Chapter 7. Security Operations

This chapter covers the following topics:

Investigations: Concepts discussed include forensic and digital investigations and evidence.

Investigation Types: Concepts discussed include operations, criminal, civil, regulatory, and eDiscovery investigations.

Logging and Monitoring Activities: Concepts discussed include audit and review, intrusion detection and prevention, security information and event management, continuous monitoring, and egress monitoring.

Resource Provisioning: Concepts discussed include asset inventory, configuration management, physical assets, virtual assets, cloud assets, and applications.

Security Operations Concepts: Concepts discussed include security operations topics, including need to know/least privilege; managing accounts, groups, and roles; separation of duties; job rotation; sensitive information procedures; record retention; monitoring special privileges; information life cycle; and service-level agreements.

Resource Protection: Concepts discussed include protecting tangible and intangible assets and asset management.

Incident Management: Concepts discussed include event versus incident, incident response team and incident investigations, rules of engagement, authorization, scope, incident response procedures, incident response management, and the steps in the incident response process.

Preventive Measures: Concepts discussed include clipping levels, deviations from standards, unusual or unexplained events, unscheduled reboots, unauthorized disclosure, trusted recovery, trust paths, input/output controls, system hardening, vulnerability management systems, IDS/IPS, anti-malware/antivirus, firewalls, whitelisting/blacklisting, third-party security services, sandboxing, and honeypots/honeynets.

Patch Management: Concepts discussed include the enterprise patch management process.

Change Management Process: Concepts discussed include the change management process.

Recovery Strategies: Concepts discussed include redundant systems, facilities, and power; fault-tolerance technologies; insurance; data backup; fire detection and suppression; high availability; quality of service; system resilience; and creating recovery strategies.

Disaster Recovery: Concepts discussed include response, personnel, communications, assessment, restoration, and training and awareness.

Testing Recovery Plans: Concepts discussed include read-through test, checklist test, table-top exercise, structured walk-through test, simulation test, parallel test, full-interruption test, functional drill, and evacuation drill.

Business Continuity Planning and Exercises: Concepts discussed include business continuity planning and exercises.

Physical Security: Concepts discussed include perimeter security and building and internal security.

Personnel Privacy and Safety: Concepts discussed include duress, travel, and monitoring.

Security Operations includes foundational security operations concepts, investigations, incident management, and disaster recovery. It also covers physical and personnel security. Security practitioners should receive the appropriate training in these areas or employ experts in these areas to ensure that the organizations assets are properly protected.

Security operations involves ensuring that all operations within an organization are carried out in a secure manner. It is concerned with investigating, managing, and preventing events or incidents. It also covers logging activities as they occur, provisioning and protecting resources as needed, managing event and incidents, recovering from events and disasters, and providing physical security. Security operations involves day-to-day operation of an organization.

After a decision has been made to investigate a computer crime, you should follow standardized procedures, including the following:

Identify what type of system is to be seized.

Identify the search and seizure team members.

Determine the risk that the suspect will destroy evidence.

After law enforcement has been informed of a computer crime, the organization’s investigator’s constraints are increased. Turning the investigation over to law enforcement to ensure that evidence is preserved properly might be necessary.

When investigating a computer crime, evidentiary rules must be addressed. Computer evidence should prove a fact that is material to the case and must be reliable. The chain of custody must be maintained. Computer evidence is less likely to be admitted in court as evidence if the process for producing it must be documented.

Any forensic investigation involves the following steps:

1. Identification

2. Preservation

3. Collection

4. Examination

5. Analysis

6. Presentation

7. Decision

The forensic investigation process is shown in Figure 7-1.

The following sections cover these forensic investigation steps in detail as well as explain IOCE/SWGDE and NIST, the crime scene, MOM, the chain of custody, and interviewing.

Identifying the crime scene is also part of this step. In digital investigations, the attacked system is considered the crime scene. In some cases, the system from which the attack originated can also be considered part of the crime scene. However, fully capturing the attacker’s systems is not always possible. For this reason, you should ensure that you capture any data that can point to a specific system, such as capturing IP addresses, user names, and other identifiers.

Before collecting any evidence, consider the order of volatility. This order ensures that investigators collect evidence from the components that are most volatile first.

The order of volatility is as follows:

1. Memory contents

2. Swap files

3. Network processes

4. System processes

5. File system information

6. Raw disk blocks

To make system images, you need to use a tool that creates a bit-level copy of the system. In most cases, you must isolate the system and remove it from production to create this bit-level copy. You should ensure that two copies of the image are retained. One copy of the image will be stored to ensure that an undamaged, accurate copy is available as evidence. The other copy will be used during the examination and analysis steps. Message digests should be used to ensure data integrity.

Although the system image is usually the most important piece of evidence, it is not the only piece of evidence you need. You might also need to capture data that is stored in cache, process tables, memory, and the registry. When documenting a computer attack, you should use a bound notebook to keep notes.

Remember that using experts in digital investigations to ensure that evidence is properly preserved and collected might be necessary. Investigators usually assemble a field kit to help in the investigation process. This kit might include tags and labels, disassembly tools, and tamper-evident packaging. Commercial field kits are available, or you could assemble your own based on organizational needs.

The main principles as documented by IOCE are as follows:

The general rules of evidence should be applied to all digital evidence.

Upon seizing digital evidence, actions taken should not change that evidence.

When a person needs to access original digital evidence, that person should be suitably trained for the purpose.

All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.

An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession.

Any agency that seizes, accesses, stores, or transfers digital evidence is responsible for compliance with IOCE principles.

NIST SP 800-86, “Guide to Investigating Forensic Techniques into Incident Response,” provides guidelines on the data collection, examination, analysis, and reporting related to digital forensics. It explains the use of forensic investigators, IT staff, and incident handlers as part of any forensic investigation. It discusses how cost, response time, and data sensitivity should affect any forensic investigation.

To establish an organizational forensic capability, NIST SP 800-86 provides the following guidelines:

Organizations should have a capability to perform computer and network forensics.

Organizations should determine which parties should handle each aspect of forensics.

Incident handling teams should have robust forensic capabilities.

Many teams within an organization should participate in forensics.

Forensic considerations should be clearly addressed in policies.

Organizations should create and maintain guidelines and procedures for performing forensic tasks.

NIST SP 800-86 provides guidelines for using data from data files, operating systems, network traffic, and applications. Organizations can use this standard to help ensure that personnel follow the appropriate guidelines in performing forensic investigations.

When responding to a possible crime, it is important to ensure that the crime scene environment is protected using the following steps:

1. Identify the crime scene.

2. Protect the entire crime scene.

3. Identify any pieces of evidence or potential sources of evidence that are part of the crime scene.

4. Collect all evidence at the crime scene.

5. Minimize contamination by properly securing and preserving all evidence.

Remember that there can be more than one crime scene, especially in digital crimes. If an attacker breaches an organization’s network, all assets that were compromised are part of the crime scene, and any assets that the attacker used are also part of the crime scene.

Access to the crime scene should be tightly controlled and limited only to individuals who are vital to the investigation. As part of the documentation process, make sure to note anyone who has access to the crime scene. After a crime scene is contaminated, no way exists to restore it to the original condition.

Understanding MOM can help any investigator narrow down the list of suspects.

The primary purpose of the chain of custody is to ensure that evidence is admissible in court. Law enforcement officers emphasize chain of custody in any investigations that they conduct. Involving law enforcement early in the process during an investigation can help to ensure that the proper chain of custody is followed.

If an employee is suspected of a computer crime, a representative of the human resources department should be involved in any interrogation of the suspect. The employee should only be interviewed by an individual who is senior to that employee.

All evidence must be tagged. When creating evidence tags, be sure to document the mode and means of transportation, a complete description of evidence including quality, who received the evidence, and who had access to the evidence.

Any investigator must ensure that evidence adheres to the five rules of evidence (see the following section). In addition, the investigator must understand each type of evidence that can be obtained and how each type can be used in court. Investigators must follow surveillance, search, and seizure guidelines. Finally, investigators must understand the differences among media, software, network, and hardware/embedded device analysis.

Be authentic.

Be accurate.

Be complete.

Be convincing.

Be admissible.

Because digital evidence is more volatile than other evidence, it still must meet these five rules.

The types of evidence that you should understand are as follows:

Best evidence

Secondary evidence

Direct evidence

Conclusive evidence

Circumstantial evidence

Corroborative evidence

Opinion evidence

Hearsay evidence

Best Evidence

The best evidence rule states that when evidence, such as a document or recording, is presented, only the original will be accepted unless a legitimate reason exists for why the original cannot be used. In most cases, digital evidence is not considered best evidence because investigators must capture copies of the original data and state.

