CISSP Module 07 – Security Operations




prevent cyberattack

Congratulations! We came to the Module 07! We are done with more than a half, and are coming to an end with CISSP online training! In Module 06, you’ve learned about vulnerability and pen testing, NIDS vs HIDS, analysis engines, honeypots, and then your exam the Security Assessments & Testing Skill Certification. I hope you’re enjoying the CISSP course Syllabus and that you understand everything we’re talking about and the CISSP course material we’re representing. So, let’s go back to work!

In Module 07 we’re going to talk about 7 security operation objectives, which include incident response, forensics (evidence collection, admissibility issues and types of evidence) and fault tolerance and discovery strategies.

Incident response

So, let’s start with the first one-the incident response. For computer’s security and informational technology, it is important to have the computer security incident management. It monitors and detects the security events on the computer or the network, and executes the proper responses to such events.

There are different types of incident:

-DoS/DDoS (attacking the vulnerability of the system);

-Malicious Code (it may be a virus, a worm, logic bomb…);

-Unauthorized access (when a subject gains access to the restricted object);

-Inappropriate usage (violation of the acceptable use of a system).

The incident needs to respond, and it does it through six phases, which are:

-preparation (educating users and IT staff of the importance of updated security measures and training them to respond to the computer or the network security incidents properly);

-identification (the team now needs to decide if the event is a security incident, or they may contact the CERT Coordination Center to help them identify the viruses, bugs etc);

-containment (determining how far the problem spread, and if it is too far, they need to disconnect the other not damaged devices);

-eradication (now the team investigates to discover the origin of the incident, and all the traces of malicious code should be removed);

-recovery (restoring the data and the software from the clean backup files, of course with ensuring that no vulnerabilities will remain);

-lessons learned (analyzing the incident and learning how to prevent it next time it appears).

Okay, hope this was clear, now we’re going to take a look at the problem management. It is an incident with an unknown cause.

There are also the steps for solving such problems, which are incident notification, root cause analysis, solution determination, request for change, implement solution and monitoring and report.

Intro to Forensics

Now, we’re going to talk about the forensics. Let us give you an introduction. Computer forensics is the discipline of using proven methods toward the collection, preservation, validation, identification, analysis, interpretation, documentation and presentation of digital evidence.

There are two entities that provide forensics and those are IOCE and SWGDE. They provide guidance and principles, and those are:

-all of the forensics principles must be applied to digital evidence;

-that evidence should not be altered as a result of collection;

-the person who has the access to a digital device must be trained for that purpose;

-all of the activities relating to the seizure, access, storage, or transfer, must be documented and reviewed.

Also, there are five rules of digital evidence:

1.digital evidence must be authentic;

2.be accurate;

3.be complete;

4.be convincing;

5.be admissible.

Forensic Investigation Process

This process goes through seven steps:

-identification;

-preservation;

-collection;

-examination;

-analysis;

-presentation;

-decision.

 

Identification. The principle of exchange (as we talked about it). What the attacker leaves behind is something that will help us in the future.

Preservation. Great documentation is half of a work. History about the evidence needs to be collected, analyzed, transported and preserved.

Collection.It minimizes handling or corrupting the evidence. Keeps detailed logs of your action. Always comply with the five rules of digital evidence. It also captures an accurate system of the image and ensures actions are repeatable.

Examination and analysis. Examination looks for a signature of known attacks and reviews audit logs, also as the hidden data recovery. The analysis compares the primary image to the working image, figuring out the root of the cause.

The presentation is interpreting the results of the investigation while the decision phase says about the result of that investigation.

Types of Evidence

There are three types of evidence. The direct evidence, which can prove a fact by itself without needing the backup information. The real evidence or physical evidence, and the best evidence, which is the most reliable one, and it’s a signed contract.

Among these three that are of most importance, there are other types of evidence. The secondary evidence. It is not strong enough for itself but can be supported with other evidence. Corroborative evidence is a support evidence. It backs up other information that is presented. Circumstances. Proving one fact which can be used reasonably to suggest the other. Demonstrative. It’s a photo of a crime scene or x-ray, for an example.

Okay, now, let’s take a look at the suspect’s actions and intent. There is the enticement (tempting a potential criminal, it’s legal and ethical, a Honeypot (for an example-we talked about the Honeypots in the previous module). Also, there is the entrapment. It’s tricking a person into committing a crime, illegal and unethical, pointing the user to a site and saying they trespassed.

Spared and RAID

Spares are the redundant hardware, available in the event that primary device becomes unusable. It’s often associated with hard drives RAID comes in three types. RAID-0 provides performance improvement for reading and write functions. RAID-1 provides redundancy but is often considered to be the least efficient use of space. RAID-5 has fault tolerance and speed.

Clustering and Web Farms

We’re going to talk here about the redundant servers. The primary server mirrors data to a secondary server. If the primary fails, it rolls over to secondary. Clustering is a group of servers that are managed as a single system. It has higher availability, greater scalability, is easier to manage instead of individual systems. It may provide redundancy or load balancing. Cluster always looks like a single server to the user (server farm).

Backups

Backing up the software and having a backup hardware is a huge part of network availability. It is always important to be able to restore data. What if the hard drive fails, or a disaster takes place, or some type of software corruption?

Then we have full backup (where the archive bit is reset), incremental backup (which backs up all files that have been modified since the last backup, and also the archive bit is reset), differential backup (the same as incremental, with a full backup, but the archive is not reset here), and the copy backup (same as full backup, but also archive is not reset).

Additional Data Redundancy

It considers database shadowing, remote journaling, and electronic vaulting. Database shadowing is disk shadowing, updating one or more copies of data at the same time. Then, the data is saved to two media types for redundancy. Electronic vaulting is when the copy of modified file is sent to a remote location where the original backup is stored. Remote journaling – moving the journal or transaction log to a remote location, not the actual files.

Now it’s the time for your next exam. It is called the Security Operation Skill Certification Test. The skill level is the beginner, it has 33 questions and the time limit is 49 minutes.

Hope you’ve learned a lot from this module, talk to you in Module 08!