Goal
Provide organised way for decision making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster
Disaster
Any event, natural or manmade, that can disrupt normal IT operations. A disaster is not over until all operations have been returned to their normal location and function. It will be officially over when the data has been verified at the primary site, as accurate
Recovery Team: DRP Teams
Mandated to implement recovery after the declaration of the disaster
Salvage Team
Goes back to the primary site to bring normal processing environmental conditions. Clean, repair, salvage. Can declare when primary site is available again.
Normal Operations Resume Plan
Has all procedures on how the company will return processing from the alternate site
Other recovery issues
Interfacing with other groups: everyone outside the corporation.
Employee relations: responsibility towards employees and families
Fraud and crime: like vandalism, looting and people grabbing the opportunity
DRP Key Points
- Make sure to get communications up first, then most critical business functions
- Documenting the plan
- Activation and recovery procedures
- Plan management
- HR involvement
- Costs
- Required documentation
- Internal/external communications
- Detailed Plans by team members
Desk Check: DRP Test
Deskcheck simply reviews the plans contents on paper
Table-top Exercise
Members of the DRP team gather in a large conference room and role-play a disaster scenario
Simulation Tests
More comprehensive and may impact one or more noncritical business units of the organisation, all support personnel meet in a practice room
Parallel Tests
Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also
Full-interruption tests
Involve relocating personnel to the alternate site and shutting down operations at the primary site
BCP
Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation.
BCP Process
- Scope and Plan Initiation: consider amount of work required, resources required, management practice
- BIA: helps to understand impact of disruptive processes
- BCP Development: Use BIA to develop BCP (strategy development phase bridges the gap between the BIA and the continuity planning phases of BCP development). Also includes testing of BCP.
- Plan approval and implementation: Management approval, and creating awareness
BCP Testing Frequency
Should be atleast once a year
DRP vs BCP
DRP has a heavy IT focus, allows the execution of the BCP, needs planning and testing
BCP Development
Is about defining the continuity strategy. Computing strategy to preserve the elements of hardware/software/communication lines/applications/data
Facilities
Use of main buildings or remote facilities
People
Operators, management, technical support persons
Supplies and equipment
Paper, HVAC
BCP Committee: Roles and Responsibilities
- Senior Staff (ultimate responsibility, due care/diligence)
- Various business units (identify and prioritise time critical systems)
- Information Systems
- Security Administrator
- People who will carry out the plan (execute)
- Representatives from all departments
CCTV
Enables you to compare the audit trails and access logs with a visual recording. Attacks include: replay attacks. Recording = detective control
Glare Protection: Lighting
Against blinding by lights
Continuous Lighting
Evenly distributed lighting
Standby Lighting
Timers
Responsive Areas Illumination
IDS detects activities and turns on lighting
NIST guidance on lighting
For critical areas the area should be illuminated 8 feet in height with 2 foot candle power
Fences: Guidance
Small mesh and high gauge is most secure.
3-4 feet deters casual trespasser
6-7 feet too hard to climb easily
8 feet + wires deters intruders, and difficult to climb
However, no one STOPS a determined intruder
Local Alarms
Audible alarm for at least 4000 feet far
Central Stations
Less than 10 minutes travel time for a private security firm
Proprietary Systems
Owned and operated by the customer. System provides many of the features in-house
Auxiliary Station Systems
On alarm ring out to lcoal fire or police
Line supervision check
If no tampering is done with the alarm wires
Power supplies
Alarm systems needs separate circuitry and backup power
Electromechanical: Physical Perimeter Detection
Detect a break or change in a circuit magenets pulled lose, wire door, pressure pads
Photoelectric
Light beams interrupted (such as in store entrance)
Passive Infrared
Detects changes in temperature
Acoustical Detection
Microphones, vibrations sensors
Wave Pattern Motion Detecters
Detects motions
Proximity or Capcitance Detector
Magnetic field detects presence around an object
Warded lock
Hanging lock with a key
Tumbler lock
Cylinder slot
Combination lock
3 digits with wheels
Cipher Lock
Electrical lock
Device Lock
Bolt down hardware
Preset Lock
Ordinary door lock
Programmable Lock
Combination or electrical lock
Raking
Circumvent a pin tumbler lock
Audit Trails
Ensure to collect date and time stamps, successful or not attempt, where the access was granted, who granted access, and who modified access privileges at supervisor level
Photo ID Card
Dumb digital coded ID cards, such as swipe cards and smartcards
Wireless Proximity CArds
User activated, system sensing. These can be passive or field powered.