However, courts can apply the best evidence rule to digital evidence in a case-by-case basis, depending on the evidence and the situation. In this situation, the copy must be proved by an expert witness who can testify as to the contents and confirm that it is an accurate copy of the original.

Secondary Evidence

Secondary evidence has been reproduced from an original or substituted for an original item. Copies of original documents and oral testimony are considered secondary evidence.

Direct Evidence

Direct evidence proves or disproves a fact through oral testimony based on information gathered through the witness’s senses. A witness can testify on what he saw, smelled, heard, tasted, or felt. This is considered direct evidence. Only the witness can give direct evidence. No one else can report on what the witness told them because that is considered hearsay evidence.

Conclusive Evidence

Conclusive evidence does not require any other corroboration and cannot be contradicted by any other evidence.

Circumstantial Evidence

Circumstantial evidence provides inference of information from other intermediate relevant facts. This evidence makes a jury come to a conclusion by using a fact to imply that another fact is true or untrue. An example is implying that a former employee committed an act against an organization due to his dislike of the organization after his dismissal.

Corroborative Evidence

Corroborative evidence supports another piece of evidence. For example, if a suspect produces a receipt to prove he was at a particular restaurant at a certain time and then a waitress testifies that she waited on the suspect, then the waitress provides corroborating evidence through her testimony.

Opinion Evidence

Opinion evidence is based on what the witness thinks, feels, or infers regarding the facts. However, if an expert witness is used, that expert is able to testify on a fact based on his knowledge in a certain area. For example, a psychiatrist can testify as to conclusions on a suspect’s state of mind. Expert testimony is not considered opinion evidence because of the expert’s knowledge and experience.

Hearsay Evidence

Hearsay evidence is evidence that is secondhand where the witness does not have direct knowledge of the fact asserted but knows it only from being told by someone. In some cases, computer-based evidence is considered hearsay, especially if an expert cannot testify as to the accuracy and integrity of the evidence.

Two types of surveillance are used by investigators: physical surveillance and computer surveillance. Physical surveillance occurs when a person’s actions are reported or captured using cameras, direct observance, or closed-circuit TV (CCTV). Computer surveillance occurs when a person’s actions are reported or captured using digital information, such as audit logs.

A search warrant is required in most cases to actively search a private site for evidence. For a search warrant to be issued, probable cause that a crime has been committed must be proven to a judge. The judge must also be given corroboration regarding the existence of evidence. The only time a search warrant does not need to be issued is during exigent circumstances, which are emergency circumstances that are necessary to prevent physical harm, the evidence destruction, the suspect’s escape, or some other consequence improperly frustrating legitimate law enforcement efforts. Exigent circumstances will have to be proven when the evidence is presented in court.

Seizure of evidence can only occur if the evidence is specifically listed as part of the search warrant unless the evidence is in plain view. Evidence specifically listed in the search warrant can be seized, and the search can only occur in areas specifically listed in the warrant.

Search and seizure rules do not apply to private organizations and individuals. Most organizations warn their employees that any files stored on organizational resources are considered property of the organization. This is usually part of any no-expectation-of-privacy policy.

A discussion of evidence would be incomplete without discussing jurisdiction. Because computer crimes can involve assets that cross jurisdictional boundaries, investigators must understand that the civil and criminal laws of countries can differ greatly. It is always best to consult local law enforcement personnel for any criminal or civil investigation and follow any advice they give for investigations that cross jurisdictions.

The following types of media analysis can be used:

Disk imaging: Creates an exact image of the contents of the hard drive.

Slack space analysis: Analyzes the slack (marked as empty or reusable) space on the drive to see whether any old (marked for deletion) data can be retrieved.

Content analysis: Analyzes the contents of the drive and gives a report detailing the types of data by percentage.

Steganography analysis: Analyzes the files on a drive to see whether the files have been altered or to discover the encryption used on the file.

Software analysis techniques include the following:

Content analysis: Analyzes the content of software, particularly malware, to determine for which purpose the software was created.

Reverse engineering: Retrieves the source code of a program to study how the program performs certain operations.

Author identification: Attempts to determine the software’s author.

Context analysis: Analyzes the environment the software was found in to discover clues to determining risk.

Network analysis techniques include the following:

Communications analysis: Analyzes communication over a network by capturing all or part of the communication and searching for particular types of activity.

Log analysis: Analyzes network traffic logs.

Path tracing: Tracing the path of a particular traffic packet or traffic type to discover the route used by the attacker.

This type of analysis is used when mobile devices are analyzed. For performing this type of analysis, NIST makes the following recommendations:

Any analysis should not change the data contained on the device or media.

Only competent investigators should access the original data and must explain all actions they took.

Audit trails or other records must be created and preserved during all steps of the investigation.

The lead investigator is responsible for ensuring that all these procedures are followed.

All activities regarding digital evidence, including its seizure, access to it, its storage, or its transfer, must be documented, preserved, and available for review.

As an example of this type of investigation, say that a user is assigned inappropriate permissions based on her job role. If this was the result of criminal action, a criminal investigation should occur. However, this could have occurred simply through mistakes made by personnel. Because a security professional would not know the cause of the inappropriate permissions, he would need to start the investigation following proper forensic guidelines. However, once he determined that the incident was the result of an accident, it would no longer be necessary to follow those guidelines. Any individual who carries out this type of investigation must ensure that the appropriate changes are made to prevent such an incident from occurring again, including putting in place security controls. In the case of the inappropriate permissions example, the security professional might find that the user account template that was used to create the user account was assigned to an inappropriate group and must therefore ensure that the user account template is revised.

Are users accessing information or performing tasks that are unnecessary for their jobs?

Are repetitive mistakes (such as deletions) being made?

Do too many users have special rights and privileges?

The level and amount of auditing should reflect the security policy of the company. Audits can be either self-audits or be performed by a third party. Self-audits always introduce the danger of subjectivity to the process. Logs can be generated on a wide variety of devices including intrusion detection systems (IDSs), servers, routers, and switches. In fact, a host-based IDS makes use of the operating system logs of the host machine.

When assessing controls over audit trails or logs, address the following questions:

Does the audit trail provide a trace of user actions?

Is access to online logs strictly controlled?

Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?

Keep and store logs in accordance with the retention policy defined in the organization’s security policy. They must be secured to prevent modification, deletion, and destruction. When auditing is functioning in a monitoring role, it supports the detection security function in the technical category. When formal review of the audit logs takes place, it is a form of detective administrative control. Reviewing audit data should be a function separate from the day-to-day administration of the system.

Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage.

Another scenario might be the release of product plans that should be available only to the Sales group. A security professional could set a policy like the following for that document:

It cannot be emailed to anyone other than Sales group members.

It cannot be printed.

It cannot be copied.

There are two locations where a DLP can be implemented:

Network DLP: Installed at network egress points near the perimeter, network DLP analyzes network traffic.

Endpoint DLP: Endpoint DLP runs on end-user workstations or servers in the organization.

You can use both precise and imprecise methods to determine what is sensitive:

Precise methods: These methods involve content registration and trigger almost zero false-positive incidents.

Imprecise methods: These methods can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

The value of a DLP system lies in the level of precision with which it can locate and prevent the leakage of sensitive data.

Security devices, such as firewalls, network address translation (NAT) devices, and IDSs and IPSs, should receive the most attention because they relate to physical and logical security. Beyond this, devices that can easily be stolen, such as laptops, tablets, and smartphones, should be locked away. If that is not practical, then consider locking these types of devices to stationary objects (for example, using cable locks with laptops).

When the technology is available, tracking of small devices can help mitigate the loss of both devices and their data. Many smartphones now include tracking software that allows you to locate a device after it has been stolen or lost by using either cell tower tracking or GPS. Deploy this technology when available.

Another useful feature available on many smartphones and other portable devices is a remote wiping feature. This allows the user to send a signal to a stolen device, instructing it to wipe out the data contained on the device. Similarly, these devices typically also come with the ability to be remotely locked when misplaced.

Strict control of the use of portable media devices can help prevent sensitive information from leaving the network. This includes CDs, DVDs, flash drives, and external hard drives. Although written rules should be in effect about the use of these devices, using security policies to prevent the copying of data to these media types is also possible. Allowing the copying of data to these drive types as long as the data is encrypted is also possible. If these functions are provided by the network operating system, you should deploy them.

