Domain 7: Security Operations CISSP Cheat Sheet Series

Incident Scene Characteristics of Evidence Evidence Lifecycle Configuration Management (CM)

Assign ID to the scene • Incident environment protection • ID and possible Sufficient Validity can be acceptable. 1. Discovery An ITILv2 and an ITSM process that tracks all of the individual Configuration Items
sources of evidence • Collect evidence • Avoid or minimize evidence Reliable Consistent facts. Evidence not tampered or modified. 2. Protection (CI)
contamination Reasonable facts, with proof of crimes, acts and methods used, 3. Recording Configuration Version: state of the CI, Configuration - collection of component
Relevant Items (CI) CI’s that makes another CI
Locard’s event documentation 4. Collection and identification
In a crime the suspected person leaves something and takes
Exchange Permissible Evidence obtained lawfully Building Assembling a component with component CI’s Build list
something. The leftovers can be used to identify the suspect. 5. Analysis
Principle Recovery procedures. Eg. system restart. Should be accessed
6. Storage, preservation, transportation Artifacts
Interviewing and Interrogation by authorized users from authorized terminals.
Live Evidence Interviewing Collect facts to determine matters of the incident.
7. Present in court

• Most reliable and used by trial Obtain a confession by evidence retrieval method.
8. Return to owner
Incident Response
Primary Interrogation
• Original documents–Eg. Legal contracts Response Capability • Incident response and handling •
Evidence
• No copies or duplicates
• The Process: Prepare questions and topics, summarize information
Digital Evidence Lifecycle
Recovery • Feedback
Opinion Rule Witnesses test only the facts of the case, not used as evidence.
• Less powerful and reliable than primary evidence. Mitigation Limit the impact of an incident.
Expert Six principles to guide digital evidence
Secondary • Eg. Copies of originals, witness oral evidence. Can be used as evidence.
Witnesses technicians
Evidence • If primary evidence is available secondary of the same content
is not valid.
Root Cause Analysis (RCA)
Can prove without a backup support.
Network Analysis • All general forensic and procedural
principles apply. Fault tree analysis (FTA) Top down deductive failure analysis using boolean logic.
Direct Evidence Use of existing controls to inspect a security breach incident. Eg. IDS/IPS, firewall
• Eg. witness testimony by his/her own 5 senses.
logs • Upon seizure, all actions should not Review of as many components, assemblies, and
• Cannot contradict, conditional evidence, no other supportive Failure mode and
Conclusive • Software Analysis: Forensic investigation of applications which was running while change the data. subsystems as possible to identify potential failure
evidence requires effects analysis (FMEA)
Evidence the incident happened. modes.
• Cannot be used to directly prove a fact • All people accessing the data should
• Hardware/ Embedded Device Analysis: Eg. review of Personal computers & Looks at the predominant likely causes to deal with them
Corroborative be trained Pareto Analysis
• Use as substantiate for other evidence Smartphones first.
Evidence
• All actions performed on the data Connects individual cause-and-effect relationships to give
Cause mapping
Hearsay
• Something heard by the witness where another person told Governing Laws should be fully documented and insights into the system of causes within an issue.
Evidence
• Common law - USA, UK Australia, Canada accessible.
Asset Management • Civil law - Europe, South America Disaster Recovery Methods
• Islamic and other Religious laws – Middle East, Africa, Indonesia, USA • Anyone that possesses evidence is
A real-time mirror of your system and network activity
Preserve Availability • Authorization and Integrity • Redundancy and Fault Tolerance • responsible for all actions taken with it
• Legislative: Statutory law - Make the laws Hot Site running in sync. Allows for minimum disruption and
Backup and Recovery Systems • Identity and Access Management while in their possession.
The 3 Branches of Law • Executive: Administrative law - Enforce the laws downtime.
• Hierarchical Storage Management (HSM): continuous online • Juridical: Interpret the laws • Any agency that possesses evidence An alternative workspace with power and HVAC setup, but
backup system Using optical storage. Cold Site
Storage • Criminal law –violate government laws result in is is responsible for compliance with no hardware. All recovery efforts will be technician heavy.
• Media History: Media usage log
Management commonly imprisonment these principles. A middle-ground solution which includes skeletal hardware,
• Media Labeling and Storage: safe store of media after labeling Warm Site
Issues • Civil law – Wrong act against individual or organization software and connectivity to restore critical functionality.
sequentially
which results in a damage or loss. Result in financial
• Environment: Temperature and heat Eg. Magnetic media Categories of law
penalties. Media Analysis Service Bureau Contract with a service bureau to provide backup services.