Passive, Field Powered and Transponders
Passive: no battery, uses power of the field
Field Powered: active electronics, transmitter but gets power form the surrounding field from the reader.
Transponders; Both card and receiver holds power, transmitter and electronics
Trusted Recovery
Ensures that the security is not breached when a system crash or failure occurs. only required for B3 and A1 level systems.
Failure Preperation
Backup critical information thus enabling data recovery.
System recovery after a system crash
- Rebooting system in single user mode or recovery console, so no user access is enabled
- Recovering all file systems that were active during failure
- Restoring missing or damaged files
- Recovering the required security characteristic, such as file security labels
- Checking security-critical files such as system password file
Manual: Reocvery Type
System admin intervention is required to return the system to a secure state
Automatic: Recovery type
Recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)
Automatic without Undo Loss: Recovery Type
Higher level of recovery defining prevention against the undue loss of protected objects
Function: Recovery Type
System can restore functional processes automatically
System Reboot: Types of System Failure
System shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources
Emergency Restart: Types of System Failure
when a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments
System Cold Start: Types of System Failure
When an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state.
Hackers and crackers: Types of Attackers
Want to verify their skills as intruders
Entitlement
Refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges.
Aggregation
Privilege creep, accumulate privilege
Hypervisor
Software component that manages the virtual components. The hypervisor adds an additional attack surface, so its important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources
Exigent circumstances
Allows officials to seize evidence before it is destroyed. Police is called in.
Data haven
Is a country or location has no laws or poorly enforced laws
Chain of custody
Collection, analysis and preservation of data. Forensics uses bit-level copy of the disk
Darknet
Unused network space that may detect unauthorised activity
Pseduo Flaw
False vulnerability in a system that may attract an attacker
Fair information practices
Openness, collection limitation, purpose specification, use limitation, data quality, individual participation, security safeguards, and accountability.
Noise and perturbation
Inserting bogus information to hope to mislead an attacker
First step of change process
Management approval. When a question is about processes, there must always be management’s approval as first step
Prototyping
Customer view taken into account
SQL - SUDIGR
6 basic SQL commands: Select, Update, Delete, Insert, Grant, Revoke
Bind Variables
Placeholders for literal values in SQL query being sent to the database on a server. Bind variables in SQL used to enhance performance of a database
Gantt and PERT Charts
Project management and monitor progress and planning of projects
Piggybacking
Looking over someone’s shoulder to see how someone gets access
Datacentre Secure Feautres
Walls from floor to ceiling, concrete floor slab of 150 pounds per square foot, no windows, and air conditioning should have own emergency power off
Electronic Access Control (EAC)
Proximity readers, programmable locks or biometric systems
CPTED Crime Prevention Through Environmental Design
Natural access control: guidance of people by doors, fences bollards lighting. Secure zones defined.
- Natural surveillance: cameras and guards
- Territorial Reinforcements: walls, fences, flags
- Hardening: focus on locks, cameras, guards
Facility site
Core of building (thus with 6 stores, on 3rd floor)
Hacktivists
Combination of hacker and activist, often combine political motivations with the thrill of hacking
Thrill attacks
Attacks launched only for the fun of it. Pride, bragging rights
Script kiddies
Attackers who lack the ability to devise their own attacks will often download programs that do their work for them, such as website defacements
Business attacks
Focus on illegally obtaining an organisation’s confidential information
Financial attacks
Carried out to unlawfully obtain money or services
Terrorist Attacks
Purpose of a terrorist attack is to disrupt normal life and instill fear
Military or inteliigence attack
Designed to extract secret information
Grudge attacks
Attacks that are carried out to damage an organisation or a person.
Sabotage
Criminal act of destruction or disruption committed against an organisation by an employee.
Espionage
Malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organisation. Countermeasures include: strict access control measures to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.
Integrity breaches
Unauthorised modification of information, violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances
Confidentiality breaches
Theft of sensitive information