It should not be possible for unauthorized persons to access and tamper with any devices. Tampering includes defacing, damaging, or changing the configuration of a device. Integrity verification programs should be used by applications to look for evidence of data tampering, errors, and omissions.

Encrypting sensitive data stored on devices can help prevent the exposure of data in the event of a theft or in the event of inappropriate access of the device.

The functions of configuration management are:

Report the status of change processing.

Document the functional and physical characteristics of each configuration item.

Perform information capture and version control.

Control changes to the configuration items, and issue versions of configuration items from the software library.

Examples of these types of changes are:

Operating system configuration

Software configuration

Hardware configuration

From a CISSP perspective, the biggest contribution of configuration management controls is ensuring that changes to the system do not unintentionally diminish security. Because of this, all changes must be documented, and all network diagrams, both logical and physical, must be updated constantly and consistently to accurately reflect the state of each configuration now and not as it was two years ago. Verifying that all configuration management policies are being followed should be an ongoing process.

In many cases it is beneficial to form a configuration control board. The tasks of the configuration control board can include:

Ensuring that changes made are approved, tested, documented, and implemented correctly.

Meeting periodically to discuss configuration status accounting reports.

Maintaining responsibility for ensuring that changes made do not jeopardize the soundness of the verification system.

In summary, the components of configuration management are:

Configuration control

Configuration status accounting

Configuration audit

Virtual storage occurs when physical storage from multiple network storage devices is compiled into a single virtual storage space. Block virtualization separates the logical storage from the physical storage. File virtualization eliminates the dependency between data accessed at the file level and the physical storage location of the files. Host-based virtual storage requires software running on the host. Storage device–based virtual storage runs on a storage controller and allows other storage controllers to be attached. Network-based virtual storage uses network-based devices, such as iSCSI or Fibre Channel, to create a storage solution.

Discretionary access control (DAC) and role-based access control (RBAC) are examples of systems based on a user’s need to know. To ensure least privilege requires that the user’s job be identified and each user be granted the lowest clearance required for their tasks. Another example is the implementation of views in a database. Need-to-know requires that the operator have the minimum knowledge of the system necessary to perform his task.

Security professionals should understand the following accounts:

Root or built-in administrator account: These are the most powerful accounts on the system. It is best to disable such an account after you have created another account with the same privileges because most of these account names are well known and can be used by attackers. If you decide to keep these accounts, most vendors suggest that you change the account name and give it a complex password. Root or administrator accounts should be used only when performing administrative duties, and use of these accounts should always be audited.

Service account: These accounts are used to run system services and applications. Therefore, security professionals can limit the service account’s access to the system. Always research the default user accounts that are used. Make sure that you change the passwords for these accounts on a regular basis. Use of these accounts should always be audited.

Regular administrator accounts: These administrator accounts are created and assigned only to a single individual. Any user who has an administrative account should also have a regular account to use for normal day-to-day operations. Administrative accounts should only be used when performing administrative-level duties, and use of these accounts should always be audited.

Power user accounts: These accounts have more privileges and permissions than normal user accounts. These accounts should be reviewed on a regular basis to ensure that only users who need the higher-level permissions have these accounts. Most modern operating systems limit the abilities of the power users or even remove this account type entirely.

Regular user accounts: These are the accounts users use while performing their normal everyday job duties. These accounts must strictly follow the principle of least privilege.

Trained backup in case of emergencies

Protection against fraud

Cross training of employees

Rotation of duties, separation of duties, and mandatory vacations are all administrative controls.

Regardless of whether the aim is to protect company data or personal data, the key is to apply the access control principles to both sets of data. When examining accessing access control procedures and policies, the following questions need to be answered:

Is data available to the user that is not required for his job?

Do too many users have access to sensitive data?

Most auditing systems allow for the configuration of data retention options. In some cases the default operation is to start writing over the older records in the log when the maximum log size is full. Regular clearing and saving of the log can prevent this from happening and avoid the loss of important events. In cases of extremely sensitive data, having a server shut off access when a security log is full and cannot record any more events is even advisable.

Although in a perfect world we would like to assume that we can expect this from all users, in the real world we know this is not always true. Therefore, one of the things to monitor is the use of these privileges. Although we should be concerned with the amount of monitoring performed and the amount of data produced by this monitoring, recording the exercise of special privileges should not be sacrificed, even if it means regularly saving the data as a log file and clearing the event gathering system.

The SLA should contain a description of the services to be provided and the expected service levels and metrics that the customer can expect. It also includes the duties and responsibilities of each party of the SLA. It lists the service specifics, exclusions, service levels, escalation procedures, and cost. It should include a clause regarding payment to the customers resulting from a breach of the SLA. While SLAs can be transferable, they are not transferable by law. Metrics that should be measured include service availability, service levels, defect rates, technical quality, and security. SLAs should be periodically reviewed to ensure that the business needs, technical environment, or workloads have not changed. In addition, metrics, measurement tools, and processes should be reviewed to see if they have improved.

Do doors close automatically, and does an alarm sound if they are held open too long?

Are the protection mechanisms of sensitive areas, such as server rooms and wiring closets, sufficient and operational?

Does the fire suppression system work?

Are sensitive documents shredded as opposed to being thrown in the dumpster?

Beyond the access issues, the main systems that are needed to ensure operations are not disrupted include fire detection/suppression, HVAC (including temperature and humidity controls), water and sewage systems, power/backup power, communications equipment, and intrusion detection.

From a management standpoint, these devices are typically managed remotely. Special care must be taken to safeguard access to these management features as well as protect the data and commands passing across the network to these devices. Some specific guidelines include:

Change all default administrator passwords on the devices.

Limit the number of users that have remote access to these devices.

Rather than Telnet (which sends commands in clear text) use an encrypted command-line tool such as Secure Shell (SSH).

Manage critical systems locally.

Limit physical access to these devices.

Moreover, closely monitoring the use of commercial applications and systems in the enterprise can prevent unintentional breach of licensing agreements. One of the benefits of only giving users the applications they require to do their job is that it limits the number of users that have an application, helping to prevent exhaustion of licenses for software.

In some cases redundancy is applied at the physical layer, such as network redundancy provided by a dual backbone in a local network environment or by using multiple network cards in a critical server. In other cases redundancy is applied logically such as when a router knows multiple paths to a destination in case one fails.

Fault tolerance countermeasures are designed to combat threats to design reliability. Although fault tolerance can include redundancy, it also refers to systems such as Redundant Array of Independent Disks (RAID) in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from the remaining disks in the array without resorting to a backup tape. Be familiar with a number of RAID types because not all provide fault tolerance. Regardless of the technique employed for fault tolerance to operate, a system must be capable of detecting and correcting the fault.

Another area to focus on is the control of the use of privileged accounts or accounts that have rights and permissions that exceed those of a regular user account. Although this obviously applies to built-in administrator, root, or supervisor accounts (which in some operating systems are called root accounts) that have vast permissions, it also applies to any account that confers special privileges to the user.

Moreover, maintain the same tight control over the numerous built-in groups that exist in Windows to grant special rights to the group members. When using these groups, make note of any privileges held by the default groups that are not required for your purposes. You might want to remove some of the privileges from the default groups to support the concept of least privilege.

RAID

Redundant Array of Independent Disks (RAID) refers to a system whereby multiple hard drives are used to provide either a performance boost or fault tolerance for the data. When we speak of fault tolerance in RAID, we mean maintaining access to the data even in a drive failure without restoring the data from a backup media. The following are the types of RAID with which you should be familiar.

RAID 0, also called disk striping, writes the data across multiple drives. Although it improves performance, it does not provide fault tolerance. Figure 7-2 depicts RAID 0.

RAID 1, also called disk mirroring, uses two disks and writes a copy of the data to both disks, providing fault tolerance in the case of a single drive failure. Figure 7-3 depicts RAID 1.

RAID 3, requiring at least three drives, also requires that the data is written across all drives like striping and then parity information is written to a single dedicated drive. The parity information is used to regenerate the data in the case of a single drive failure. The downfall is that the parity drive is a single point of failure if it goes bad. Figure 7-4 depicts RAID 3.

RAID 5, requiring at least three drives, also requires that the data is written across all drives like striping and then parity information is written across all drives as well. The parity information is used in the same way as in RAID 3, but it is not stored on a single drive so there is no single point of failure for the parity data. With hardware RAID level 5, the spare drives that replace the failed drives are usually hot swappable, meaning they can be replaced on the server while it is running. Figure 7-5 depicts RAID 5.