• Data Purging: degaussing Archived data not usable for • Administrative/Regulatory law – how the industries, Multiple centers /
Sanitizing and Process between multiple data centers
forensics organizations and officers should act. Punishments can Part of computer forensic analysis sites
Disposing of
• Data Clearing: Cannot recover using keyboard be imprisonment or financial penalties used for identification and extraction
Data Rolling / mobile sites Mobile homes or HVAC trucks.
• Remanence: Data left in media deleted of information from storage media.
Uniform Computer
• Redundant hardware Common framework for the conduct of computer-related Eg. Magnetic media, Optical media, • Hot site RTO: 5 minutes or hours
Information
Network and • Fault-tolerant technologies business transactions. A federal law Eg. Use of software Memory (e.g., RAM) Recovery Time • Warm site RTO: 1-2 days
Transactions Act
Resource • Service Level Agreements (SLA’s) licensing Objectives (RTOs) • Mobile site RTO: 3-5 days
(UCITA)
Management • MTBF and MTTR
• Unauthorized intrusion Admissible Evidence • Cold site RTO: 1 to 2 weeks
• Single Point of Failure (SPOF) Computer Crime Laws
Incident 3 types of harm
• Unauthorized alteration or destruction
Relevant to the incident. The evidence RAID, SAN, & NAS
1. Detect • 2. Respond • 3. Report • 4. Recover • 5. Remediate • 6. • Malicious code
Response - must be obtained legally. RAID Redundant Array of Independent / Inexpensive Disks
Review • Relevant, sufficient, reliable, does not have to be
steps Admissible evidence Writing the same data across multiple hard disks, slower as
tangible Disk Mirroring
• Changes should be formally requested
Hearsay • Second hand data not admissible in court Digital Forensics data is written twice, doubles up on storage requirements
• Analyze requests against goals to ensure validity Writes data across multiple disks simultaneously, provides
Change • Cost and effort estimation before approval • Is the legal action of luring an intruder, like in a Five rules of evidence: Disk Striping
Enticement higher write speed.
Management • Identify the change steps after approval honeypot Be authentic • Be accurate • Be complete
• Be convincing • Admissible • Writes files in stripes across multiple disks without using
• Incremental testing during implementation • Is the illegal act of inducing a crime, the individual had
Entrapment parity information
• Complete documentation no intent of committing the crime at first RAID 0
• Clipping levels: Define a baseline for normal user errors, Investigation - To • 2 or more disks required
• Fast reading and writing but no redundancy
Threats and • Modification from Standards Eg. DDOS Data Loss Prevention (DLP) Determine Suspects • Creates identical copies of drives - has redundancy
Preventative • Unusual patterns or events Scans data for keywords and data patterns. Protects before an incident occurs.
Types: • Space is effectively utilized, since half will be given to
Measures • Unscheduled reboots: Eg. Hardware or operating system issue RAID 1
Network-bas Data in motion. Scans all outbound data looking for anomalies. Place Operational • Criminal • Civil • eDiscovery another disk
• Input/output Controls
ed DLP in edge of the network to scan all outgoing data. • Expensive
Endpoint-bas Data in use. Scans all internal end-user workstations, servers and Security Incident and RAID 3 Byte level data striping across multiple
Intrusion Detection & Prevention Systems (IDS & ed DLP devices. RAID 4 Block level data striping across multiple
Event Management
IPS) Digital Data States RAID 5
Data and parity Information is striped together across all
(SIEM) drives
Automated inspection of logs and real-time system events Data at Rest Data that is stored on a device or a backup medium. Stripes data across available drives and mirrors to a seperate
IDS (Intrusion Log review automating RAID 0+1
to detect intrusion attempts and system failures. IDSs are an Data in Data that is currently travelling across a network or on a device's Real‐time analysis of events occurring set of disks
Detection System)
effective method of detecting many DoS and DDoS attacks. Motion RAM ready to be read, updated, or processed. on systems Each drive in a set is mirrored to an equivalent drive in
RAID 1+0 (RAID 10)
Data in Use Data that is being inputted, processed, used or altered. another set
IPS (Intrusion
A IDS with additional caabilities to stop intrusions. Transaction Redundancy Storage Area Typically use Fibre Channel and iSCSI. High speed blick level
Prevention System)
Backup Types Implementations
Network (SAN) storage.
