Domain 7 - Security Operations Flashcards
What is Exigent Circumstances?
Evidence may legally be seized without a warrant when it is in imminent danger of being destroyed; the investigator must justify the seizure in court afterwards.
During a forensic investigation, what is the difference in outcome between examination and analysis?
Examination extracts data from the collected evidence; analysis turns that data into information (what happened, how, and who was involved).
What makes a copy backup different from a full backup?
The archive bit is not reset when performing a copy backup
Evidence process
Evidence must be: identified, preserved, collected, examined, analyzed. Findings must be presented and a decision made.
Forensic Investigation steps
- Identification
- Preservation
- Collection
- Examination
- Analysis
- Presentation
- Decision
Forensic investigation - Step 1: Identification
The computer system is a crime scene: identify and secure it. Review audit logs, monitoring systems, user complaints, and the output of detection and analysis tools. Preserve and retain all evidence. When the computer itself is unavailable, capture related information (IP addresses, user names, and other identifiers).
Forensic investigation - Step 2: Preservation
Make system images, start the Chain of Custody (CoC), document evidence, and record timestamps.
Forensic investigation - Step 3: Collect Evidence
- Note the order of volatility and collect the most volatile data first.
- Create bit-level (bit-for-bit) images; work from copies, never from the original.
- Remove the system from production.
- Compute message digests (MD5/SHA-256 hashes) of the original and the image to prove data integrity.
- Capture data stored in the cache, process tables, memory, and registry.
- Use a bound notebook to keep notes (pages cannot be removed unnoticed).
- Use an evidence field kit (tags, bags, labels, pens, and supplies).
Order of Volatility (most volatile first; collect in this order)
- Memory contents
- Swap files
- Network processes
- System processes
- File system information
- Raw disk blocks
Forensic investigation - Step 4: Examine; Step 5: Analysis
Collect and analyze the evidence using scientific, repeatable methods. Review characteristics such as timestamps and identification properties (hashes, metadata). Reconstruct and document the crime scene from which the evidence was collected.
Forensic investigation - Step 6: Present Findings
Prepare the evidence to be presented in court. Keep the details, but avoid technical jargon so the jury can understand.
Step 7: Decision (forensics investigation)
After the verdict, conduct a lessons-learned review and determine what can be done better next time. Evidence is retained until the verdict and any appeals are final; only then is it returned or disposed of.
IOCE and SWGDE functions
Establish standards for digital forensics on mobile devices, computers, and other computing systems. International Organization on Computer Evidence (IOCE) and Scientific Working Group on Digital Evidence (SWGDE).
NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response
Guidelines on data collection, examination, analysis, reporting, selecting team personnel, incident response handling, and processes to follow in investigations.
Crime Scene
Environment in which potential evidence exists; can be multiple environments. Should be secured, systems isolated, not powered down until image is created. Access should be tightly controlled.
Motive, Opportunity, Means (MOM)
Used by investigators to narrow down suspects; any suspect must have all three parts of this construct.
Motive
Explains why a crime was committed, and therefore points to who had reason to commit it.
Opportunity
Explains where and when a crime occurred.
Means
Explains how a crime was carried out by a suspect.
Chain of Custody (CoC)
Document used to ensure integrity of evidence is maintained and admissibility of evidence in court. Records all persons who secured, obtained, and accessed controlled evidence.
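The integrity half of the chain of custody is mechanical: hash at acquisition, re-hash at every hand-off, and compare. As an added example that is not part of the original flashcards, the block below does that for a constructed stand-in image; item identifiers and custodian names are the example's own.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a bit-level disk image; a real image is a file read in chunks.
SAMPLE_IMAGE = b"\x00" * 512 + b"sector 1: partition table and boot code" + b"\xff" * 512


def hash_bytes(data: bytes, chunk: int = 4096) -> dict:
    """Two independent digests, updated in chunks the way a tool hashes a multi-GB image."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def start_custody_log(item_id: str, description: str, collected_by: str, data: bytes) -> dict:
    """Open the chain-of-custody record at acquisition; the hashes taken here are the reference."""
    return {
        "item_id": item_id,
        "description": description,
        "acquired": {"by": collected_by, "at": _now(), "hashes": hash_bytes(data)},
        "transfers": [],
    }


def record_transfer(log: dict, from_person: str, to_person: str, purpose: str, data: bytes) -> bool:
    """Log a hand-off and re-hash the item, so any tampering is pinned to a specific custodian."""
    hashes = hash_bytes(data)
    intact = hashes == log["acquired"]["hashes"]
    log["transfers"].append({
        "from": from_person, "to": to_person, "purpose": purpose,
        "at": _now(), "hashes": hashes, "intact": intact,
    })
    return intact


def verify_integrity(log: dict, data: bytes) -> bool:
    """Final check before presentation: does the item still match the acquisition hashes?"""
    return hash_bytes(data) == log["acquired"]["hashes"]


def demo() -> tuple:
    """Walk one item through acquisition, a clean transfer, and a transfer of a tampered copy."""
    log = start_custody_log("HDD-001", "500 GB laptop drive image", "examiner A", SAMPLE_IMAGE)
    ok_transfer = record_transfer(log, "examiner A", "evidence locker", "storage", SAMPLE_IMAGE)
    # A single flipped byte anywhere in the image changes both digests.
    tampered = SAMPLE_IMAGE[:600] + b"\x01" + SAMPLE_IMAGE[601:]
    bad_transfer = record_transfer(log, "evidence locker", "examiner B", "analysis", tampered)
    return ok_transfer, bad_transfer, verify_integrity(log, SAMPLE_IMAGE), log
```

Recording two digests guards against a future collision attack on either algorithm; the transfer entry that reports `intact: False` is what tells the court (and the examiner) which custodian's period the alteration falls in.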
Interviewing (and interrogation)
Controlled by one person, who ensures the subject understands their rights and the purpose of the process, which is to gather evidence. The session should be recorded. HR and management representatives should be present. Only an employee senior to the subject should conduct this meeting.
evidence concepts
relevant, reliable, preservation, tagging, and five rules of evidence
Relevant (relevance)
Admissible evidence must be material to the case: it relates to the crime, supports MOM, or helps establish when the crime occurred.
Reliable (reliability)
Admissible evidence must meet the criterion that it has not been modified or tampered with (integrity, normally proven with hashes and the chain of custody).
Preserved (preservation)
Admissible evidence meets the criteria that it has not been damaged or destroyed.
tagging evidence
Documents how the evidence was transported from the crime scene to storage. Includes complete descriptions of the evidence condition when found and all who accessed the evidence.
Five Rules of Evidence
Digital evidence is volatile and must be: authentic, accurate, complete, convincing, and admissible.
Investigators
These roles should understand the types of evidence that can be obtained, used in court, media types, devices, hardware, embedded devices, and guidelines on surveillance.
What are the types of evidence?
Best, secondary, direct, conclusive, circumstantial, opinion, hearsay, and corroborative.
Best Evidence
Only original documents or recordings can be accepted as evidence unless there is a legitimate reason not to use the original or a judge rules a copy as admissible evidence.
Secondary Evidence
Evidence reproduced from an original or substituted for an original item. Copies, and oral testimony about the contents of an original, are considered this type of evidence.
Direct Evidence
Proves or disproves a fact through oral testimony based on what the witness directly perceived (sight, hearing, touch, or smell).
Conclusive Evidence
Requires no other corroboration and cannot be contradicted.
Circumstantial Evidence
Indirect evidence: a fact from which another fact is inferred. A jury uses it to conclude whether another fact is true or untrue.
Corroborative Evidence
Supports another piece of evidence to verify a witness testimony as true or untrue.
Opinion Evidence
Based on what the witness thinks, feels, or infers regarding the facts. Testimony from a qualified expert witness (a doctor, for example) is expert evidence, not this type.
Hearsay Evidence
Second-hand: the witness lacks direct knowledge of the asserted facts and learned them from another person. Computer-generated records can be treated as hearsay unless a qualified person can testify to how the system produced them and to the accuracy and integrity of the evidence.
Surveillance
Monitoring behavior, activities, or other changing information of either people or computers.
Physical Surveillance
Monitoring a person’s actions by CCTV or by direct observation.
Computer Surveillance
Monitoring a person’s actions captured on a computer using digital information such as logs.
Search
Activity that requires a judge-approved warrant, obtained by showing probable cause that a crime has been committed. It is allowed without a warrant in emergencies (exigent circumstances), but the reasons must later be justified in court.
Seizure
Taking physical custody of digital components obtained with a warrant.
Media Analysis
Disk imaging, slack space analysis, content analysis, and steganography detection.
Disk Imaging
Performed during media analysis: the creation of an exact bit-for-bit image of a drive's contents. Working copies are made from the image, never from the original.
Slack Space Analysis
The unused space between the end of a file's data and the end of the last cluster allocated to it, together with unallocated clusters that once held deleted files. Remnants of deleted or overwritten files remain there and are often still retrievable. Conducted during media analysis.
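Slack and unallocated space are examined by ignoring the file system and carving files out of the raw bytes by their header and footer signatures. The following is an added example, not part of the original flashcards: the disk image is constructed inline (a wiped directory area followed by a deleted JPEG and a PNG sitting in clusters), and the two "files" are minimal stand-ins with real magic numbers rather than valid images.

```python
# Header/footer signatures for two common image types (real magic numbers).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

# Constructed minimal files: enough header/footer structure for carving, not valid images.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 40 + b"\xff\xd9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"IEND\xaeB`\x82"


def build_sample_disk() -> bytes:
    """Constructed raw image: zeroed directory area (entries deleted), then 512-byte clusters."""
    disk = b"\x00" * 1024                           # sectors 0-1: directory entries wiped
    disk += FAKE_JPEG                               # deleted JPEG still sitting in cluster 2
    disk += b"\x00" * (512 - len(FAKE_JPEG) % 512)  # cluster slack after the JPEG
    disk += FAKE_PNG                                # PNG starting on the next cluster boundary
    disk += b"\x00" * (512 - len(FAKE_PNG) % 512)
    return disk


def carve(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan the whole image (allocated, slack and unallocated alike) for header/footer pairs.

    Carving never consults the file system, so it recovers files whose directory
    entries are gone. Each hit records where on disk it was found.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > max_size:
                pos = start + 1  # header with no plausible footer: fragment, keep scanning
                continue
            end += len(footer)
            found.append({"type": kind, "offset": start, "size": end - start,
                          "data": image[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])
```

On a real image the offsets map back to clusters, which tells the examiner whether the file lived in an allocated file's slack or in free space; a `max_size` bound stops a stray header from swallowing the rest of the disk.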
Content Analysis
Conducted during media analysis; characterizes the data on a drive by type (documents, images, executables, encrypted data) and the percentage of each.
Steganography
Process of hiding a message inside another object, such as a document inside a picture. Media analysis compares files against known-good copies or statistical norms to detect whether they have been altered, encrypted, or carry hidden content.
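The classic form of this is least-significant-bit (LSB) embedding, which is why a hidden message survives the eye but not a hash. The block below is an added example and not from the original flashcards: the cover is a constructed run of 8-bit samples (think grayscale pixels or PCM audio), and the length-prefixed framing is the example's own convention.

```python
# Constructed "cover": 1024 8-bit samples (grayscale pixels or PCM audio would look like this).
COVER = bytes(range(256)) * 4


def capacity_bytes(cover: bytes) -> int:
    """One message bit per sample, minus the 4-byte length prefix."""
    return len(cover) // 8 - 4


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of each sample, 4-byte length prefix first."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Rebuild bytes from the LSBs: read the length prefix, then exactly that many bytes."""
    def read_bytes(count: int, start_sample: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_sample + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def sample_diff(cover: bytes, stego: bytes) -> dict:
    """What the examiner sees when a known-good copy exists: many samples changed, each by at most 1."""
    diffs = [abs(a - b) for a, b in zip(cover, stego)]
    return {"changed": sum(1 for d in diffs if d),
            "max_delta": max(diffs),
            "length_same": len(cover) == len(stego)}
```

Without the original to diff against, detection falls back to statistics (LSB pairs-of-values tests, chi-square) because a delta of 1 in 8-bit samples is below perceptual thresholds; with the original, any cryptographic hash of the two files already differs.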
This involves the process of decompiling code. It looks at the content to determine why the software was created. It looks at reverse engineering to retrieve the source code of the program to see how it works and what the program can do. It looks at the author identification to discover who the author is. Last, it looks at the context and analyzes the environment the software was found in to discover clues.
software analysis forensic techniques - concepts
Tools and techniques are used to preserve logs and network activity as evidence. Communication analysis captures traffic on the network and searches for particular types of activity. Log analysis examines the device and server logs of that traffic. Path tracing follows a particular packet or traffic type back through the network to discover the attacker's route.
network analysis of communications, logs, and path tracing
A vendor can provide tools and assistance such as log analysis, OS analysis, and memory inspection. NIST recommends the following:
- Don’t change data during analysis.
- Only trained investigators access data.
- Document all steps (leave an audit trail).
- The lead investigator is responsible for ensuring that all persons involved follow all steps.
- All activity needs to be available for review.
hardware/embedded device analysis
investigation types
operations, criminal, civil, regulatory, and eDiscovery
An investigation into an event or incident that does not result in any criminal, civil, or regulatory issue. It uses root cause analysis and lessons learned. It is used to ensure that the appropriate changes are made to prevent such an incident from occurring again, including putting in place security controls.
operations investigations
Part of operations investigations. The goal is to determine the root cause by breaking the incident down until only the underlying cause remains, so that steps can be taken to prevent the incident in the future.
root-cause analysis
An investigation that is carried out because a federal, state, or local law has been violated. Law enforcement should be brought in early with these types of investigations. The crime should be properly documented. The investigation could result in a criminal trial.
criminal investigation
An investigation that occurs when one organization or party suspects another of a civil wrong (for example breach of contract or negligence). It is brought by the wronged party rather than a government prosecutor, and the standard of proof is lower than in a criminal case (preponderance of the evidence).
civil investigation
An investigation that occurs when a regulatory body investigates an organization for a regulatory infraction. Failure to cooperate with a regulatory investigation can result in charges being filed against the organization and the personnel involved.
regulatory investigation
Litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) such as email, files, websites, voicemail, audio files, and database records. ESI must be preserved (placed under legal hold) to prevent spoliation or tampering, and stored safely for later review.
electronic discovery (eDiscovery)
Audit and reviews; IDS and IPS; SIEM; continuous monitoring; egress monitoring
logging and monitoring activities
Log sources to review include IDS, IPS, HIDS, SIEM, continuous monitoring, and egress monitoring. The review questions should consider:
- Are users accessing information or performing tasks unnecessary to their jobs?
- Are repetitive mistakes being made?
- Do too many users have special rights or privileges?
Questions to ask during audit and review.
- Does the audit trail provide a trace of user actions?
- Is access to online logs strictly controlled?
- Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?
Questions to ask when assessing controls over audit logs and audit trails.
A detective technical control: a system that sends an alert when unauthorized activity is detected (its logs are used for audit reviews).
Intrusion Detection Systems
A preventive technical control: a system placed inline that alerts when unauthorized activity is detected and blocks or drops it (its logs are used for audit reviews).
Intrusion Prevention Systems
Examines the operations on an individual system to detect intrusions. It alerts after compromise and cannot prevent it (its logs are used for audit reviews).
host intrusion detection system (HIDS)
A group of technologies that aggregates access-control information and selected system activity into a central store (including raw log data) for analysis and correlation. Because these central repositories attract attackers, they require extensive protection. Logs are collected to comply with regulatory requirements, provide internal accountability, support risk management, and perform monitoring (and trending).
Security Information and Event Management (SIEM)
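The audit-review questions above (unnecessary access, repetitive mistakes, too many privileged users) are exactly the correlations a SIEM runs over collected logs. As an added example that is not part of the original flashcards, the block below parses constructed key=value log lines and answers each question; the log format, host and user names, and the role-to-path model are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed log lines in a simple key=value format (not from any real product).
LOG_LINES = """\
2024-05-01T08:00:01Z srv1 FAILED_LOGIN user=bob src=10.0.0.5
2024-05-01T08:00:04Z srv1 FAILED_LOGIN user=bob src=10.0.0.5
2024-05-01T08:00:07Z srv1 FAILED_LOGIN user=bob src=10.0.0.5
2024-05-01T08:00:11Z srv1 FAILED_LOGIN user=bob src=10.0.0.5
2024-05-01T08:00:15Z srv1 LOGIN user=bob src=10.0.0.5
2024-05-01T08:05:00Z fs1 ACCESS user=bob path=/payroll
2024-05-01T08:06:00Z fs1 ACCESS user=alice path=/ledger
2024-05-01T08:07:00Z srv1 FAILED_LOGIN user=carol src=10.0.0.9
2024-05-01T08:08:00Z fs1 ACCESS user=bob path=/tickets
2024-05-01T08:09:00Z srv1 SUDO user=dave cmd=/bin/bash
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+)(?P<rest>.*)$")

# Assumed role model for the example: which paths each role legitimately needs.
ROLE_OF = {"alice": "finance", "carol": "finance", "bob": "helpdesk", "dave": "sysadmin"}
ALLOWED_PATHS = {"finance": {"/ledger", "/payroll"}, "helpdesk": {"/tickets"}, "sysadmin": set()}
PRIVILEGED_USERS = {"dave", "bob", "carol"}  # assumed members of admin/sudo groups


def parse(lines: str) -> list:
    """Turn each log line into a dict; extra key=value fields become dict entries."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines would be counted and alerted on in production
        ev = m.groupdict()
        ev.update(kv.split("=", 1) for kv in ev.pop("rest").split())
        events.append(ev)
    return events


def failed_login_bursts(events: list, threshold: int = 3) -> list:
    """Repetitive mistakes, or password guessing: many failures from one user/source pair."""
    counts = Counter((e["user"], e["src"]) for e in events if e["event"] == "FAILED_LOGIN")
    return sorted((u, s, n) for (u, s), n in counts.items() if n >= threshold)


def out_of_role_access(events: list) -> list:
    """Access to information a user's job does not require (need-to-know violation)."""
    hits = []
    for e in events:
        if e["event"] == "ACCESS":
            allowed = ALLOWED_PATHS.get(ROLE_OF.get(e["user"], ""), set())
            if e["path"] not in allowed:
                hits.append((e["user"], e["path"]))
    return hits


def privilege_ratio(events: list, privileged: set = PRIVILEGED_USERS, max_ratio: float = 0.25) -> tuple:
    """Do too many users hold special rights? Privileged accounts as a share of all accounts seen."""
    users = {e["user"] for e in events}
    ratio = len(privileged & users) / len(users)
    return ratio, ratio > max_ratio
```

In the constructed sample, bob's four failures followed by a success from the same source is the pattern worth a ticket (a guessed password), and his read of /payroll is the need-to-know finding; note that both only become visible once the authentication server and the file server logs sit in the same store.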
This should be part of an organization’s monitoring program. It should be guarded as critical infrastructure of the organization. Activities should be recorded.
continuous monitoring and continuous monitoring as a service (CMaaS) for cloud services
A technique in which all outbound traffic from the organization's networks is monitored, usually at firewalls that control traffic leaving the network. It watches the flow of information from one network to another and commonly uses data loss prevention (DLP).
egress monitoring
Software that attempts to prevent data leakage by knowing which actions may not be taken with a document (copying, emailing, uploading). It uses egress filters to identify sensitive information and block leaks, and can be implemented in two locations: network and endpoint.
data loss prevention (DLP) software
Network DLP: installed at network egress points near the perimeter. Endpoint DLP: runs on end-user workstations or servers. Both determine whether content is sensitive using precise methods (content registration, i.e. fingerprints of known sensitive documents, which rarely trigger false positives) and imprecise methods (keywords, regular expressions, and similar pattern matching, which trigger more false positives).
Locations where DLP can be implemented.
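The precise/imprecise split is easiest to see side by side. As an added example that is not part of the original flashcards, the block below implements an imprecise detector (a card-number regex tightened with a Luhn check) and a precise one (content registration as hashed word shingles of a known document); the memo, the outbound messages, and the shingle size and match threshold are the example's own constructed data and assumptions.

```python
import hashlib
import re

# Imprecise: 13-16 digits, optionally separated by spaces or dashes, not adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts the false-positive rate of the bare regex on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def imprecise_scan(text: str) -> list:
    """Imprecise method: pattern match for anything that looks like a payment card number."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def _shingles(text: str, k: int = 5) -> list:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]


def register(document: str, k: int = 5) -> set:
    """Precise method (content registration): fingerprint a known sensitive document as a set of
    hashed word shingles, so the sensor never has to hold the document itself."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in _shingles(document, k)}


def precise_scan(text: str, fingerprint: set, k: int = 5, min_matches: int = 3) -> tuple:
    """Count shingles of the outbound text that match the registered fingerprint."""
    matches = sum(1 for s in _shingles(text, k)
                  if hashlib.sha256(s.encode()).hexdigest()[:16] in fingerprint)
    return matches, matches >= min_matches


# Constructed sample data.
REGISTERED_DOC = ("Project Falcon confidential pricing memo. Unit cost is 42 dollars with a "
                  "target margin of 30 percent. Launch partners are Acme and Globex. Do not distribute.")
OUTBOUND_LEAK = "fyi - unit cost is 42 dollars with a target margin of 30 percent, per the memo"
OUTBOUND_CARD = "customer paid with card 4111 1111 1111 1111, please refund"
OUTBOUND_BENIGN = "ticket 1234 5678 9012 3456 was closed, lunch at noon?"
```

The benign message shows the trade-off: the regex alone would flag the 16-digit ticket number, the Luhn check clears it, and a registered-content match can only fire on text that was actually lifted from a protected document.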
Asset inventory; configuration management; physical assets; virtual assets; cloud assets; and applications.
resource provisioning concepts
The process in security operations which ensures that the organization deploys only the assets it currently needs. The organization must maintain an accurate asset inventory and use appropriate configuration management processes.
resource provisioning
Any item of value to an organization, including physical devices, digital information, and personnel.
asset
Maintain an accurate inventory so that theft can be detected. Fully document all asset information and keep hard and electronic copies of the inventory. Lock away devices that can be stolen and track them (GPS). Use remote wiping and remote locking features. Guard media devices from unauthorized access and theft. Encrypt data on all devices.
Important practices regarding assets.
The process of identifying and documenting components, software, and their associated settings. The goal is to establish and maintain the integrity of the item on a recurring basis throughout its lifecycle.
configuration management
Anything that can be “touched” (i.e. servers, desktops, laptops, mobile devices, and network devices). Track these in the asset inventory and decommission properly as part of the configuration management process.
physical assets
Software-defined assets, including virtual storage area networks (SANs), guest virtual machines (VMs), and virtual routers. (Others include virtual storage, block virtualization, file virtualization, host-based virtual storage, and storage-device-based virtual storage.)
virtual assets
Configuration management ensures these assets are provisioned, monitored, and billed correctly, and that monitoring policies are in place so that only needed resources are deployed.
cloud assets
These may be locally installed, delivered as web services, or consumed as SaaS. Configuration management ensures an appropriate number of licenses is maintained, reviews licenses periodically, and ensures only personnel with a valid need for the software have access rights.
application
Need-to-know/least privilege; managing accounts, groups, and roles; separation of duties; job rotation; sensitive information procedures; records retention; monitor special privileges; information life cycle; and service level agreement (SLA).
security operations - concepts
A security principle that defines the minimum information access required for each job or business function. The default is "no access." It is applied in role-based access control (RBAC) and discretionary access control (DAC), and is a formal requirement of mandatory access control (MAC), where clearance alone is not enough.
need-to-know
This manages users, groups, and roles for the following account types: root/built-in admin, service, regular admin, power user, and regular user. For example, every user has one account. Groups have permissions configured to access resources; users are assigned to a group and inherit its permissions (a user can only do what the group is allowed to do). Users are also assigned to roles, which are used by applications.
managing accounts, groups, and roles
This is the most powerful account type. It is best to disable it, since it is a frequent attack target. If the account must be kept, rename it and use a strong, complex password. Use it only when performing duties that require it, and always audit its use.
root account / built-in account
This account is used to run system services and applications. Its access should be limited to the system(s) that need it. Research the default accounts in use, change their passwords regularly, and always audit their use.
service account
An account created for and assigned to an individual. A user with an admin account should also have a day-to-day normal account, and use the admin account only for admin-level duties. Always audit this type of account.
regular administration account
This account has more privileges and permissions than normal accounts. It is for users with higher-level permissions. It is best to entirely remove these types of accounts. Modern operating systems limit this type of user’s account abilities.
power user account
This account is used for daily work. It has limited permissions and should be configured with least privilege.
regular user accounts
This grants users only the rights and permissions required to perform their job functions. It is closely related to need-to-know, which applies the same idea specifically to access to information.
least privilege
This is a preventive control, closely related to dual control (a single task that requires at least two people to complete). Sensitive operations are divided among multiple users so that no one user has the rights or access to carry out the operation alone. It ensures no single person can compromise the organization's security, and serves as an internal control against fraud by distributing tasks, rights, and privileges among users.
separation of duties
An administrative control implemented to reduce the risk of collusion and fraud between individuals. It may uncover activities an individual performs outside of normal operating procedures, revealing errors or fraudulent behavior. It may be difficult to implement in smaller companies because of cost or a lack of the required skills. It is usually paired with mandatory vacations.
job rotation
Employees are cross-trained and can cover for one another in emergencies; it also provides protection against fraud and collusion.
Benefits of using job rotation.
An administrative control used to detect potential illicit activity by requiring employees to be away from their duties for a set period of time, during which someone else performs them. It is used in conjunction with job rotation.
mandatory vacation
Customer and employee data needs to be protected; access controls prevent unauthorized access to sensitive data. Questions to ask when reviewing procedures and policies regarding sensitive data include:
1) Is data available to the user that is not required for his or her job?
2) Do too many users have access to sensitive data?
sensitive information procedures
Proper access control requires auditing. Monitor the most sensitive activities and retain and review all records. Laws and regulations require records to be retained, so configure logs so they are not overwritten when full. For high-security systems it is advisable to halt the server when the logs are full (fail secure) rather than continue operating without an audit trail.
record retention
Users such as help desk or IT staff may need special privileges, such as resetting passwords on other accounts. These positions require high ethics and accountability. Their activities should be logged, monitored, and reviewed because of the insider risk these privileges create.
monitoring special privileges
Creation, distribution, use, maintenance, and disposal of information. After information is gathered it must be classified to ensure that only authorized personnel can access it.
information life-cycle
A document describing the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured and the remedies or penalties should the agreed-upon levels not be achieved. It can be internal (between departments) or external (with a vendor), and it defines the timeframes within which problems must be responded to and resolved.
service level agreement (SLA)
Protecting tangible and intangible assets; asset management; backup and recovery systems; identity and access management; media management; media history; media labeling; sanitizing and disposing of media; network and resource management.
resource protection: concepts
Assets such as intellectual property, data, and organizational reputation that are vital to a company but are not physical. They include secret recipes, formulas, and trade secrets, and should be included in a comprehensive protection plan.
resource protection: intangible assets
Assets that can be physically touched, including computers (the hardware and the software that runs on it), facilities, supplies, information, and personnel.
resource protection: tangible assets
Most often this is the largest asset, and it should be included in vulnerability testing. HVAC, fire detection, water, sewage, temperature control, power and backup power, communications equipment, and intrusion detection should all be protected and regularly tested. Vulnerability testing addresses the following questions regarding this type of asset:
1) Do the doors close automatically, and does the alarm sound if a door is held open for too long?
2) Are the protection methods of sensitive areas working? Are they sufficient?
3) Does the fire suppression system work?
4) Are sensitive documents being shredded?
resource protection: facilities
This type of tangible asset includes all computing devices and all infrastructure devices (i.e., routers, switches, and firewall appliances). These are managed remotely but must be protected (including the data they contain), because management commands travel over the network. Guidelines for protecting this type of asset include:
1) Change the default admin password on devices.
2) Limit the number of users with access to remote devices.
3) Use encrypted SSH rather than cleartext protocols such as Telnet.
4) Manage critical systems locally.
5) Limit physical access to these devices.
resource protection: hardware
This type of tangible asset includes all proprietary applications, scripts, or batch files developed in-house that are critical to the organization's operations. Secure the source code and access to the tools used to write it. Monitor the use of software, including commercial applications, to prevent unintentional license breaches.
resource protection: software
This type of asset includes recipes, processes, trade secrets, and any other plan that helps the organization compete in its markets and industry. Principles of data classification and access control apply to these assets. Their dollar value may be difficult to determine (it may be based on what it would cost the company to replace them).
information assets
The activities that support the continual (daily) maintenance of the security of a system. Its primary purpose is to safeguard the information assets resident in the system.
operations security
Redundancy, fault tolerance, backup and recovery; identity and access; media and media history. Access to assets must be controlled to prevent deletion, theft, corruption (of data), and physical damage. Supports the availability leg of the CIA triad.
asset management - concepts
Providing multiple instances of a physical or logical component so that a second component is available if the first fails. Supports the availability leg of the CIA triad.
redundancy
The ability of a system to continue operating in the event of a component failure (so processes keep running). Supports the availability leg of the CIA triad.
fault tolerance
A fault-tolerance countermeasure designed to combat threats and improve reliability. Data is written across multiple disks (an array) for quick access without needing to restore from backups. Not all RAID levels provide redundancy; the array must be capable of detecting and correcting faults.
Redundant Array of Independent Disks (RAID)
RAID, SAN, NAS, and HSM. This type of management is important to operation security because media is where the data is stored.
media management - concepts
RAID can be implemented in either software or hardware. Software RAID is a function of the operating system. RAID 0 (striping) and RAID 1 (mirroring) are simple and perform well in software because no parity computation is needed. RAID 3 and RAID 5 use parity and perform better with a hardware controller.
types of RAID levels
This RAID level provides no redundancy: if one disk fails, the data on all disks is lost. It increases read/write speed by striping data across multiple drives, so it suits systems with high performance needs, not high availability needs. It is the fastest RAID configuration and the most suitable for temporary storage; it improves performance but not fault tolerance.
RAID 0: disk striping without mirroring or parity
This RAID level creates mirrored drives without striping or parity, so redundancy is provided. The array operates as long as at least one drive is functioning. It uses at least two disks and writes a copy of the data to each, providing fault tolerance in the case of a single drive failure (at the cost of halving usable capacity).
RAID 1: disk mirroring
In this RAID level, data is striped across all drives at the bit level and a Hamming code stored on dedicated drives provides error detection and correction. A Hamming code can correct single-bit errors or detect double-bit errors. It is rarely used today because modern drives have built-in ECC.
RAID 2: bit-level striping with Hamming code
This RAID level requires at least three drives. Data is striped across all but one drive at the byte level, and parity information is written to a single dedicated drive. The parity is used to regenerate the data in the case of a single drive failure. If the parity drive itself fails the data survives but all redundancy is lost until it is replaced, and the dedicated drive is a bottleneck because every write updates it.
RAID 3: byte-level striping with a dedicated parity disk
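The difference between RAID 0 and RAID 3 is exactly one XOR per stripe. The block below is an added example and not from the original flashcards: it stripes a constructed payload across three data disks, computes the dedicated parity disk, then "kills" a disk and shows that RAID 3 regenerates it (whether the lost disk held data or parity) while RAID 0 cannot. Chunk and disk counts are the example's own choices.

```python
def xor_bytes(*blocks: bytes) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity operation RAID 3/4/5 rely on."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, v in enumerate(block):
            out[i] ^= v
    return bytes(out)


def raid0_write(data: bytes, n_disks: int = 3, chunk: int = 4) -> list:
    """Striping only: round-robin chunks across disks, nothing to recover from."""
    padded = data + b"\x00" * (-len(data) % (chunk * n_disks))
    disks = [[] for _ in range(n_disks)]
    for i in range(0, len(padded), chunk):
        disks[(i // chunk) % n_disks].append(padded[i:i + chunk])
    return disks


def raid3_write(data: bytes, n_data: int = 3, chunk: int = 4) -> list:
    """Striping plus one dedicated parity disk (last index) holding the XOR of each stripe."""
    disks = raid0_write(data, n_data, chunk)
    parity = [xor_bytes(*(disks[d][s] for d in range(n_data))) for s in range(len(disks[0]))]
    return disks + [parity]


def fail_disk(disks: list, index: int) -> list:
    """Simulate a dead drive: its contents are simply gone."""
    return [None if i == index else d for i, d in enumerate(disks)]


def raid0_read(disks: list, length: int) -> bytes:
    if any(d is None for d in disks):
        raise RuntimeError("RAID 0: any single disk failure loses the whole array")
    stripes = len(disks[0])
    return b"".join(disks[d][s] for s in range(stripes) for d in range(len(disks)))[:length]


def raid3_read(disks: list, length: int) -> bytes:
    """Read the data disks, regenerating one missing disk (data or parity) from the XOR of the rest."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise RuntimeError("RAID 3 tolerates exactly one failed disk")
    n_data = len(disks) - 1
    stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(stripes):
        pieces = [None if d is None else d[s] for d in disks]
        if failed:
            pieces[failed[0]] = xor_bytes(*(p for p in pieces if p is not None))
        out += b"".join(pieces[:n_data])
    return bytes(out[:length])


def survives(disks: list, failed_indices: list, expected: bytes, reader) -> bool:
    """True if the array still returns the original data after the listed disks fail."""
    for i in failed_indices:
        disks = fail_disk(disks, i)
    try:
        return reader(disks, len(expected)) == expected
    except RuntimeError:
        return False


DATA = b"The quick brown fox jumps over the lazy dog"  # constructed 43-byte payload
```

Because parity is the XOR of every data chunk in the stripe, the parity of the survivors plus the parity disk equals the missing chunk; a second simultaneous failure leaves two unknowns in one equation, which is why RAID 3 and RAID 5 are single-fault tolerant and RAID 6 adds a second, independent parity.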