RAID 7, though not a standard but a proprietary implementation, incorporates the same principles as RAID 5 but enables the drive array to continue to operate if any disk or any path to any disk fails. The multiple disks in the array operate as a single virtual disk.

RAID 10, which requires at least four drives, is a combination of RAID 0 and RAID 1. First, a RAID 1 volume is created by mirroring two drives together. Then a RAID 0 stripe set is created on each mirrored pair. Figure 7-6 depicts RAID 10.

Although RAID can be implemented with software or with hardware, certain types of RAID are faster when implemented with hardware. When software RAID is used, it is a function of the operating system. Both RAID 3 and 5 are examples of RAID types that are faster when implemented with hardware. Simple striping or mirroring (RAID 0 and 1), however, tend to perform well in software because they do not use the hardware-level parity drives. Table 7-1 summarizes the RAID types.

SAN

Storage-area networks (SAN) are comprised of high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using storage-specific switches. This storage information architecture addresses the collection of data, management of data, and use of data.

NAS

Network-attached storage (NAS) serves the same function as SAN, but clients access the storage in a different way. In a NAS, almost any machine that can connect to the LAN (or is interconnected to the LAN through a WAN) can use protocols such as NFS, CIFS, or HTTP to connect to a NAS and share files. In a SAN, only devices that can use the Fibre Channel SCSI network can access the data, so it is typically done though a server that has this capability. Figure 7-7 shows a comparison of the two systems.

HSM

A hierarchical storage management (HSM) system is a type of backup management system that provides a continuous online backup by using optical or tape “jukeboxes.” It operates by automatically moving data between high-cost and low-cost storage media as the data ages. When continuous availability (24 hours-a-day processing) is required, HSM provides a good alternative to tape backups. It also strives to use the proper media for the scenario. For example, a rewritable and erasable (CDR/W) optical disc is sometimes used for backups that require short time storage for changeable data but require faster file access than tape.

Track all instances of access to the media.

Track the number and location of backups.

Track age of media to prevent loss of data through media degeneration.

Inventory the media regularly.

Accurately and promptly mark all data storage media.

Ensure proper environmental storage of the media.

Ensure the safe and clean handling of the media.

Log data media to provide a physical inventory control.

The environment where the media will be stored is also important. For example, damage starts occurring to magnetic media above 100 degrees. The Forest Green Book is a Rainbow Series book that defines the secure handling of sensitive or classified automated information system memory and secondary storage media, such as degaussers, magnetic tapes, hard disks, and cards. The Rainbow Series is discussed in more detail in Chapter 3.

Data purging: Using a method such as degaussing to make the old data unavailable even with forensics. Purging renders information unrecoverable against laboratory attacks (forensics).

Data clearing: Renders information unrecoverable by a keyboard. This attack extracts information from data storage media by executing software utilities, keystrokes, or other system resources executed from a keyboard.

Remanence: Any data left after the media has been erased.

Redundant hardware: Failures of physical components, such as hard drives and network cards, can interrupt access to resources. Providing redundant instances of these components can help to ensure a faster return to access. In some cases, changing out a component might require manual intervention, but in many cases these items are hot swappable (they can be changed with the device up and running), in which case a momentary reduction in performance might occur rather than a complete disruption of access.

Fault-tolerant technologies: Taking the idea of redundancy to the next level are technologies that are based on multiple computing systems working together to provide uninterrupted access even in the event of a failure of one of the systems. Clustering of servers and grid computing are both great examples of this approach.

MTBF and MTTR: Although SLAs are appropriate for services that are provided, a slightly different approach to introducing predictability can be used with regard to physical components that are purchased. Vendors typically publish values for a product’s mean time between failure (MTBF), which describes how often a component fails on average. Another valuable metric typically provided is the mean time to repair (MTTR), which describes the average amount of time it will take to get the device fixed and back online.

Single point of failure (SPOF): Though not actually a strategy, it is worth mentioning that the ultimate goal of any of these approaches is to avoid an SPOF of failure in a system. All components and groups of components and devices should be examined to discover any single element that could interrupt access to resources if a failure occurs. Each SPOF should then be mitigated in some way.

As part of incident response, security professionals must understand the difference between events and incidents (see the following section). The incident response team must have the appropriate incident response procedures in place to ensure that the incident is handled, but the procedures must not hinder any forensic investigations that might be needed to ensure that parties are held responsible for any illegal actions. Security professionals must understand the rules of engagement and the authorization and scope of any incident investigation.

Events can only be detected if an organization has established the proper auditing and security mechanisms to monitor activity. A single negative event might occur. For example, the auditing log might show that an invalid login attempt occurred. By itself, this login attempt is not a security concern. However, if many invalid login attempts occur over a period of a few hours, the organization might be undergoing an attack. The initial invalid login is considered an event, but the series of invalid login attempts over a few hours would be an incident, especially if it is discovered that the invalid login attempts all originated from the same IP address.

When an incident has occurred, the primary goal of the team is to contain the attack and repair any damage caused by the incident. Security isolation of an incident scene should start immediately when the incident is discovered. Evidence must be preserved, and the appropriate authorities should be notified.

The incident response team should have access to the incident response plan. This plan should include the list of authorities to contact, team roles and responsibilities, an internal contact list, securing and preserving evidence procedures, and a list of investigations experts who can be contacted for help. A step-by-step manual should be created that the incident response team must follow to ensure that no steps are skipped. After the incident response process has been engaged, all incident response actions should be documented.

If the incident response team determines that a crime has been committed, senior management and the proper authorities should be contacted immediately.

The rules of engagement act as a guideline for the incident response team to ensure that they do not cross the line from enticement into entrapment. Enticement occurs when the opportunity for illegal actions is provided (luring) but the attacker makes his own decision to perform the action, and entrapment means to encourage someone to commit a crime that the individual might have had no intention of committing. Enticement is legal but does raise ethical arguments and might not be admissible in court. Conversely, entrapment is illegal.

For the CISSP exam, you need to remember the following steps:

1. Detect the incident.

2. Respond to the incident.

3. Report the incident to the appropriate personnel.

4. Recover from the incident.

5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.

6. Review the incident, and document all findings.

The actual investigation of the incident occurs during the respond, report, and recover steps. Following appropriate forensic and digital investigation processes during the investigation can ensure that evidence is preserved.

The incident response process is shown in Figure 7-8.

All detective controls, such as auditing, discussed in Chapter 1, “Security and Risk Management,” are designed to provide this capability. The worst sort of incident is the one that goes unnoticed.

Response involves containing the incident and quarantining the affected assets to reduce the potential impact by preventing other assets from being affected. Different methods can be used, depending on the category of the attack, the asset affected, and the data criticality or infection risk.

After an attack is contained or isolated, analysts should work to examine and analyze the cause of the incident. This includes determining where the incident originated. Security professionals should use experience and formal training to make the appropriate conclusions regarding the incident. After the root cause has been determined, security professionals should follow incident handling policies that the organization has in place.

Clipping levels are used to:

Reduce the amount of data to be evaluated in audit logs

Provide a baseline of user errors above which violations will be recorded

Operations security must ensure that trusted paths are validated. This occurs using log collection, log analysis, vulnerability scans, patch management, and system integrity checks.

Also, secure output of the system (printouts, reports, and so on). All sensitive output information should require a receipt before release and have proper access controls applied regardless of its format.

Remove unnecessary applications.

Disable unnecessary services.

Block unrequired ports.

Tightly control the connecting of external storage devices and media if it’s allowed at all.

Moreover, the log files of systems that are set to log certain events rather than take specific actions when they occur need to have those logs archived and analyzed on a regular basis. Spending large sums of money on software that gathers information and then disregarding that information makes no sense.

IDS and IPS are discussed in more detail earlier in this chapter and in Chapter 4.

Intrusion response is just as important as intrusion detection and prevention. Intrusion response is about responding appropriately to any intrusion attempt. Most systems use alarms and signals to communicate with the appropriate personnel or systems when an intrusion has been attempted. An organization must respond to alerts and signals in a timely manner.

Whitelisting, blacklisting, and graylisting are commonly used with spam filtering tools.

Some malware attempts to delay or stall code execution, allowing the sandbox to time out. A sandbox can use hooks and environmental checks to detect malware. These methods do not prevent many types of malware. For this reason, third-party security services are important.

To ensure that all devices have the latest patches installed, deploy a formal system to ensure that all systems receive the latest updates after thorough testing in a non-production environment. It is impossible for the vendor to anticipate every possible impact a change might have on business critical systems in the network. The enterprise is responsible for ensuring that patches do not adversely impact operations.