Full All files backed up, archive bit and modify bit will be deleted Network-Attached Typically an NFS server, file-level computer data storage
Firewalls Incremental Backup files changed after last full backup, archive bit deleted.
Electronic Vaulting • Remote Journaling Storage (NAS) server connected to a computer network.
• Database shadowing
Only modified files are backed up, do not delete archive bit.
HIDS
Monitor and analyze the internals of a computing system, Disaster Recovery Terminology & Concepts
(Host-based IDS)
including its network connection points. Eg. Mainframe Differential Need last full backup and last incremental backup for a full System Hardening
computer restore. MTTF Mean Time To Failure
" • Uninstall unnecessary applications
Redundant servers Eg. RAID, adding disks for increased fault tolerance. MTTR Mean Time To Repair
Hardware based device or software applications used to • Disable unnecessary services
NIDS Server clustering Set of servers that process traffic simultaneously. MTBF Mean Time Between Failures, MTTF + MTTR
monitor and analyse network activity, specifically scanning • Deny unwanted ports
(Network-based IDS)
for malicious activities and policy violations. • External storage device restriction Transaction Redundancy Electronic Vaulting • Remote Journaling • Database
• Monitoring and Reporting Implementations shadowing
Disaster Recovery Test • Vulnerability Management System
Hierarchical Recovery Types of System Failure • IDP/IPS: Attack signature engine
Desk Check Review contents of the plan
should be updated regularly Business Continuity Planning
Types Table-top exercise
Disaster recovery team members gather and roleplay a
• System reboot disaster scenario Concerns the preservation and recovery of business in the
• Emergency restart More intense than a roleplay, all support and tech staff meet
System Recovery Business Continuity
event of
1. Manual Simulation test Plan (BCP)
• System cold start and practice against disaster simulations 1. Rebooting system in single user outages to normal business operations.
2. Automatic Recovery
mode, recovery console
Personnel are taken to an alternative site and commence Business Impact The process of assessing the impact of an IT disruption.
2. Recovering all file systems active
Parallel tests operations of critical systems, while original site continues Analysis (BIA) BIA is part of BCP
Data Destruction and Reuse operating
before crash
3. Restore missing / damaged files A framework of steps and actions that need to be taken
Object reuse Use after initial use Full-implementation Personnel are taken to an alternative site and commence
4. Recover security and access to achieve business continuity and disaster recovery
Remaining data after erasure Format magnetic media 7 tests operations of all systems, main site is shut down
Data remanence controls Disaster Recovery Plan goals.
times (orange book (DRP) End Goal – Revert back to normal operations - planning
Clearing Overwriting media to be reused BCP Plan Development and development must be done before the disaster - BIA
Purging Degaussing or overwriting to be removed • Computing: strategy to protect - hardware, software, communication links, applications, data should be complete
Destruction Complete destruction, preferably by burning Define the continuity • Facilities: use of primary or alternate/remote site buildings 1. Scope and plan initiation
strategy • People: operational and management 2. BIA - assess impact of disruptive processes
• Supplies and equipment
Disaster Recovery Planning Business Continuity
3. Business Continuity Plan development - Use BIA to
Roles and • BCP committee: senior staff, business units, information systems, security administrator, officials from all develop BCP -
Disaster Steps
Teams responsible for DR implementation - Salvage team - Work responsibilities departments Testing
recovery
on normal /primary site to make suitable for normal operations • CCTV 4. Plan approval and implementation - management
process
• Fences-Small mesh and high gauge approval
• Interfacing with other groups • Alarms
• Fraud and Crime: Eg. vandalism, looting
• Financial disbursement
• Intrusion detection: electromechanical, photoelectric, passive infrared, acoustical detection Trusted Recovery
• Motion: wave pattern motion detectors, proximity detector
• Documenting the Plan - Required documentation Physical security • Locks: warded lock, combination lock, cipher lock, device lock, preset / ordinary door lock, programmable Breach Confirmation Confirm security breach not happen during system failure.
Other recovery • Activation and recovery procedures locks, raking lock
issues • Plan management • Audit trails: date and time stamps, successful/unsuccessful attempts, who attempted, who Failure Preparation Backup critical information to enable recovery
• HR involvement granted/modified access controls After a failure of operating system or application, the
• Costs • Security access cards: Photo ID card, swipe cards, smartcards System Recovery system should work enough to have the system in a
• Internal /external communications • Wireless proximity cards: user activated or system sensing field powered device secure state
• Detailed plans by team members