The patch management life cycle includes the following steps:

1. Patch prioritization and scheduling: Determine the priority of the patches and schedule the patches for deployment.

2. Patch testing: Test the patches prior to deployment to ensure that they work properly and do not cause system or security issues.

3. Patch installation: Install the patches in the live environment.

4. Patch assessment and audit: After patches are deployed, ensure that the patches work properly.

Many organizations deploy a centralized patch management system to ensure that patches are deployed in a timely manner. With this system, administrators can test and review all patches before deploying them to the systems they affect. Administrators can schedule the updates to occur during non-peak hours.

All changes should be formally requested. Change logs should be maintained.

Each request should be analyzed to ensure that it supports all goals and polices. This includes baselining and security impact analysis.

Prior to formal approval, all costs and effects of the methods of implementation should be reviewed. Using the collected data, changes should be approved or denied.

After they’re approved, the change steps should be developed.

During implementation, incremental testing should occur, and it should rely on a predetermined fallback strategy if necessary. Versioning should be used to effectively track and control changes to a collection of entities.

Complete documentation should be produced and submitted with a formal report to management.

One of the key benefits of following this method is the ability to make use of the documentation in future planning. Lessons learned can be applied and even the process itself can be improved through analysis.

The following sections discuss the primary preventive controls that organizations can implement as part of business continuity and disaster recovery, including redundant systems, facilities, and power; fault-tolerant technologies; insurance; data backup; and fire detection and suppression.

Redundant facilities ensure that the organization maintains a facility at whatever level it chooses to ensure that the organizational services can continue when a disruptive event occurs. Redundant facilities are discussed in more depth elsewhere in this chapter.

Power redundancy is implemented using uninterruptible power supplies (UPSs) and power generators.

Redundancy on individual components can also be provided. The spare components are either cold spares, warm spares, or hot spares. A cold spare is not powered up but can be inserted into the system if needed. A warm spare is in the system but does not have power unless needed. A hot spare is in the system and powered on, ready to become operational at a moment’s notice.

By implementing fault-tolerant technologies, an organization can ensure that normal operation occurs if a single fault-tolerant component fails.

Keep in mind that recovery efforts from a disruptive event can often incur large financial costs. Even some of the best estimates might still fall short when the actual recovery must take place. By purchasing insurance, the organization can ensure that key financial transactions, including payroll, accounts payable, and any recovery costs, are covered.

Insurance actual cost valuation (ACV) compensates property based on the value of the item on the date of loss plus 10 percent. However, keep in mind that insurance on any printed materials only covers inscribed, printed, or written documents, manuscripts, or records. It does not cover money and securities. A special type of insurance called business interruption insurance provides monetary protection for expenses and lost earnings.

Organizations should annually review insurance policies and update them as necessary.

Data recovery, including backup types and schemes and electronic backup, is covered in more detail later in this chapter.

High-availability terms and techniques that you must understand include the following:

Redundant Array of Independent Disks (RAID): A hard-drive technology in which data is written across multiple disks in such a way that a disk can fail and the data can be quickly made available from remaking disks in the array without restoring from a backup tape or other backup media.

Storage-area network (SAN): High-capacity storage devices that are connected by a high-speed private network using storage-specific switches.

Failover: The capacity of a system to switch over to a backup system if a failure in the primary system occurs.

Failsoft: The capability of a system to terminate non-critical processes when a failure occurs.

Clustering: Refers to a software product that provides load-balancing services. With clustering, one instance of an application server acts as a master controller and distributes requests to multiple instances using round-robin, weighted round-robin, or least-connections algorithms.

Load balancing: Refers to a hardware product that provides load-balancing services. Application delivery controllers (ADCs) support the same algorithms but also use complex number-crunching processes, such as per-server CPU and memory utilization, fastest response times, and so on, to adjust the balance of the load. Load-balancing solutions are also referred to as farms or pools.

Disaster recovery tasks include recovery procedures, personnel safety procedures, and restoration procedures. The overall business recovery plan should require a committee to be formed to decide the best course of action. This recovery plan committee receives its direction from the BCP committee and senior management.

All decisions regarding recovery should be made in advance and incorporated into the DRP. Any plans and procedures that are developed should refer to functions or processes, not specific individuals. As part of the disaster recovery planning, the recovery plan committee should contact critical vendors ahead of time to ensure that any equipment or supplies can be replaced in a timely manner.

When a disaster or disruptive event has occurred, the organization’s spokesperson should report the bad news in an emergency press conference before the press learns of the news through another channel. The DRP should detail any guidelines for handling the press. The emergency press conference site should be planned ahead of time.

When resuming normal operations after a disruptive event, the organization should conduct a thorough investigation if the cause of the event is unknown. Personnel should account for all damage-related costs that occur as a result of the event. In addition, appropriate steps should be taken to prevent further damage to property.

The commonality between all recovery plans is that they all become obsolete. For this reason, they require testing and updating.

This section includes a discussion of categorizing asset recovery priorities, business process recovery, facility recovery, supply and technology recovery, user environment recovery, data recovery, and training personnel.

In developing the recovery strategy, the recovery plan committee takes the RTO, WRT, and RPO value and determines the recovery strategies that should be used to ensure that the organization meets these BIA goals.

Critical devices, systems, and applications need to be restored earlier than devices, systems, or applications that do not fall into this category. Keep in mind when classifying systems that most critical systems cannot be restored using manual methods. The recovery plan committee must understand the backup/restore solutions that are available and implement the system that will provide recovery within the BIA values and cost constraints. The window of time for recovery of data-processing capabilities is based on the criticality of the operations affected.

For example, if the organization determines that an accounting system is a critical application and the accounting system relies on a database server farm, the DRP needs to include the database server as a critical asset. Although restoring the entire database server farm to restore the critical accounting system might not be necessary, at least one of the servers in the farm is necessary for proper operation.

Workflow documents should be provided to the recovery plan committee for each business process. As part of recovering the business processes, the recovery plan committee must also understand the process’s required roles and resources, input and output tools, and interfaces with other business processes.

The DRP should include not only how to bring the alternate location to full operation, but also how the organization will return from the alternate location to the primary facility after it is restored. Also, for security purposes, the DRP should include details on the security controls that were used at the primary facility and guidelines on how to implement these same controls at the alternate location.

The most important factor in locating an alternate location during the development of the DRP is to ensure that the alternate location is not affected by the same disaster. This might mean that the organization must select an alternate location that is in another city or geographic region. The main factors that affect the selection of an alternate location include the following:

Geographic location

Organizational needs

Location’s cost

Location’s restoration effort

Testing an alternate location is a vital part of any DRP. Some locations are easier to test than others. The DRP should include instructions on when and how to periodically test alternate facilities to ensure that the contingency facility is compatible with the primary facility.

The alternate locations that security professionals should understand for the CISSP exam include the following:

Hot site

Cold site

Warm site

Tertiary site

Reciprocal agreements

Redundant sites

Hot Site

A hot site is a leased facility that contains all the resources needed for full operation. This environment includes computers, raised flooring, full utilities, electrical and communications wiring, networking equipment, and UPSs. The only resource that must be restored at a hot site is the organization’s data, often only partially. It should only take a few hours to bring a hot site to full operation.

Although a hot site provides the quickest recovery, it is the most expensive to maintain. In addition, it can be administratively hard to manage if the organization requires proprietary hardware or software. A hot site requires the same security controls as the primary facility and full redundancy, including hardware, software, and communication wiring.

Cold Site

A cold site is a leased facility that contains only electrical and communications wiring, air conditioning, plumbing, and raised flooring. No communications equipment, networking hardware, or computers are installed at a cold site until it is necessary to bring the site to full operation. For this reason, a cold site takes much longer to restore than a hot or warm site.

Although a cold site provides a slowest recovery, it is the least expensive to maintain. It is also the most difficult to test.

Warm Site

A warm site is a leased facility that contains electrical and communications wiring, full utilities, and networking equipment. In most cases, the only devices that are not included in a warm site are the computers. A warm site takes longer to restore than a hot site but less than a cold site.

A warm site is somewhere between the restoration time and cost of a hot site and cold site. It is the most widely implemented alternate leased location. Although testing a warm site is easier than testing a cold site, a warm site requires much more effort for testing than a hot site.

Figure 7-9 is a chart that compares the components deployed in these three sites.

Tertiary Site

A tertiary site is a secondary backup site that provides an alternate in case the hot site, warm site, or cold site is unavailable. Many large companies implement tertiary sites to protect against catastrophes that affect large geographic areas.

For example, if an organization requires a data center that is located on the coast, the organization might have its primary location in New Orleans, Louisiana, and its hot site in Mobile, Alabama. This organization might consider locating a tertiary site in Miami, Florida, because a hurricane can affect both the Louisiana and Alabama Gulf coast.

Reciprocal Agreements

A reciprocal agreement is an agreement between two organizations that have similar technological needs and infrastructures. In the agreement, both organizations agree to act as an alternate location for the other if either of the organization’s primary facilities are rendered unusable. Unfortunately in most cases, these agreements cannot be legally enforced.

A disadvantage of this site is that it might not be capable of handling the required workload and operations of the other organization.

Redundant Sites

A redundant or mirrored site is a site that is identically configured as the primary site. A redundant or mirrored site is not a leased site but is usually owned by the same organization as the primary site. The organization is responsible for maintaining the redundant site. Multiple processing sites can also be configured to serve as operationally redundant sites.

Although redundant sites are expensive to maintain, many organizations today see them as a necessary expense to ensure that uninterrupted service can be provided.

The DRP must include recovery information on the following assets that must be restored:

Hardware backup

Software backup

Human resources

Heating, ventilation, and air conditioning (HVAC)

Supplies

Documentation

Hardware Backup

Hardware that must be included as part of the DRP includes client computers, server computers, routers, switches, firewalls, and any other hardware that is running on the organization’s network. The DRP must include not only guidelines and procedures for restoring all the data on each of these devices, but also information regarding restoring these systems manually if the systems are damaged or completely destroyed. Legacy devices that are no longer unavailable in the retail market should also be identified.

As part of preparing the DRP, the recovery plan team must determine the amount of time that it will take the hardware vendors to provide replacements for any damaged or destroyed hardware. Without this information documented, any recovery plans might be ineffective due to lack of resources. Organizations might need to explore other options, including purchasing redundant systems and storing them at an alternate location, if vendors are unable to provide replacement hardware in a timely manner. When replacement of legacy devices is possible, organizations should take measures to replace them before the disaster occurs.

Software Backup

Even if an organization has every device needed to restore its infrastructure, those devices are useless if the applications and software that run on the devices is not available. The applications and software include any operating systems, databases, and utilities that need to be running on the device.

Many organizations might think that this requirement is fulfilled if they have a backup on either tape, DVD, flash drive, hard drive, or other media of all their software. But all software that is backed up usually requires at least an operating system to be running on the device on which it is restored. These data backups often also require that the backup management software is running on the backup device, whether that is a server or dedicated device.

All software installation media, service packs, and other necessary updates should be stored at an alternate location. In addition, all license information should be documented as part of the DRP. Finally, frequent backups of applications should be taken, whether this is through the application’s internal backup system or through some other organizational backup. A backup is only useful if it can be restored so the DRP should fully document all the steps involved.

In many cases, applications are purchased from a software vendor, and only the software vendor understands the coding that occurs in the applications. Because there are no guarantees in today’s market, some organizations might decide that they need to ensure that they are protected against a software vendor’s demise. A software escrow is an agreement whereby a third party is given the source code of the software to ensure that the customer has access to the source code if certain conditions for the software vendor occur, including bankruptcy and disaster.

Human Resources

No organization is capable of operating without personnel. An occupant emergency plan specifically addresses procedures for minimizing loss of life or injury when a threat occurs. The human resources team is responsible for contacting all personnel in the event of a disaster. Contact information for all personnel should be stored onsite and offsite. Multiple members of the HR team should have access to the personnel contact information. Remember that personnel safety is always the primary concern. All other resources should be protected only after the personnel is safe.

After the initial event is over, the HR team should monitor personnel morale and guard against employee stress and burnout during the recovery period. If proper cross-training has occurred, multiple personnel can be rotated in during the recovery process. Any DRP should take into consideration the need to provide adequate periods of rest for any personnel involved in the disaster recovery process. It should also include guidelines on how to replace any personnel who is a victim of the disaster.

The organization must ensure that salaries and other funding to personnel continue during and after the disaster. Because funding can be critical both for personnel and for resource purchases, authorized, signed checks should be securely stored offsite. Lower-level management with the appropriate access controls should have the ability to disperse funds using these checks in the event that senior management is unavailable.

An executive succession plan should also be created to ensure that the organization follows the appropriate steps to protect itself and continue operation.

Supplies

Often disasters affect the ability to supply an organization with its needed resources, including paper, cabling, and even water. The organization should document any resources that are vital to its daily operations and the vendors from which these resources can be obtained. Because supply vendors can also be affected by the disaster, alternative suppliers should be identified.

Documentation

For disaster recovery to be a success, the personnel involved must be able to complete the appropriate recovery procedures. Although the documentation of all these procedures might be tedious, it is necessary to ensure that recovery occurs. In addition, each department within the organization should be asked to decide what departmental documentation is needed to carry out day-to-day operations. This documentation should be stored in a central location onsite, and a copy should be retained offsite as well. Specific personnel should be tasked with ensuring that this documentation is created, stored, and updated as appropriate.

The actual user environment recovery should occur in stages, with the most critical functions being restored first. User requirements should be documented to ensure that all aspects of the user environment are restored. For example, users in a critical department might all need their own client computer. These same users might also need to access an application that is located on a server. If the server is not restored, the users will be unable to perform their job duties even if their client computers are available.

Finally, manual steps that can be used for any function should be documented. Because we are so dependent on technology today, we often overlook the manual methods of performing our job tasks. Documenting these manual methods might ensure that operations can still occur, even if they occur at a decreased rate.

This section discusses the data backup types and schemes that are used as well as electronic backup methods that organizations can implement.

Data Backup Types and Schemes

To design an appropriate data recovery solution, security professionals must understand the different types of data backups that can occur and how these backups are used together to restore the live environments.

For the CISSP exam, security professionals must understand the following data backup types and schemes:

Full backup

Differential backup

Incremental backup

Copy backup

Daily backup

Transaction log backup

First in, first out rotation scheme

Grandfather/father/son rotation scheme

The three main data backups are full backups, differential backups, and incremental backups. To understand these three data backup types, you must understand the concept of archive bits. When a file is created or updated, the archive bit for the file is enabled. If the archive bit is cleared, the file will not be archived during the next backup. If the archive bit is enabled, the file will be archived during the next backup.

With a full backup, all data is backed up. During the full backup process, the archive bit for each file is cleared. A full backup takes the longest time and the most space to complete. However, if an organization only uses full backups, then only the latest full backup needs to be restored. Any backup that uses a differential or incremental backup will first start with a full backup as its baseline. A full backup is the most appropriate for offsite archiving.

In a differential backup, all files that have been changed since the last full backup will be backed up. During the differential backup process, the archive bit for each file is not cleared. A differential backup might vary from taking a short time and a small amount of space to growing in both the backup time and amount of space it needs over time. Each differential backup will back up all the files in the previous differential backup if a full backup has not occurred since that time. In an organization that uses a full/differential scheme, the full backup and only the most recent differential backup must be restored, meaning only two backups are needed.

An incremental backup backs up all files that have been changed since the last full or incremental backup. During the incremental backup process, the archive bit for each file is cleared. An incremental backup usually takes the least amount of time and space to complete. In an organization that uses a full/incremental scheme, the full backup and each subsequent incremental backup must be restored. The incremental backups must be restored in order. If your organization completes a full backup on Sunday and an incremental backup daily Monday through Saturday, up to seven backups could be needed to restore the data. Figure 7-10 compares the different types of backups.

Copy and daily backups are two special backup types that are not considered part of any regularly scheduled backup scheme because they do not require any other backup type for restoration. Copy backups are similar to normal backups but do not reset the file’s archive bit. Daily backups use a file’s time stamp to determine whether it needs archiving. Daily backups are popular in mission-critical environments where multiple daily backups are required because files are updated constantly.

Transaction log backups are only used in environments where capturing all transactions that have occurred since the last backup is important. Transaction log backups help organizations to recover to a particular point in time and are most commonly used in database environments.

Although magnetic tape drives are still used to back up data, many organizations today back up their data to optical discs, including CD-ROMs, DVDs, and Blu-ray discs; high-capacity, high-speed magnetic drives; flash-based media; or other media. No matter the media used, retaining backups both onsite and offsite is important. Store onsite backup copies in a waterproof, heat-resistant, fire-resistant safe or vault.

As part of any backup plan, an organization should also consider the backup rotation scheme that it will use. Cost considerations and storage considerations often dictate that backup media is reused after a period of time. If this reuse is not planned in advance, media can become unreliable due to overuse. Two of the most popular backup rotation schemes are first in, first out and grandfather/father/son.

In the first in, first out (FIFO) scheme, the newest backup is saved to the oldest media. Although this is the simplest rotation scheme, it does not protect against data errors. If an error in data exists, the organization might not have a version of the data that does not contain the error.

In the grandfather/father/son scheme (GFS), three sets of backups are defined. Most often these three definitions are daily, weekly, and monthly. The daily backups are the sons, the weekly backups are the fathers, and the monthly backups are the grandfathers. Each week, one son advances to the father set. Each month, one father advances to the grandfather set.

Figure 7-11 displays a typical 5-day GFS rotation using 21 tapes. The daily tapes are usually differential or incremental backups. The weekly and monthly tapes must be a full backup.

Electronic Backup

Electronic backup solutions back up data quicker and more accurately than the normal data backups and are best implemented when information changes often.

For the CISSP exam, you should be familiar with the following electronic backup terms and solutions:

Electronic vaulting: Copies files as modifications occur. This method occurs in real time.

Remote journaling: Copies the journal or transaction log offsite on a regular schedule. This method occurs in batches.

Tape vaulting: Creates backups over a direct communication line on a backup system at an offsite facility.

Hierarchical storage management (HSM): Stores frequently accessed data on faster media and less frequently accessed data on slower media.

Optical jukebox: Stores data on optical disks and uses robotics to load and unload the optical disks as needed. This method is ideal when 24/7 availability is required.

Replication: Copies data from one storage location to another. Synchronous replication uses constant data updates to ensure that the locations are close to the same, whereas asynchronous replication delays updates to a predefined schedule.

Many companies use cloud backup or replication solutions. Any organization considering a cloud solution should research the full security implications of this type of deployment.

Training should be obtained from both internal and external sources. When job duties change or new personnel are hired, policies should be in place to ensure the appropriate transfer of knowledge occurs.

During any disaster recovery, financial management is important. Financial management usually includes the chief financial officer and any other key accounting personnel. This group must track the recovery costs and assess the cash flow projections. They formally notify any insurers of claims that will be made. Finally, this group is responsible for establishing payroll continuance guidelines, procurement procedures, and emergency costs tracking procedures.

Organizations must decide which teams are needed during a disaster recovery and ensure that the appropriate personnel are placed on each of these teams. The disaster recovery manager directs the short-term recovery actions immediately following a disaster.

Organizations might need to implement the following teams to provide the appropriate support for the DRP:

Damage assessment team

Legal team

Media relations team

Recovery team

Relocation team

Restoration team

Salvage team

Security team

A credible, informed spokesperson should deliver the organization’s response. When dealing with the media after a disaster, the spokesperson should report bad news before the media discovers it through another channel. Anyone making disaster announcements to the public should understand that the audience for such announcements includes the media, unions, stakeholders, neighbors, employees, contractors, and even competitors.

During recovery, security professionals should work closely with the different teams to ensure that all assets remain secure. All teams involved in the process should also communicate often with each other to update each other on the progress.

Most organizations include business continuity and disaster recovery awareness training as part of the initial training given to personnel when they are hired. Organizations should also periodically update personnel to ensure that they do not forget about disaster recovery.

Testing the BCP and DRP prepares and trains personnel to perform their duties. It also ensures that the alternate backup site can perform as needed. When testing occurs, the test is probably flawed if no issues with the plan are found.

The types of tests that are commonly used to assess the BCP and DRP include the following:

Read-through test

Checklist test

Table-top exercise

Structured walk-through test

Simulation test

Parallel test

Full-interruption test

Functional drill

Evacuation drill

Version control of the plans should be managed to ensure that the organization always uses the most recent version. In addition, the BCP should be stored in multiple locations to ensure that it is available if a location is destroyed by the disaster. Multiple personnel should have the latest version of the plans to ensure that the plans can be retrieved if primary personnel are unavailable when the plan is needed.

In this section, we’ll look at implementing this concept in detail.

Barriers (Bollards)

Barriers called bollards have become quite common around the perimeter of new office and government buildings. These are short vertical posts placed at the building’s entrance way and lining sidewalks that help to provide protection from vehicles that might either intentionally or unintentionally crash into or enter the building or injure pedestrians. They can be made of many types of materials. The ones shown in Figure 7-13 are stainless steel.

Fences

Fencing is the first line of defense in the concentric circle paradigm. When selecting the type of fencing to install, consider the determination of the individual you are trying to discourage. Use the following guidelines with respect to height:

Fences 3 to 4 feet tall deter only casual intruders.

Fences 6 to 7 feet tall are too tall to climb easily.

Fences 8 feet and taller deter more determined intruders, especially when augmented with razor wire.

A geo-fence is a geographic area within which devices are managed using some sort of radio frequency communication. For example, a geo-fence could be set up in a radius around a store or point location or within a predefined set of boundaries, such as around a school zone. It is used to track users or devices entering or leaving the geo-fence area. Alerts could be configured to message the device’s user and the geo-fence operator of the device’s location.

Gates

Gates can be weak points in a fence if not handled correctly. Gates are rated by the Underwriters Laboratory in the following way. Each step up in class requires additional levels of protection:

Class 1: Residential use

Class 2: Commercial usage

Class 3: Industrial usage

Class 4: Restricted area

Walls

In some cases walls might be called for around a facility. When that is the case, and when perimeter security is critical, intrusion detection systems can be deployed to alert you of any breaching of the walls. These types of systems are covered in more detail in the next section.

Infrared Sensors

Passive infrared systems (PIR) operate by identifying changes in heat waves in an area. Because the presence of an intruder would raise the temperature of the surrounding air particles, this system alerts or sounds an alarm when this occurs.

Electromechanical Systems

Electromechanical systems operate by detecting a break in an electrical circuit. For example, the circuit might cross a window or door and when the window or door is opened the circuit is broken, setting off an alarm of some sort. Another example might be a pressure pad placed under the carpet to detect the presence of individuals.

Photoelectric Systems

Photometric, or photoelectric, systems operate by detecting changes in the light and thus are used in windowless areas. They send a beam of light across the area and if the beam is interrupted (by a person, for example) the alarm is triggered.

Acoustical Detection Systems

Acoustical systems use strategically placed microphones to detect any sound made during a forced entry. These systems only work well in areas where there is not a lot of surrounding noise. They are typically very sensitive, which would cause many false alarms in a loud area, such as a door next to a busy street.

Wave Motion Detector

These devices generate a wave pattern in the area and detect any motion that disturbs the wave pattern. When the pattern is disturbed, an alarm sounds.

Capacitance Detector

These devices emit a magnetic field and monitor that field. If the field is disrupted, which will occur when a person enters the area, the alarm will sound.

CCTV

Closed-circuit television system (CCTV) uses sets of cameras that can either be monitored in real time or can record days of activity that can be viewed as needed at a later time. In very high security facilities, these are usually monitored. One of the main benefits of using CCTV is that it increases the guard’s visual capabilities. Guards can monitor larger areas at once from a central location. CCTV is a category of physical surveillance, not computer/network surveillance.

Camera types include outdoor cameras, infrared cameras, fixed position cameras, pan/tilt cameras, dome cameras, and Internet Protocol (IP) cameras. When implementing cameras, organizations need to select the appropriate lens, resolution, frames per second (FPS), and compression. In addition, analysis of the lighting requirements of the different cameras must be understood; a CCTV system should work in the amount of light that the location provides. In addition, an organization must understand the different type of monitor displays, including single-image display, split-screen, and large-format displays.

Types of Systems

The security professional must be familiar with several types of lighting systems:

Continuous lighting: An array of lights that provide an even amount of illumination across an area

Standby lighting: A type of system that illuminates only at certain times or on a schedule

Movable lighting: Lighting that can be repositioned as needed

Emergency lighting: Lighting systems with their own power source to use when power is out

Types of Lighting

A number of options are available when choosing the illumination source or type of light. The following are the most common choices:

Fluorescent: A very low-pressure mercury-vapor gas-discharge lamp that uses fluorescence to produce visible light.

Mercury vapor: A gas-discharge lamp that uses an electric arc through vaporized mercury to produce light.

Sodium vapor: A gas-discharge lamp that uses sodium in an excited state to produce light.

Quartz lamps: A lamp consisting of an ultraviolet light source, such as mercury vapor, contained in a fused-silica bulb that transmits ultraviolet light with little absorption.

Regardless of the light source, it will be rated by its feet of illumination. When positioning the lights, you must take this rating into consideration. For example, if a controlled light fixture mounted on a 5-meter pole can illuminate an area 30 meters in diameter, for security lighting purposes, the distance between the fixtures should be 30 feet. Moreover, there should be extensive exterior perimeter lighting of entrances or parking areas to discourage prowlers or casual intruders.

The patrol force can be internally hired, trained, and controlled or can be outsourced to a contract security company. An organization can control the training and performance of an internal patrol force. However, some organizations outsource the patrol force to ensure impartiality.

Date and time

Specific entry point

User ID employed during the attempt

An Occupant Emergency Plan (OEP) provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. In a disaster of any type, personnel safety is the first concern.

The organization is responsible for protecting the privacy of each individual’s information, especially as it relates to personnel and medical records. Although this expectation of privacy does not necessarily and usually does not extend to their activities on the network, both federal and state laws hold organizations responsible for the release of this type of information with violations resulting in heavy fines and potential lawsuits that result if the company is found liable.

Organizations should develop policies for dealing with employee duress, travel, and monitoring.

For any monitoring to be effective, organizations should capture baseline behavior for users.

acoustical systems

asset

best evidence rule

blacklisting

bollards

chain of custody

circumstantial evidence

civil investigation

Class 1 gate

Class 2 gate

Class 3 gate

closed circuit television (CCTV) system

cold site

conclusive evidence

content analysis

copy backup

corroborative evidence

crime scene

criminal investigation

daily backup

data clearing

data loss prevention (DLP) software

data purging

differential backup

direct evidence

disk imaging

dual control

duress

egress monitoring

electronic discovery (eDiscovery)

electronic vaulting

emergency lighting

event

failover

failsoft

fault tolerance

feet of illumination

fluorescent

full backup

full-interruption test

hearsay evidence

hierarchical storage management (HSM) system

high availability

honeynet

honeypot

hot site

incident

incremental backup

intangible assets

job rotation

least privilege

means

mercury vapor

motive

movable lighting

need to know

network-attached storage (NAS)

operations investigation

operations security

opinion evidence

opportunity

passive infrared (PIR) system

photometric system

QoS

quality of service (QoS)

quartz lamp

parallel test

RAID 0

RAID 1

RAID 2

RAID 3

RAID 5

read-through test

reciprocal agreement

redundancy

redundant site

regulatory investigation

remanence

resource provisioning

root-cause analysis

sandboxing

search

secondary evidence

separation of duties

service-level agreement (SLA)

simulation test

slack space analysis

sodium vapor

standby lighting

steganography analysis

storage-area network (SAN)

structured walk-through test

surveillance

system resilience

tangible assets

tertiary site

transaction log backup

trusted path

trusted recovery

warm site

whitelisting

a. Respond to the incident.

b. Detect the incident.

c. Report the incident.

d. Recover from the incident.

2. What is the second step of the forensic investigations process?

a. identification

b. collection

c. preservation

d. examination

3. Which of the following is NOT one of the five rules of evidence?

a. Be accurate.

b. Be complete.

c. Be admissible.

d. Be volatile.

4. Which of the following refers to allowing users access only to the resources required to do their jobs?

a. job rotation

b. separation of duties

c. need to know/least privilege

d. mandatory vacation

5. Which of the following is an example of an intangible asset?

a. disc drive

b. recipe

c. people

d. server

6. Which of the following is not a step in incident response management?

a. detect

b. respond

c. monitor

d. report

7. Which of the following is NOT a backup type?

a. full

b. incremental

c. grandfather/father/son

d. transaction log

8. Which term is used for a leased facility that contains all the resources needed for full operation?

a. cold site

b. hot site

c. warm site

d. tertiary site

9. Which electronic backup type stores data on optical discs and uses robotics to load and unload the optical disks as needed?

a. optical jukebox

b. hierarchical storage management

c. tape vaulting

d. replication

10. What is failsoft?

a. the capacity of a system to switch over to a backup system if a failure in the primary system occurs

b. the capability of a system to terminate non-critical processes when a failure occurs

c. a software product that provides load-balancing services

d. high-capacity storage devices that are connected by a high-speed private network using storage-specific switches

11. What investigation type specifically refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process?

a. data loss prevention (DLP)

b. regulatory

c. eDiscovery

d. operations

12. An organization’s firewall is monitoring the outbound flow of information from one network to another. What specific type of monitoring is this?

a. egress monitoring

b. continuous monitoring

c. CMaaS

d. resource provisioning

13. Which of the following are considered virtual assets? (Choose all that apply.)

a. software-defined networks

b. virtual storage-area networks

c. guest OSs deployed on VMs

d. virtual routers

14. Which of the following describes the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption?

a. quality of service (QoS)

b. recovery time objective (RTO)

c. recovery point objective (RPO)

d. system resilience

15. Which of the following are the main factors that affect the selection of an alternate location during the development of a DRP? (Choose all that apply.)

a. geographic location

b. organizational needs

c. location’s cost

d. location’s restoration effort

1. Detect the incident.

2. Respond to the incident.

3. Report the incident to the appropriate personnel.

4. Recover from the incident.

5. Remediate all components affected by the incident to ensure that all traces of the incident have been removed.

6. Review the incident and document all findings.

2. c. The steps of the forensic investigation process are as follows:

1. Identification

2. Preservation

3. Collection

4. Examination

5. Analysis

6. Presentation

7. Decision

3. d. The five rules of evidence are as follows:

Be authentic.

Be accurate.

Be complete.

Be convincing.

Be admissible.

4. c. When allowing access to resources and assigning rights to perform operations, the concept of least privilege (also called need to know) should always be applied. In the context of resource access, this means the default level of access should be no access. Give users access only to resources required to do their jobs, and that access should require manual implementation after the requirement is verified by a supervisor.

5. b. In many cases, some of the most valuable assets for a company are intangible ones, such as secret recipes, formulas, and trade secrets.

6. c. The steps in incident response management are:

1. Detect

2. Respond

3. Report

4. Recover

5. Remediate

6. Review

7. c. Grandfather/father/son is not a backup type; it is a backup rotation scheme.

8. b. A hot site is a leased facility that contains all the resources needed for full operation.

9. a. An optical jukebox stores data on optical discs and uses robotics to load and unload the optical discs as needed.

10. b. Failsoft is the capability of a system to terminate non-critical processes when a failure occurs.

11. c. Electronic discovery (eDiscovery) refers to litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) and includes emails, documents, presentations, databases, voicemail, audio and video files, social media, and websites. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. A regulatory investigation occurs when a regulatory body investigates an organization for a regulatory infraction. Operations investigations involve any investigations that do not result in any criminal, civil, or regulatory issue. In most cases, this type of investigation is completed to determine the root cause so that steps can be taken to prevent this incident in the future.

12. a. Egress monitoring occurs when an organization monitors the outbound flow of information from one network to another. The most popular form of egress monitoring is carried out using firewalls that monitor and control outbound traffic. Continuous monitoring and Continuous Monitoring as a Service (CMaaS) are not specific enough to answer this question. Any logging and monitoring activities should be part of an organizational continuous monitoring program. The continuous monitoring program must be designed to meet the needs of the organization and implemented correctly to ensure that the organization’s critical infrastructure is guarded. Organizations may want to look into CMaaS solutions deployed by cloud service providers. Resource provisioning is the process in security operations that ensures that the organization only deploys the assets that it currently needs.

13. a, b, c, d. Virtual assets include software-defined networks, virtual storage-area networks (VSANs), guest operating systems deployed on virtual machines (VMs), and virtual routers. As with physical assets, the deployment and decommissioning of virtual assets should be tightly controlled as part of configuration management because virtual assets, like physical assets, can be compromised.

14. d. System resilience is the ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or other disruption. It involves the use of redundant components or facilities. Quality of service (QoS) is a technology that manages network resources to ensure a predefined level of service. It assigns traffic priorities to the different types of traffic on a network. A recovery time objective (RTO) stipulates the amount of time an organization needs to recover from a disaster, and a recovery point objective (RPO) stipulates the amount of data an organization can lose when a disaster occurs.

15. a, b, c, d. The main factors that affect the selection of an alternate location during the development of a disaster recovery plan (DRP) include the following:

Geographic location

Organizational needs

Location’s cost

Location’s restoration effort