MindMap Gallery CISSP-7-Security Operations
CISSP-Information System Security Professional Certification security operations mind map, including: basic concepts, basic concepts of security operations, change management, configuration management, patch and vulnerability management, and incident management.
Edited at 2021-11-10 12:08:07
Security operations
Basic concepts
Operational security
Addresses the protection and control of information assets in centralized and distributed environments
Operational security is a quality of other services and is itself a set of services
Security operations
The day-to-day tasks required to keep security services running efficiently and reliably
Business Continuity Plan and Disaster Recovery Plan
TOPICS
Investigations
Evidence collection handling
Reporting and documenting
Investigative techniques
Digital forensics
Investigation Types
Operational
Criminal
Civil
Regulatory
Electronic discovery (eDiscovery)
Logging and Monitoring
Intrusion detection and prevention
Continuous monitoring
Egress monitoring
Provisioning of Resources
Asset inventory
Configuration management
Physical assets
Virtual assets
Cloud assets
Applications
Foundational Security Operations Concepts
Need-to-know/least privilege
Separation of duties and responsibilities
Monitor special privileges
Job rotation
Information life cycle
Service-level agreements
Resource Protection Techniques
Media management
Hardware and software asset management
Incident Response
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons learned
Preventative Measures
Firewalls
Intrusion detection and prevention systems
Whitelisting/Blacklisting
Third-party security services
Sandboxing
Honeypots/Honeynets
Anti-malware
Patch and Vulnerability Management
Change Management Processes
Recovery Strategies
Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation)
Recovery site strategies
Multiple processing sites (e.g., operationally redundant systems)
System resilience, high availability, quality of service, and fault tolerance
Disaster Recovery Processes
Response
Personnel
Communications
Assessment
Restoration
Training and awareness
Disaster Recovery Plans
Read through
Walkthrough
Simulation
Parallel
Full interruption
Business Continuity Planning and Exercising
Physical Security
Perimeter
Internal
Personnel Safety
Objectives
■ Understand and support investigations.
■ Understand requirements for investigation types.
■ Conduct logging and monitoring activities.
■ Secure the provisioning of resources.
■ Understand and apply foundational security operations concepts.
■ Employ resource protection techniques.
■ Conduct incident response.
■ Operate and maintain preventative measures.
■ Implement and support patch and vulnerability management.
■ Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis).
■ Implement recovery strategies.
■ Implement disaster recovery processes.
■ Test disaster recovery plan.
■ Participate in business continuity planning and exercising.
■ Implement and manage physical security.
■ Participate in personnel safety (e.g., duress, travel,
Basic concepts of security operations
Key themes
Maintain operational resiliency
Maintain the continuity of critical business functions
Develop an emergency plan
Real-time monitoring and response
Protect valuable assets
Provide routine maintenance of various assets
Protect assets from damage
Control system accounts
Maintain controls over user access to business-critical systems
Provide checks and balances on accounts, especially privileged accounts, to ensure they serve legitimate business needs
Effectively manage security services
Change, configuration and problem management of IT services
Security-related programs, such as user allocation and help desk programs
Focus on reporting and service continuous improvement practices
Operations staff requirements
Prudent man: a responsible, prudent, wise and capable person
Due care
Reasonable protective measures have been taken
Due diligence
Responsibilities are fulfilled in daily management
Control privileged accounts
Strictly control the number and type of accounts
using these solutions most effectively while also ensuring that privileged accounts are carefully
Carefully monitor the system’s account management permissions
Service account
The account that executes the script
Identity and access management (IAM)
Provisioning of users
Managing their access across multiple systems
Native access control systems
Need to know and least privilege (complementary to each other)
Need to know
Minimum scope of knowledge and access granted based on job or business needs
Operational security is key
Commonly used in the military
Least privilege
Users or processes perform their work, tasks, and functions without unnecessary access privileges
Goal
Restrict users and processes to only the resources and tools necessary to complete designated tasks
Limits
Accessible resources
What users can do
Manage accounts using groups and roles
Different types of accounts
Privileged account
Root or built-in administrator account
All-purpose default account used to manage devices and systems
Security controls
Rename the default account where possible
Change the default password
Log individual activity performed with the root account
When logging in remotely using the root account
Sessions should be strongly encrypted and monitored
Use multi-factor authentication methods
Service account
Privileged access used by system services and core applications
Passwords are complex and frequently changed
Have a strategy for reclaiming and closing compromised accounts
Administrator account
These accounts are assigned to designated individuals who require privileged access to the system to perform maintenance tasks
These accounts should be separate from the user's regular account
Account passwords should be distributed to individuals safely and reliably
Administrators should acknowledge receipt of accounts in writing and comply with organizational rules
Accounts that are no longer in use should be deleted immediately.
All activities should be audited
Deploy additional logging systems
Multi-factor authentication
Power user
These accounts are granted permissions beyond those of ordinary users because of work requirements, but do not require administrator permissions.
Power users can install software on their own desktops
Acceptance of the account should be acknowledged in writing and organizational rules abided by, for example by signing a security agreement
Normal or restricted user account
Most users
Based on the principle of least privilege or need to know
Segregation of Duties
Definition: Breaking a key task into different parts, with each part being performed by a different person
Collusion
Fraud requires the collusion of several people
Purpose
A constraint that reduces the chance of sabotage
A complement that reduces the chance of unintentional omissions and errors
Reasons
Different security-related tasks require different skills
Separate administrator tasks into multiple roles to grant different levels of trust
Prevent all security-related functions from being delegated to a single role or person
System administrator
Least privilege
Determine necessary access and applications as needed
Monitor
Behavior is audited via logs sent to a separate auditing system
Prevent fraud
Administrators are incapable of engaging in malicious activity without colluding with others
Background check
Job rotation
Operator
Job responsibilities
Carry out the daily operation of the host, ensure that scheduled work is carried out effectively, and solve problems that arise
Permissions
Operators have high privileges, lower than those of system administrators but still able to circumvent the system's security policy; use of these privileges should be monitored and audited via logs.
Security controls
Least privilege
Monitor
Operator actions are recorded and sent to an independent system not controlled by the operator
Segregation of duties
Administrators are incapable of engaging in malicious activities without colluding with others
Background check
Security administrator
Function: Define system security settings and collaborate with administrators to perform related configurations, provide a check and balance of rights, and provide audit and review activities for system administrators
Main duties
Account management
Assignment of sensitive labels
System security settings
Review of audit data
Help/Service Desk Personnel
Provide first-line support
Reset user password when needed
Conduct monitoring and background checks
General user
Requires access to information technology resources
Monitoring privileges
Licensing, suitability and background checks
Access should not be granted in the following situations (e.g., IDS and firewall logs show that an IP should have been blocked immediately but was not; the clock was adjusted or logs were deleted, etc.)
A recent serious lapse of judgment
Repeated high-risk patterns of behavior by the person
The person's conduct is linked to illegal activities
Account validation
Identify existing inactive accounts (e.g., accounts of retired or departed personnel, accounts of personnel on temporary leave)
Job rotation
Reduces the risk of collusive activities between individuals
Two-person operation
On-site mutual supervision
Mandatory leave
Information life cycle management
Information has a life that consists of creation, use, and finally destruction. The information life cycle includes generation, distribution, use, maintenance, disclosure, and disposal (transfer, secure processing).
Information owner
■ Determine the impact the information has on the mission of the organization.
■ Understand the replacement cost of the information (if it can be replaced).
■ Determine who in the organization or outside of it has a need for the information and under what circumstances the information should be released.
■ Know when the information is inaccurate or no longer needed and should be destroyed.
Classification and categorization
Classification is concerned primarily with access
Military or government information (confidential, secret, top secret)
Categorization is primarily concerned with impact
Determining the impact of the loss of confidentiality, integrity, or availability of the information (high, medium, low; for example, externally released public information vs. a risk assessment report)
Standardize defense baselines
Retention plan
■ Reduce storage costs
■ Save only relevant information to speed up searching and indexing
■ Litigation holds and eDiscovery are less likely to run into erroneous, pre-decisional or negotiation-related information
Service Level Agreements (SLAs)
What
An SLA is a simple document that describes the level of service a customer receives from a supplier, showing service measurements, remediation, or penalties if agreement requirements are not met.
If the SLA is not met due to the customer's fault, there should be no penalty
SLA
external
OLA (Operational Level Agreement)
internal
Why
Make sure both parties understand the requirements
Ensure that the agreement has not been misinterpreted intentionally or unintentionally
Who
Different levels have different prices
Starting point for negotiation
Important section
Service elements
Provide specific services
Service availability status
Service standards (time window)
Upgrade procedure
Responsibilities of all parties
Cost/service trade-off
Management elements
Definition of measurement standards and methods
Reporting process, content and frequency
Dispute resolution process
Keep SLAs updated
As supplier capabilities and service needs change
Compensation
The supplier will have to pay the customer any third-party costs resulting from the breach of warranty
SLAs are not transferable
How to verify SLA
Statistics
Measurement standards
Service availability
Defect rates
Technical Quality
Security
Typical uptime provisions for network service providers
99 percent availability (allows over 7 hours of unplanned downtime per month)
99.9 percent (43.8 minutes per month)
99.99 percent (4.4 minutes per month)
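The downtime figures above follow from one formula, carried through here as an added example (not part of the original mind map). It assumes the map's convention of an average month of 365/12 days, which is what makes 99.9 percent come out to 43.8 minutes; the year-length variant and the SLA check are added generalizations.

```python
"""Convert an SLA availability percentage into a downtime budget and check
measured downtime against it.  Added example; the 365/12-day month matches
the figures in the mind map (99.9 percent -> 43.8 minutes per month)."""

MINUTES_PER_YEAR = 365 * 24 * 60          # 525,600 minutes
MINUTES_PER_MONTH = MINUTES_PER_YEAR / 12  # 43,800 minutes in an average month


def downtime_minutes(availability_pct: float,
                     period_minutes: float = MINUTES_PER_MONTH) -> float:
    """Maximum downtime (minutes) the SLA allows over one period."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return (100.0 - availability_pct) / 100.0 * period_minutes


def measured_availability(outage_minutes: list,
                          period_minutes: float = MINUTES_PER_MONTH) -> float:
    """Availability percentage actually delivered, from a list of outage durations."""
    total_down = sum(outage_minutes)
    if total_down < 0 or total_down > period_minutes:
        raise ValueError("total outage time must lie within the period")
    return 100.0 * (1.0 - total_down / period_minutes)


def sla_met(availability_pct: float, outage_minutes: list,
            period_minutes: float = MINUTES_PER_MONTH) -> bool:
    """True when the summed outages stay within the SLA's downtime budget."""
    return sum(outage_minutes) <= downtime_minutes(availability_pct, period_minutes)


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99, 99.999):
        month = downtime_minutes(pct)
        year = downtime_minutes(pct, MINUTES_PER_YEAR)
        print(f"{pct:>7}%  {month:8.1f} min/month  {year:8.1f} min/year")
    # Constructed outage record for one month: two incidents of 25 and 30 minutes.
    outages = [25.0, 30.0]
    print("delivered:", round(measured_availability(outages), 3), "%",
          "| 99.9% SLA met:", sla_met(99.9, outages))
```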
When to Review SLA
Change management
Change management process
Requests
Impact assessment
Approval/Disapproval
Build and test
Notification
Implementation
Validation
Documentation
Configuration management
Goal
Establish and maintain integrity throughout the lifecycle of products, systems and projects
Includes
Identifying configuration items for the software product
Controlling these configuration items and changes to them
Recording and reporting status and change activity for these configuration items, and conducting audits
Configuration management
Manage components from initial concept through design, implementation, testing, baseline, build, release and maintenance
Make inevitable changes controllable
Policies and standards
■ Which component sets are subject to configuration management
■ How components are named
■ How components enter and leave control sets
■ How components under CM are allowed to change
■ How different versions of components under CM are made available
■ Under what circumstances each of them can be used
■ How CM tools enable and enhance configuration management
The CMMI steps for CM
1. Identify the configuration items, components and related work that will be placed under configuration management.
2. Establish and maintain configuration management and change management systems to control work products
3. Establish and publish baselines for internal use and baselines for delivery to customers.
4. Track configuration item change requests.
5. Control changes in configuration item content.
6. Establish and maintain records describing configuration items
7. Perform configuration audits to maintain the integrity of configuration items.
Asset list
Hardware library
1. Brand
2. Model
3. MAC addresses
4. Serial number
5. Operating system or firmware version
6. Location
7. BIOS and other hardware-related passwords
8. Assigned IP address if applicable
9. Labels or barcodes for organizational asset management
Software library
1. Software name
2. Software vendor (and reseller if appropriate)
3. Password or activation code (note if there are hardware keys)
4. Type of license and for what version
5. Number of licenses
6. License expiration
7. License portability
8. Organizational software librarian or asset manager
9. Organizational contact for installed software
10. Upgrade, full or limited license
The security role of software and hardware libraries
Security experts can quickly find and mitigate vulnerabilities related to hardware type and version
Knowing the type and location of hardware in the network can reduce the effort of identifying affected devices
Unauthorized devices on the network can be discovered through scanning
Maintain configuration list
Logging and tracking configuration changes provides assurance of network integrity and availability
Regular checks to detect unauthorized changes
CM applies to different types of asset management
■ Physical assets (e.g., servers, laptops, tablets, smartphones)
■ Virtual assets (e.g., Software Defined Networks (SDNs), virtual SAN (vSAN) systems, virtual machines (VMs))
■ Cloud assets (e.g., services, fabrics, storage networks, tenants)
■ Applications (e.g., workloads in private clouds, Web services, Software as a Service (SaaS))
Security professional's perspective
Patch and vulnerability management
The purpose of patch management
Establish a continuous configuration environment to protect operating systems and applications from known vulnerabilities
Vendors often do not state the reasons for a version upgrade.
Patch management steps
Security professionals need to determine whether the issue is a vulnerability
Is the patch needed?
Risk-based decision making
Importance of patches
Management and system owners determine whether to update patches
Will it affect the business?
Patches have been tested and residual risks addressed
Schedule updates
Notify users before deployment
Update at night or on weekends
Backup server before deployment
After the update is completed, it needs to be verified in the production environment
Hidden problems may arise
Once deployment is complete ensure all appropriate machines are updated
Log all changes
Security and patch information management
Important section
Patch management is about knowing both about security issues and patch releases
Be aware of security issues and software updates relevant to their environment
It is recommended that a dedicated person and team be responsible for alerting administrators and users of security issues or app updates.
Patch prioritization and scheduling
1. The patch life cycle (patch cycle) guides the routine application of patches and system updates
Cycle
Time- or event-driven
Helps with the release and application of standard patches
2. Job scheduling to handle critical security and functional patches and updates
Patch priority and urgency scheduling
Vendor-reported criticality (e.g., high, medium, and low)
System criticality
Importance of the applications and data on the system
Patch testing
Breadth and depth of patch testing
System criticality
Processed data
Environmental complexity
Availability requirements
Available resources
The patch testing process begins with the acquisition of software updates and continues with acceptance testing after production deployment
Verify patches on acquisition
Source verification
Integrity check
Digital signature
Checksum
Test after patch verification is complete
The test environment is as close as possible to the production environment
You can use subsystems of the production system as a test environment
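The integrity check described under patch verification, written out as an added example (not part of the original mind map). It parses a sha256sum-style manifest (`<hex digest>  <filename>` per line) and compares each acquired patch against it with a constant-time comparison; the patch bytes, file names and manifest are constructed for the demonstration, and the manifest is deliberately built so that one entry mismatches, one file is unlisted and one listed file is absent.

```python
"""Verify acquired patch files against a checksum manifest before they go to
the test environment.  Added example with constructed sample data.

A matching digest only proves the file equals what the manifest lists; the
manifest itself must come from a verified source (source verification and a
digital signature on the manifest), which this block does not model."""
import hashlib
import hmac
from typing import Dict

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample patches (file names and contents are made up).
PATCH_FILES = {
    "app-1.2.3.patch": b"--- a/app.c\n+++ b/app.c\n@@ -1 +1 @@\n-int x;\n+int x = 0;\n",
    "kernel-5.15.8.patch": b"not the bytes the vendor published",
    "hotfix-unknown.bin": b"\x00\x01\x02 arrived without any manifest entry",
}

# Constructed manifest: first digest is correct, second is deliberately wrong,
# third lists a file that was never received.  Comments and blank lines are
# tolerated, as is the '*' binary-mode marker that sha256sum may emit.
MANIFEST = (
    f"{sha256_hex(PATCH_FILES['app-1.2.3.patch'])}  app-1.2.3.patch\n"
    f"{'0' * 64}  *kernel-5.15.8.patch\n"
    "# vendor manifest, constructed for this example\n"
    "\n"
    f"{'f' * 64}  db-2.0.1.patch\n"
)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected lowercase hex digest; reject malformed lines."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest>  <file>'")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if not name:
            raise ValueError(f"manifest line {lineno}: empty file name")
        expected[name] = digest
    return expected


def manifest_is_well_formed(text: str) -> bool:
    """True when the manifest parses without error."""
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def verify_patches(files: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Return a status per file: ok, mismatch, unlisted (not in manifest) or
    missing (listed but not received).  Only 'ok' files may proceed to testing."""
    expected = parse_manifest(manifest_text)
    results: Dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "unlisted"
            continue
        actual = sha256_hex(data)
        # compare_digest avoids leaking where the digests diverge via timing.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    for name in expected:
        if name not in files:
            results[name] = "missing"
    return results


if __name__ == "__main__":
    for name, status in verify_patches(PATCH_FILES, MANIFEST).items():
        print(f"{status:<9} {name}")
```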
Patch change management
Change is important at every step of patch management
Patching applications should include contingency and fallback plans
Include risk reduction strategies in your change management program
Change management program includes monitoring and acceptance plan
Demonstrate patch success with specific milestones and acceptance criteria
Apply updates only through the closed change system
Patch installation and deployment
The deployment phase of patch management must have well-experienced administrators and engineers
Installation and deployment means that patches and updates to production systems are actually implemented
A technical factor affecting patch deployment is tool selection
Tool selection
Buy
Self-built
Tool type
Agent-based
Agentless
Deploy security patches
Completed on time
Controllable and predictable
Patch audit and assessment
Routine audits and assessments measure patch management success and extent
Two questions
Which systems need patches for known vulnerabilities or bugs?
Are the systems actually updated with the patches?
Critical success factors
Asset and host management
Host management software should ideally provide compliance reporting
Management tools
System discovery and auditing as part of the audit and assessment process
System discovery tools
Uncover unmanaged systems and assist in bringing them under the umbrella of formal system management and patch compliance
Compliance and enforcement
Auditing and evaluation elements in a patch management program can help identify systems that are not compliant with organizational guidelines or other efforts to reduce noncompliance.
System build tools and guidelines are the primary enforcement means of ensuring compliance with patch requirements at installation time.
Patch management technology is very important, but technology alone is not enough
Patch management solutions are team-based technologies that provide policy and operational solutions based on collaborative efforts to address the unique requirements of an organization.
Vulnerability management system
Configuration management
Helps the organization know all of its parts
Vulnerability scan
Identifies these weaknesses
Vulnerability types
System defects
Product design imperfections
Buffer overflow
Configuration errors
Implementation errors that expose a system to attack
Policy errors
Individuals fail to follow or implement security as required
Host-based scanning
Conducted at the system console or through agents on servers and workstations
Identifies missing security updates on servers
Identifies unauthorized software or services that might indicate a compromised system
Application security scan
Database security scan
Finds configuration errors
Incident management
Including people, technology and processes
Directs all incident-related activities and directs security personnel to a predefined and pre-authorized path to resolution.
Describe the activities undertaken in relation to the roles and responsibilities of the parties involved in the incident.
Manage security technology
Boundary control
The division between more trustworthy and untrustworthy environments
Firewalls, routers, proxies, and other technologies
Single systems
Focus on core functionality and end-user processes
Security operations focuses on ensuring technology can operate effectively and continuously monitors its effectiveness
Security metrics and reporting
Measuring the effectiveness of security controls
Security technology
IDS/IPS
Attacks detected or blocked
Provide trending over time
Firewall
Common sources of attacks, tracked by IP address and other means
Email security services
Amount of malware or spam detected and blocked
Focus on indicators (number of virus outbreaks, top 10 attack source IPs, number and proportion of spam discovered or removed)
Reports
Reporting is fundamental to successful security operations
Intended audience for the report
Technical reports tend to be designed for technical experts or managers of direct service delivery
Management reporting
Provides summaries of multiple systems as well as key metrics for each service covered by the report
Executive dashboards
Executives are interested in seeing only the highlights across multiple services
Provide simple summaries of the current state
Usually in a highly visual form such as charts and graphs
Reporting frequency
Operational level
Yearly, monthly, weekly, or even daily
Monitoring
Intrusion Detection and Prevention Systems
Identify and respond to suspected security-related events in real time or near real time
Network-based intrusion systems
Focus on the analysis of network traffic
Host-based intrusion systems
Focus on audit logs and processes inside a single system
IDS
Out-of-band
IPS
In-line
Signature- or pattern-matching systems
Protocol anomaly-based systems
Statistical anomaly-based systems
False positives
False negatives
Anti-malware systems
Installed on individual hosts and systems
Unified Threat Management (UTM) security gateway
Continual updates of the virus database
Monitored to ensure they are still active and effective
Automatic scanning of new media and email attachments
Scanning should be scheduled and accomplished on a regular basis
SIEM (Security Information and Event Management) system
One disadvantage of system logs is that they provide a view into only that single system, not the related events across multiple systems
Provides a common platform for log collection, collation, and real-time analysis
Provides reports on historical events using log information from multiple sources
Log management systems are similar
Combined with SIEM solutions
Real-time functions provide real-time analysis
Maintain a disciplined practice of log storage and archiving
Modern reporting tools can also be used to transform security event information into useful business intelligence
Response
Containment strategy (for example: cutting off virus sources from the network, controlling infected hosts)
■ The need to preserve forensic evidence for possible legal action
■ The availability of the services the affected component provides
■ The potential damage that leaving the affected component in place may cause
■ The time required for the containment strategy to be effective
■ The resources required to contain the affected component
Delayed containment leads to deeper impacts
and to further attacks
The initiating event and related information should be recorded as much as possible
More and more information should come together until the incident is deemed resolved by the security operations team
Reporting
Policies and procedures must be defined
■ Does the media or an organization's external affairs group need to be involved?
■ Does the organization's legal team need to be involved in the review?
■ At what point does notification of the incident rise to line management, middle management, senior management, the board of directors, or the stakeholders?
■ What confidentiality requirements are necessary to protect the incident information?
■ What methods are used for reporting? If email is compromised, how does that affect the reporting and notification process? (Mobile phone, landline, emergency contact?)
Recovery
Restore the computer image to a known loss-free state
The first step in recovery is eradication
Eradication is the process of removing the threat (if a system is infected with a virus and no longer functions properly, a thorough disinfection eradicates the problem)
Restore or repair the system to a known good state
If the last known image or state contains the actual cause of the event, recovery becomes complicated; in that case a new image should be generated and the application tested before moving it to the production environment
Remediation and review (lessons learned)
The most important part of incident response is capturing lessons learned
Root Cause Analysis (RCA)
Work backwards to determine what allowed the event to happen in the first place, peeling back layer by layer until the root cause is discovered
RCA can quickly cross technical, cultural, and organizational boundaries
Remediation
Recommendations from the RCA are then reviewed by management for adoption and implementation
Problem management
Incident management
Managing an adverse event
Limiting the effect of an incident
Problem management
Tracking that event back to a root cause and addressing the underlying problem
Addressing defects that made the incident possible or more successful
Has a longer-term view
Looks at incidents as they occur in the operational environment over the long term
Tracking down the underlying defect may take time, because it may require specific conditions that do not occur frequently
Security Audits and Reviews - Mitigation Precursors
Security audit
Performed by an independent third party
Determines the degree to which the required controls are implemented
Internal reviews
Conducted by a member of the organization's staff who does not have management responsibility for the system
External reviews
Involve outside entities that evaluate the system against the organizational security requirements
Provide an independent assessment of the system
Security review
Conducted by the system maintenance or security personnel to discover system vulnerabilities
Vulnerability assessment
Penetration testing
May be conducted with physical access to the system or from outside the system and facility
The output of the security audit and review process should be listed as items and issues to be addressed in an organized manner
investigation
Glossary
Digital investigation
Terms range from computer forensics, digital forensics, and network forensics to electronic data discovery, cyber forensics, and forensic computing.
Based on methodical, verifiable and auditable procedures and protocols
American Academy of Forensic Sciences (AAFS)
Digital Forensic Research Workshop (DFRWS)
Evidence Collection Guide
Identifying evidence
Collecting or acquiring evidence
Examining or analyzing the evidence
Presentation of findings
crime scene
Formal principles
1. Identify the scene,
2. Protect the environment,
3. Identify evidence and potential sources of evidence,
4. Collect evidence,
5. Minimize the degree of contamination
environment
physical environment
server, workstation, laptop, smartphone, digital music device, tablet
relatively straightforward to deal with;
virtual environment
difficult to determine the exact location of the evidence or acquire the evidence,
e.g., data on a cluster or grid, or on storage area networks (SANs)
dynamic evidence
Data exists in a dynamic operating environment
more difficult for the security professional to protect the virtual scene
Motive, Opportunity, and Means (MOM)
Motive
Who and why
Opportunity
When and where
Means
The criminal needs the ability (the means) to succeed
computer crime
Use of modus operandi (MO)
Criminals use different modus operandi to commit crimes, which can be used to help identify various types of crime
Locard's Exchange Principle
Holds that criminals leave something behind whenever they take something away
G8 General Guidelines
When dealing with digital evidence, all common forensic and procedural principles must be applied.
The act of seizing evidence must not change the evidence.
When it is necessary for a person to access original digital evidence, that person needs to be trained for this purpose.
All activities related to the seizure, access, storage or transmission of digital evidence must be fully documented, retained and available for review and inspection.
When digital evidence is in someone's possession that person must be responsible for all activities related to the digital evidence.
Any agency responsible for capturing, accessing, storing and transmitting digital evidence is responsible for compliance with these principles.
rules of thumb
■ Minimize handling/corruption of original data.
■ Account for any changes and keep detailed logs of your actions.
■ Comply with the five rules of evidence.
■ Do not exceed your knowledge.
■ Follow your local security policy and obtain written permission.
■ Capture as accurate an image of the system as possible.
■ Be prepared to testify.
■ Ensure your actions are repeatable.
■ Work fast.
■ Proceed from volatile to persistent evidence.
■ Do not run any programs on the affected system.
Incident handling policy, roles and responsibilities
The policy must be clear, concise, and empower the incident response/handling team to handle any and all incidents
Staffed and well-trained incident response team
virtual team
Dedicated team
Hybrid mode team
Outsourcing resources
A fourth model that some organizations are using would involve outsourced resources that are available “on-demand” for participation in an investigation or as members of a response team.
Response Team Core Areas
Establishing a team requires training and keeping it up-to-date, which requires a huge amount of resources.
Handle public disclosures with caution
incident response
Incident response or incident handling has become a primary responsibility of organizational security departments
general framework
Creation of a response capability;
Incident handling and response;
Recovery and feedback;
Incident handling and response
definition
An event is a negative occurrence that can be observed, verified, and recorded
An incident is a series of events that negatively affects a company and its security posture
Incident Response: when something happens to the company that causes a security breach, dealing with it becomes incident response or incident handling
Steps
Triage
Contains sub-phases such as event detection, identification and notification;
Classify events according to their potential risk level, which is affected by event type, source (internal or external), growth rate, and the ability to contain the event;
Handling false positives is the most time-consuming part;
If it is a real event, categorization (based on the needs of the organization) and classification (determining the level of potential risk or criticality of the event) are required
investigation
Directly deals with analysis, interpretation, response, and recovery of events;
Investigation involves the appropriate collection of relevant data, which will be used in analysis and subsequent stages;
Management must determine whether law enforcement is involved in the investigation, gathering evidence for prosecution, or simply patching the loophole;
Containment
Contain incidents and reduce their impact;
Containment measures should be based on the type of attack, the assets affected by the incident, and the criticality of those assets;
Appropriate containment measures buy the incident response team time to properly investigate and determine the root cause of the incident;
Appropriate records must be kept, and potential sources of evidence must be handled properly;
Analysis and Tracking
Collect more data (logs, videos, system activity, etc.) during the analysis phase to try to understand the root cause of the incident and determine whether the source of the incident was internal or external, and how the intruder penetrated;
Security experts need a combination of formal training and real-world experience to provide appropriate explanations, often without sufficient time;
Tracking often goes hand-in-hand with analysis and inspection, and requires weeding out sources of false leads or deliberate deception;
Also important is what needs to be done once the root cause is identified and traced back to the true source.
Objective
obtain sufficient information to stop the current incident
prevent future “like” incidents from occurring
identify what or whom is responsible
recovery stage
The purpose is to get the business back up and running, return affected systems to production, and be consistent with other activities;
Make necessary repairs to ensure this does not happen again;
Remediation efforts include: blocking sensitive ports, disabling vulnerable services or functions, applying patches, etc.
Reports and records
The most important and easily overlooked stage is the reporting and feedback stage;
Organizations often learn a lot from events and move from mistakes to success;
Debriefing requires all team members, including representatives from each team affected by the incident;
The advantage is that this phase can develop or track response team performance from collecting meaningful data;
Metrics can determine budget allocation, staffing needs, baselines, demonstrate prudence and reasonableness;
The difficulty lies in producing statistical analysis and metrics that are meaningful to the organization.
Evidence collection and processing
Evidence chain of custody
Evidence media must have clear documentation and accountability from initial collection and labeling, through transportation, use and intermediate custody, to final storage and archiving, so that the original evidence media has no chance of being contaminated or tampered with;
Throughout the life cycle of evidence, it is all about the who, what, when, where, and how of handling evidence;
Ensure the authenticity and integrity of evidence with the help of Hash (SHA-256) and digital signatures;
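The who/what/when/where/how custody record and the SHA-256 integrity check described above, as an added Python example that is not part of the original notes; the names, locations and the tiny "image" bytes are constructed:

```python
"""Added example: a minimal chain-of-custody log for an evidence image.
Each custody event records who, what, when, where and how, and the SHA-256
of the media is re-computed at every hand-off so that contamination or
tampering is detected immediately. All sample data is constructed."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Integrity hash of the evidence bytes (SHA-256, as the notes suggest)."""
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class CustodyEvent:
    who: str        # person taking custody
    what: str       # action: collected, transported, analysed, stored ...
    when: str       # ISO-8601 UTC timestamp
    where: str      # physical location
    how: str        # method / tooling used
    sha256: str     # hash observed at this hand-off


@dataclass
class EvidenceItem:
    label: str
    original_hash: str
    events: list = field(default_factory=list)


def collect(label: str, image: bytes, who: str, where: str, how: str) -> EvidenceItem:
    """Initial collection: label the media and record its baseline hash."""
    h = sha256_hex(image)
    item = EvidenceItem(label=label, original_hash=h)
    item.events.append(CustodyEvent(who, "collected", _now(), where, how, h))
    return item


def transfer(item: EvidenceItem, image: bytes, who: str, what: str,
             where: str, how: str) -> bool:
    """Record a hand-off. Returns False (but still logs the event) when the
    hash no longer matches the baseline, i.e. the evidence was altered."""
    h = sha256_hex(image)
    item.events.append(CustodyEvent(who, what, _now(), where, how, h))
    return h == item.original_hash


def verify_chain(item: EvidenceItem) -> bool:
    """True only if every recorded hand-off observed the original hash."""
    return all(e.sha256 == item.original_hash for e in item.events)


if __name__ == "__main__":
    # Constructed sample: a few bytes standing in for a real disk image.
    image = b"constructed evidence image bytes 0001"
    item = collect("EV-0001 (laptop SSD image)", image, "A. Analyst",
                   "Server room B", "write-blocked dd to external SSD")
    transfer(item, image, "B. Courier", "transported", "Evidence locker 3",
             "sealed tamper-evident bag")
    # A single altered byte on the working copy breaks the chain at analysis.
    tampered = image[:-1] + b"2"
    ok = transfer(item, tampered, "C. Examiner", "analysed", "Forensics lab",
                  "working copy mounted read-only")
    print("chain intact:", verify_chain(item), "| last hand-off ok:", ok)
```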
Interview
The most delicate part of the investigation is the interviewing of witnesses and suspects;
Interviews must be preceded by reviewing strategy, notifying management, and contacting company legal counsel;
Do not be alone during the interview. If possible, record the entire interview as evidence;
Understand the forensic process
evidence admissible in court
Evidence classification
Classification of presentation methods
written
oral
testimony given by witnesses
computer generated
visual or auditory
Events captured during or immediately after a crime
Classified by weight
Best evidence
e.g. the original contract
Secondary evidence
Oral evidence, copies of original documents
Direct evidence
Witness testimony
Evidence gathered from the five senses of the witness
Conclusive evidence
Circumstantial evidence
Confirms intermediate facts, which can be used to infer or determine the existence of another fact
Corroborative evidence
Supporting evidence used to help substantiate an idea or opinion
Opinion evidence
Educated opinions presented by expert witnesses
Ordinary witnesses can only testify to facts
Hearsay evidence
Oral or written evidence presented in court that is second-hand
Evidence characteristics
Relevance (authenticity)
Must have a reasonable and sensible relationship to the findings
integrity
Evidence must present the whole truth
adequacy or credibility
There must be sufficient persuasion to convince a reasonable person of the authenticity of the investigation, and the evidence must be strong and not easily doubted.
reliability or accuracy
Must be consistent with the facts. The evidence is not reliable if it is based on one person's opinion or a copy of an original document
computer logs
Admissible under the business records exception to the hearsay rule, provided they were collected in the normal course of business
Most computer-related documents should therefore not be treated as hearsay (secondary evidence)
Evidence collection principles
Any action taken as a result of the investigation shall not alter data on the storage medium or digital device;
People accessing data must be qualified to do so and able to explain their actions
Audit trails or other records suitable for third-party audits and applied to the process should be generated and protected, and each step of the investigation should be accurately documented
Those responsible for the investigation must be fully responsible for ensuring the above-mentioned order and compliance with government laws
Actions taken to seize data must not alter the evidence.
Anyone who must access original evidence must be qualified to do so
Actions related to the seizure, access, storage or transmission of digital evidence must be carefully recorded, preserved and made available for audit
When digital evidence is in someone's custody, that person is fully responsible for all actions taken with respect to the evidence
Australian Computer Forensics General Guidelines
Processing or corruption of raw data is kept to a minimum
Document all actions and explain changes
Follow the 5 principles of evidence (acceptable, reliable, complete, accurate, and convincing)
Seek help from more experienced people when processing and/or associating evidence is beyond your own knowledge, skills and abilities
Follow the organization's security policies and obtain written permission from management to conduct forensic investigations
Capture an image of your system as quickly and accurately as possible
Prepare to testify in court
Prioritize your actions from volatile evidence to permanent evidence
Do not run any programs on the system that could become evidence
Be ethical and sincere in managing forensic investigations and do not attempt to undermine anything
Evidence analysis method
Media Analysis: Recovering information or evidence from information media;
Network Analysis: Analysis and examination of web logs and network activity used as potential evidence;
Software analysis: analyze and inspect program code (including source code, compiled code and machine code), use decoding and reverse engineering techniques, including author identification and content analysis, etc.;
Hardware/embedded device analysis: should include analysis of mobile devices;
Investigation types and requirements
Requirement
An expression of desired behavior.
Deals with objects or entities,
the states they can be in,
and the functions that are performed to change states or object characteristics.
computer crime
Unlawful conduct that is facilitated and assisted by a computer, whether the computer is the target of a crime, a tool of a crime, or the storage of evidence related to a crime.
first responder
Critically important
Three elements of criminal investigation
Information accumulation: the basic element of investigation
Instrumentation Tools: Tools used when investigating financial-related crimes involving computer systems primarily revolve around tracking and analyzing logs and records to identify discrepancies or irregularities in normal patterns;
Interviewing: Provides investigators with indirect tools such as insights into motives and possible techniques used, especially if the attacker is an insider;
Continuous and egress monitoring
Egress Monitoring
Egress filtering is the practice of monitoring and potentially restricting the flow of information from one side of a network to the other;
The flow of information from private networks to the Internet should be monitored and controlled;
Network traffic should be strictly controlled, monitored and audited;
Influence and manage network traffic and bandwidth using physical and logical access control mechanisms;
Whenever a new application requires external network access, policy changes and administrative management mechanisms may be required;
The border device inspects packets leaving the intranet and verifies that the source IP address of every outbound packet belongs to the assigned internal address block, so that packets with spoofed source addresses cannot leave the intranet;
Continuous monitoring systems are designed to meet organizational needs;
Implement ongoing monitoring systems and protect critical agency facilities;
For details, please pay attention to the "Collecting Security Data" section in "Chapter 6 Security Assessment and Testing"
Several computer crimes
salami attack
The perpetrator commits several small crimes in the hope that, even combined into a larger crime, they will not attract attention
Data diddling
Changes to existing data
Password sniffing
Capture passwords sent between computers
IP spoofing
The attacker does not want others to know his real address, so he changes the IP address of the packet so that it points to another address.
Dumpster diving
Look through other people's trash cans to find discarded documents, information, and other valuable items that could be used against that person or company.
eavesdropping
A passive attack, the tools used to eavesdrop on communications can be wireless phone scanners, radio receivers, microphone receivers, voice recorders, network sniffers, etc.
Domain name squatting
This is when someone purchases a domain name with the goal of using a similar domain name to harm a company or to extort money.
resource protection
Protect your company’s valuable assets, not all of them
tangible and intangible assets
Tangible assets are physical and fall under the category of traditional property.
Intangible assets are not physical and fall under the categories of intellectual property. (Patent certificates, franchise rights)
Facility protection
A facility requires appropriate systems and controls to maintain its operating environment
Fire detection and suppression systems
Heating, ventilation, and air conditioning systems
Water and sewage systems are an integral part of any facility
power supply and distribution system
Stable communications
facility access control and intrusion detection system
hardware
Hardware requires appropriate physical security measures to maintain the required confidentiality, integrity and availability
Access should be restricted to operator terminals and at work
Access to facilities should be restricted
Mobile assets should be protected
Printing facilities should be located near their authorized users
Network devices are core assets and need to be protected
Media management
type
Soft-copy media
magnetic, optical, and solid state
flash drives and memory cards.
hard-copy media
paper and microfiche.
media protection
Media containing sensitive or confidential information should be encrypted
data should be protected through the use of encryption to mitigate a compromise.
special types of media
product software
Original copies and installed versions of system and application
controlled through a software librarian.
removable media
question
Organizations don’t know when information leaves
The organization does not know if the information has been compromised
Users generally do not report violations.
Solution suggestions
Organize and implement DLP
Monitoring and restriction of USB and other external ports
Monitoring of DVD, Blu-ray, and other writable disk drives
Secure removable media management solution
Enforce encryption and strong authentication
Monitor and log information transferred to media
Inventory keeping capabilities
Remote wipe capability
Geolocation capability
Archiving and offline storage
Backups and archives are two different types of methods used to store information
backup
On a regular basis and used to restore information or systems in the event of a disaster
Contains information that users process daily
Archive
Information that has historical purposes and no ongoing use should be retained and removed from the system
Recovery from backups
have well-defined and documented procedures to ensure that restorations are done in the right order.
all backup and archival media are tested regularly
Cloud storage and virtual storage
Cloud storage
digital data is stored in logical pools
may be accessed through a co-located cloud compute service, a Web service application programming interface (API), or by applications that utilize the API,
Cloud storage services
■ Made up of many distributed resources, but it still acts as one.
■ Highly fault tolerant through redundancy and distribution of data.
■ Highly durable through the creation of versioned copies.
several concerns
When data is distributed, it is stored at more locations, increasing the risk of unauthorized physical access to the data.
The number of people with access to the data who could be compromised (i.e., bribed or coerced) increases dramatically.
It increases the number of networks over which the data travels
When you are sharing storage and networks with many other users/customers, it is possible for other customers to access your data, sometimes because of erroneous actions, faulty equipment, a bug, or because of criminal intent.
Virtual storage
definition
Multiple independent physical storage devices of different types are integrated, through software and hardware technology, into a single logical virtual storage unit that is centrally managed for unified use by users.
benefit
that commodity hardware or less expensive storage can be used to provide enterprise-class functionality.
primary types of virtualization
Block virtualization
abstraction (separation) of logical storage
File virtualization
Types
Host-based
Storage Device-based
A primary storage controller provides the virtualization services and allows the direct attachment of other storage controllers.
The primary controller will provide the pooling and metadata management services
Network-based
most commonly available and implemented form
hard copy records
Records and Information Management Program (RIM)
Ensure information is available in the event of a disaster to the organization
Protect hard copy records
risk
Loss of or damage to paper records can occur from fires, floods, hurricanes
Protection recommendations
Strategies for protecting vital hard-copy
documents include storing them in secure, clean, and environmentally stable containers;
making backup copies and storing the backups in secure off-site areas with stabilized temperature and humidity;
making microfiche copies
Disposal and reuse
Residual data should be cleared carefully
Simple delete or format
simply remove the pointers to the information.
Software removal tools
Overwrite every part of the magnetic media using a random or predetermined pattern
shortcoming
A one-time overwrite is easy to recover. Sensitive information should be overwritten multiple times.
Easily recoverable by lab tools
remanence
A measure of the residual magnetic field remaining in a medium after erasure: the physical remnant of the information that was stored
not safe
Degaussing
Using electromagnetic fields to eliminate magnetism
That is to reduce the magnetic field on the medium to zero.
A safer approach
physical destruction
Crushing, burning, and grinding are common methods
Safest, but pay attention to granularity
resource protection technology
Unauthorized disclosure
Is a threat worthy of concern
The malicious activities of malware as well as malicious users can lead to the loss of important information
vandalism, disruption and theft
Malicious activity on the part of malware and malicious users can cause the loss of a significant amount of information.
Interruptions in service can also be extremely disruptive to normal business operations
Theft is also a common threat.
corrupt or inappropriate modifications
Place protections on key systems and provide appropriate procedures
Intrusion detection system architecture
Classified by protection scope
Network-based Intrusion Detection System (NIDS)
passive architecture
installing a network tap, attaching it to a hub,
or mirroring ports on a switch to a NIDS dedicated port.
handle traffic throughput equivalent to (or greater than) the combined traffic load for all the ports on that device,
cannot monitor encrypted data
Many technologies now exist that can break session encryption
user training and privacy concerns
Real-time monitoring of network traffic, deployed on the debug port of a tap or switch or on a hub
Host-Based Intrusion Detection System (HIDS)
Real-time monitoring of host audit logs and deployment on each key host
limited to the boundaries of a single-host system.
multihost IDSs
identify and respond to data from multiple hosts
share policy information and real time attack
drawback
Places a heavy load on the host operating system
Interfering with normal system processing and excessively consuming CPU and memory
Application-based IDS
IDS to monitor malicious behavior of specific applications
Classification according to protection principle
Signature-based IDS
Signature matching, similar to antivirus software
Signatures must be continuously updated
Only previously identified attack signatures are detected; new attacks cannot be discovered
Categories: pattern matching, stateful matching
Rule-based IDS
Using rule-based procedures IF/THEN in expert systems
Allow artificial intelligence
The more complex the rules, the higher the requirements for software and hardware performance.
Unable to detect new attacks
Anomaly-based IDS
Behavior-based systems that require learning of “routine” activities in the environment
Can detect new attacks
shortcoming
May mistakenly detect non-attack events caused by a momentary anomaly in the system
Also called behavior-based or heuristic
Classification
statistical anomaly
Protocol anomaly
Traffic anomaly
Intrusion response
If the IDS detects an intrusion
Limit or block system traffic
Also integrates with other devices to respond
For example, inject rules into routers, VPN gateways, VLAN switches, etc.
Early versions of IDS were integrated with firewalls to guide the firewall to implement proposed rules for allowed traffic.
Normal business may be affected during the process of activating rules
The false alarm rate must be strictly controlled
Alerts and alarms
IDS basic components
1. Sensor
Deployment detection mechanism
Identify events
Generate appropriate notifications
Notify administrator
activate a rule
2. Command, control and communication
Handle alarm information
Send emails or text messages, etc.
3. Enunciator (annunciator)
relay system
Quickly notify local and remote resources
Determine who can receive information
Ensure timely information delivery mechanism
Determine the type of alert received and the urgency of the information
e.g. SMS text messages
IDS management
IDS is one of the security technologies widely adopted by enterprises.
Simple investment
No or little maintenance required
Requires extensive maintenance support
Effective IDS Management
Hire a technically knowledgeable person to select, implement, configure, run and maintain an IDS
Regularly update the system with new attack characteristics and evaluate expected behavioral characteristics
Noting IDS vulnerabilities and effectively protecting them
Attackers may launch attacks to disable IDS/IPS systems
Email protection - whitelist, blacklist and greylist
whitelist
A list of email addresses or IP addresses, etc., listed as "good" senders
blacklist
A list of "bad" senders
Gray list
"I don't know who you are, so your email must go through extra steps before I accept it"
Greylisting temporarily rejects new mail and relies on the sending email server to resend it shortly afterwards.
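The whitelist, blacklist and greylist decisions above as an added Python model (not part of the original notes). Greylisting keys on the (client IP, sender, recipient) triplet: the first attempt gets a temporary failure and a legitimate mail server retries after a delay; the addresses, lists and timing constants are constructed and time is passed in explicitly so the behaviour is reproducible:

```python
"""Added example: a deterministic model of whitelist / blacklist / greylist
handling for one inbound SMTP delivery attempt. Constructed values only."""
from dataclasses import dataclass, field

MIN_RETRY_SECONDS = 300          # retries earlier than this are deferred again
GREY_EXPIRY_SECONDS = 4 * 3600   # a triplet not retried within this is forgotten


@dataclass
class MailFilter:
    whitelist: set = field(default_factory=set)   # "good" senders or client IPs
    blacklist: set = field(default_factory=set)   # "bad" senders or client IPs
    grey: dict = field(default_factory=dict)      # triplet -> first-seen time
    verified: set = field(default_factory=set)    # triplets that retried correctly

    def decide(self, client_ip: str, sender: str, rcpt: str, now: int) -> tuple:
        """Return (smtp_code, reason) for a delivery attempt at time `now`."""
        if client_ip in self.blacklist or sender in self.blacklist:
            return 550, "blacklisted"                    # permanent reject
        if client_ip in self.whitelist or sender in self.whitelist:
            return 250, "whitelisted"                    # accept immediately
        triplet = (client_ip, sender, rcpt)
        if triplet in self.verified:
            return 250, "greylist passed earlier"        # already proven itself
        first = self.grey.get(triplet)
        if first is None or now - first > GREY_EXPIRY_SECONDS:
            # Unknown (or stale) triplet: "I don't know who you are"
            self.grey[triplet] = now
            return 451, "greylisted, try again later"   # temporary failure
        if now - first < MIN_RETRY_SECONDS:
            return 451, "retried too soon"
        # A real MTA retries after a sensible delay: remember it from now on
        del self.grey[triplet]
        self.verified.add(triplet)
        return 250, "greylist passed"


if __name__ == "__main__":
    mf = MailFilter(whitelist={"198.51.100.7"}, blacklist={"203.0.113.9"})
    t = ("192.0.2.5", "bob@example.net", "me@corp.example")   # constructed
    for when in (1000, 1100, 1400, 99999):
        print(when, mf.decide(*t, when))
```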
Non-profit organizations
Track the operations and sources of Internet spam
Provide real-time and effective spam protection for the Internet
DLP (Data Leak/Loss Prevention) data leakage prevention
definition
A set of technologies aimed at preventing the leakage of sensitive corporate information
Three key goals
Locate and catalog sensitive information stored across the enterprise;
Monitor and control the movement of sensitive information across the enterprise;
Monitor and control the movement of sensitive information from end-user systems;
Classification, storage location and transmission path of organizational sensitive information
Organizations often fail to realize the type and location of the information they process. When purchasing a DLP solution, they must first understand the types of sensitive data and data flows between systems and from systems to users;
Classifications can include attribute categories, such as privacy data, financial data, and intellectual property;
Once the data is properly identified and categorized, a deeper analysis process helps locate primary data and critical data paths;
It is necessary to pay attention to the life cycle of enterprise data, and understanding the processing, maintenance, storage and disposal of data can reveal deeper data storage and transmission paths;
Advantages of deploying DLP
Protect critical business data and intellectual property;
strengthen compliance;
Reduce the risk of data breach;
Increase training and awareness
Improve business processes;
Optimize disk space and network bandwidth;
Detect rogue/malware
Data at Rest (static data)
Find and identify specific file types and identify and record the location where information is stored;
Once found, DLP opens and identifies the contents of the file;
DLP uses crawler systems
Data in Motion (network, dynamic data)
DLP solution
1. Passively monitor network traffic;
2. Identify the correct data traffic captured;
3. Assemble the collected data;
4. Perform file reconstruction in the data stream;
5. Perform the same analysis as for data at rest to confirm whether any part of the file content is restricted by its rules.
To monitor enterprise network data movement, DLP solutions use special network devices or built-in technologies to selectively capture and analyze network traffic;
Deep packet inspection (DPI) technology, as the core capability of DLP, DPI can read the packet payload content beyond the basic header information.
DPI technology allows DLP to detect data in transit and determine content, source and destination;
DLP has the ability to handle encrypted data (for example, with an encryption key), or to decrypt it before detection and continue to encrypt it after detection is completed;
Data in Use (endpoint)
Monitor data movement actions taken by end users on their workstations
Use Agent to complete tasks
DLP Function
Policy Creation and Management
Directory Services Integration
Workflow Management
Backup and Restore
Reporting
Steganography and watermarking technology
watermark
Steganography is an information hiding technology that hides large amounts of information in pictures and video files;
Information hiding includes covert channels, hiding text on Web pages, hiding files in plain sight, and null ciphers;
Third-party services, sandboxes, anti-malware, honeypot systems and honeynets
Third-party Security Services
Dynamic application security testing (DAST)
Used to detect security vulnerabilities in the running state of the application
Mostly exposes HTTP- and HTML-based web vulnerabilities
Some are non-Web protocols and data malformations
method
DAST as a service
Crawling capability to test RIAs (Rich Internet Applications) and HTML5
Crawling capability to test applications that use other web protocol interfaces
Static application testing capabilities (SAST).
Interactive Security Testing.
Comprehensive fuzz testing
Testing mobile and cloud-based applications.
Honeypots and Honeynets
Acts as a decoy server to collect information about attackers or intruders operating on the system
Variants of IDS
Focus more on information collection and deception
Common tools
Glastopf
low-interaction,
open source honeypot
Specter
commercial
Ghost USB
free USB emulation honeypot
KFSensor
Windows based honeypot intrusion detection system (IDS).
Sandboxing
Software virtualization technology
Let programs and processes run in an isolated environment
Restrict access to other system files and systems
What happens in the sandbox only happens in the sandbox
A replacement for traditional signature-based antivirus
Possible detection of zero-day vulnerabilities and hidden attacks
Malware uses a variety of techniques to evade detection
Hooks
Technology introduced to detect malware
Insert directly into the program to get notification of function or library calls (call back)
This technique requires changes to program code
Can be detected by malware
Dynamic code generation can bypass hooks
main problem
The sandbox cannot see any instructions executed by the malware when called
Environmental checks
Anti-malware Anti-malware
Anti-Malware Testing Standards Organization (AMTSO)
A forum for malware testing and related product discussions
Publish objective standards and best practices for malware testing
Promote education and awareness related to malware testing issues
Provide tools and resources dedicated to standardized testing and methodologies
Windows
1. Test if my protection against the manual download of malware (EICAR.COM) is enabled.
2. Test if my protection against a drive-by download (EICAR.COM) is enabled.
3. Test if my protection against the download of a Potentially Unwanted Application (PUA) is enabled.
4. Test if protection against accessing a Phishing Page is enabled.
5. Test if my cloud protection is enabled.
Android
Disaster recovery
Develop a recovery strategy
Recovery strategies to consider
Surviving site
Self-service
Internal arrangement
Reciprocal agreements / mutual aid agreements
Dedicated alternate sites
Work from home
External suppliers
No arrangement
The chosen recovery strategy must meet organizational needs
Cost-benefit analysis (CBA)
Initial cost of setting up the strategy
Ongoing cost of maintaining the recovery solution
Cost of periodic testing of the plan
Communication-related expenses
Implement a backup storage strategy
Recovery Time Objective (RTO) / Maximum Tolerable Downtime (MTD) / Recovery Point Objective (RPO)
Backup methods
Full backup
Copies all files and clears the archive bit
Incremental backup
Takes copies of only the files that have changed since the last full or incremental backup
and then sets the archive bit to "0"
Takes the most time to restore (last full backup plus every incremental since)
Differential backup
Copies only the files that have changed since the last full backup
and does not change the archive bit value
Restored from the last full backup plus the latest differential
Recovery site strategies
Dual data center
Used when downtime of the application is unacceptable to the organization
Advantages
Little or no downtime
Easy to maintain
No restore needed
Disadvantages
Higher cost
Requires redundant hardware, networks and personnel
Limited by distance
Hot sites
Internal hot site
A standby site prepared with all the technology and equipment needed to run the applications
In normal times runs non-time-sensitive workloads
such as a development or test environment
External hot site
The facilities are in place, but the environment needs to be rebuilt
These services are governed by the service provider agreement
Advantages
Allows testing of recovery strategies
High availability
Site can be restored within hours
Disadvantages
Internal hot sites are more expensive than external hot sites
External hot sites may have software and hardware compatibility issues
Warm site
A leased facility partially equipped with some equipment but not the actual computers
Cold site
A shell or empty data center without any technical facilities on the floor
Advantages
Low cost
Suitable for longer recovery times
Disadvantages
Cannot recover quickly
No complete testing possible in advance
Mobile site
A mobile trailer or standard container equipped with the appropriate telecommunications and IT equipment; it can be towed, dropped and placed at the required alternate location to provide key services such as telephone switching
Advantages
Highly mobile and relatively easy to transport
A modular approach to building data centers
No indoor facility required when building
Disadvantages
Cold-site capabilities must still be established at the designated location
The density and design of the containers make upgrades and customization extremely challenging
Maintaining shipping contracts or moving the equipment in the event of a disaster is expensive
Multiple processing centers
Usable when the organization has facilities across the country or the world
Requires sufficient bandwidth and acceptable latency between them
Can be thought of as a "reciprocal agreement" within the organization
Processing agreements
Reciprocal agreements
Used to share downtime risk between organizations
In the event of a disaster, each organization commits to taking on the other's data and processing
Issues
The organization must commit to reserving spare processing capacity for the partner, or to reducing its own processing when the partner is down
Organizations first need to be able to comply with these agreements
Difficult to find a suitable partner within the industry or among competitors
Outsourcing
Meets the enterprise's cost-effectiveness needs
Carries the risk of unknown capability and of the provider failing to meet requirements
The SLA can state that services will be provided within a period of time, but it does not truly guarantee coverage in a disaster
Advantages
On-demand services
All requirements and enforcement responsibility lie with the third party
Lower cost
Wider geographical choice
Disadvantages
More proactive testing and assessment needed to confirm that capability is maintained
Disputes over the agreement may prevent the vendor from honoring it
Deployment of proprietary systems leads to vendor lock-in
If outages occur frequently, the cost of outsourced capacity may exceed the cost of building it in-house
System resilience and fault tolerance requirements
Trusted paths and fail-safe mechanisms
Trusted path
Provides a trusted interface for privileged user functions
Provides a means to ensure that communications using this path are not intercepted or corrupted
Typical countermeasures
Fail-safe
On failure (e.g. power interruption) the control releases (e.g. doors unlock)
Prioritizes life safety and system safety
Fail-secure
On failure (e.g. power interruption) the control locks down
Prioritizes blocking access in a controlled manner after a failure, while the system is in an inconsistent state (property protection)
Redundancy and fault tolerance
Device backup
Spare parts
Cold standby
Spare equipment, not powered on
Identical to the primary device
Can be brought into service if needed
Generally stored near the primary device
Requires manual intervention to bring online
Warm standby
Already installed in the system but not enabled unless needed
Hot standby
Installed in the system, powered on and kept in sync, ready to take over immediately when needed
Redundant systems
Typical redundant configurations
Active/standby pair
The primary system provides all services
The passive system monitors the primary and takes over on failure
Cluster
Two or more nodes join the cluster and provide services simultaneously
Power backup
Redundant (or dual) power supplies
Uninterruptible power supply (UPS)
Alternative energy sources (such as diesel generators)
Drives and data storage
SAN and NAS
SAN (storage area network)
A SAN consists of dedicated block-level storage on a dedicated network
Numerous storage devices such as tape libraries, optical drives and disk arrays
Protocols like iSCSI or Fibre Channel make the storage appear to operating systems as locally attached devices
Large banks of disks are made available to multiple systems connecting to them via specialized controllers or via Internet Protocol (IP) networks
NAS (network attached storage)
Operates at the file level instead of the block level
Designed simply to store and serve files
FTP servers
Shared file servers
Network drives
NAS may also be used to provide storage for multiple systems across the network
RAID (Redundant Array of Independent Disks)
A technology used to increase redundancy and/or improve performance by logically combining multiple physical disks into one logical array. Depending on the level, writes are striped across the disks, mirrored to all of them, or protected by parity
RAID 0
Writes files in stripes across multiple disks without parity information
Fast reads and writes
All disks can be accessed in parallel
Provides no redundancy
Use RAID 0 only for temporary data
RAID 1
Duplicates all disk writes from one disk to another to create two identical drives
Data mirroring
Redundancy
Costly (half the raw capacity is usable)
RAID 2
More or less theoretical and not used in practice
Hamming error-correcting code
RAID 3 and 4
Require three or more drives
Data striping
Dedicated parity drive
Parity information
written to a dedicated disk
Data is striped
across multiple disks at the byte level for RAID 3 and at the block level for RAID 4
Fatal weakness
The single parity drive: every write updates it, so it is a bottleneck
RAID 5
Similar to RAID 4
but the parity information is striped across all drives
Most commonly used for general data storage
RAID 6
Extends the capabilities of RAID 5
by computing two independent sets of parity information (survives two simultaneous disk failures)
Performance is slightly lower than RAID 5
RAID 0+1 and RAID 1+0 (RAID 10)
Combine two different RAID types (striping and mirroring)
Redundant Array of Independent Tapes (RAIT)
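The parity levels above become clearer with a small working model. The following is an added example, not from the mind map and not how any real controller is implemented: it stripes data across N disks with one XOR parity chunk per stripe, either rotating the parity position (RAID 5) or pinning it to one disk (RAID 4), then discards any one disk and rebuilds it from the survivors. The 4-byte chunk size and the constructed data are assumptions for the demonstration; real arrays work on sector- or kilobyte-sized chunks.

```python
"""RAID 4/5 in miniature: XOR parity, rotating vs dedicated placement, rebuild.
Added example, not from the CISSP text. CHUNK is an assumed toy chunk size."""

CHUNK = 4  # bytes per chunk; real arrays use sector- or kilobyte-sized chunks


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte strings (the parity function)."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe, n_disks, rotate):
    """RAID 5 rotates parity across disks; RAID 4 pins it to the last disk."""
    return (n_disks - 1 - stripe) % n_disks if rotate else n_disks - 1


def write_array(data, n_disks, rotate=True):
    """Stripe data with one parity chunk per stripe; returns per-disk chunk lists."""
    if n_disks < 3:
        raise ValueError("need at least three disks")
    per_stripe = (n_disks - 1) * CHUNK
    padded = data + b"\x00" * (-len(data) % per_stripe)   # pad to whole stripes
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        stripe = padded[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        p = parity_disk_for(s, n_disks, rotate)
        data_iter = iter(chunks)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunks) if d == p else next(data_iter))
    return disks


def read_array(disks, length, rotate=True):
    """Read back user data, skipping the parity chunk in each stripe."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks, rotate)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Reconstruct disk `failed` from the survivors. In every stripe the XOR of
    all n chunks is zero, so the missing chunk (data or parity) is the XOR of the rest."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    n_stripes = len(survivors[0])
    return [xor_blocks([d[s] for d in survivors]) for s in range(n_stripes)]


def parity_load(n_stripes, n_disks, rotate):
    """Parity chunks per disk: RAID 4 funnels every parity update to one disk
    (the bottleneck the text calls its fatal weakness); RAID 5 spreads them."""
    load = [0] * n_disks
    for s in range(n_stripes):
        load[parity_disk_for(s, n_disks, rotate)] += 1
    return load


if __name__ == "__main__":
    sample = b"CISSP domain 7: resilience through parity"   # constructed data
    array = write_array(sample, 4)
    array[2] = None                                      # disk 2 dies
    array[2] = rebuild_disk(array, 2)
    print(read_array(array, len(sample)) == sample, parity_load(8, 4, True), parity_load(8, 4, False))
```

A second simultaneous failure breaks the XOR relation and nothing in this model can recover it; that is exactly the gap RAID 6 closes with its second, independent parity.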
Database shadowing
Used by database management systems to update records at multiple locations
A full copy of the database is maintained remotely
Backup and restore systems
Backup data includes critical system files and user data
Backup window
Large enough
Full backup
Not large enough
Differential or incremental backup
Backup involves copying data from production systems to removable media
such as transporting high-density tapes to, or storing them at, a different location
At least three copies of the backup tapes
Original site
Recover a single failed system
Near site
The primary site suffers a general failure and its tapes are destroyed
Remote site
Off-site location
A secure location some distance away from the primary site
Electronic vaulting
Back up data over the network
Mirroring
Changes to the primary system are transmitted to the repository server in real time
Repository server
Configured like a storage device
Instead of real-time updates, file changes are delivered to the repository as incremental or differential backups
Journaling / transaction logging
Database management systems use techniques that provide transactional redundancy
Staffing resilience
Avoid single points of failure in key personnel
Adequate staffing levels
Proper training and education
Job rotation and cross-training
Disaster recovery process
DR areas
DR includes response, people, communication, assessment, recovery and training
The process must be documented
Organization-level continuity testing strategy
Set by the board and senior management
Test strategy and plan
Includes use of the BIA and risk assessment
Identifies key roles and responsibilities and establishes minimum requirements for the organization's business continuity testing, including baseline requirements for test frequency, scope and reporting of results
Testing strategies vary with the organization's scope and risk scenarios
Address testing for the organization and its service providers
The testing strategy for internal systems should include the people involved when systems and data files are tested
Plan documentation
Document the recovery response to various incidents
Documentation should be stored at all recovery facilities
The documentation should be detailed enough that people with the relevant skills can complete the technical recovery the first time they attempt it
Test the recovery plan regularly and update it as needed
Response
Notify the centralized communications team after an incident occurs
Centralized contact number
Help desk
Technical operations center
Physical security personnel
Monitoring personnel
Response plan
Create an emergency contact list
Assessment team
Notified first
Determines whether the incident requires escalation
First escalation team
Incident owner
Incident responders
Establish communication channels
Conference call
Establish alternative communication channels internally and externally
Do not forget that some services may be unavailable
Courier services
Water and electricity
Executive emergency management team
Made up of the organization's senior managers
Not involved in the initial response
Takes overall responsibility for recovery of the organization and the business
Located in the command center after the incident
Does not manage daily operations
Executives respond to and help resolve issues that require their direction
Focus on the strategic response
Crisis management vs. crisis leadership
Managing
Reactive
Short term
Process
Narrow
Tactical level
Leading
Anticipatory
Long term
Principles
Broad focus
Strategic level
Emergency management team
Reports directly to the command center
Responsible for overseeing the disaster recovery team and developing the recovery and restoration processes
Reports incident status to senior management
Makes decisions that support recovery
Main functions
Disaster recovery team
Retrieves records and recovery information stored off-site
Reports to the off-site facility
Performs recovery procedures in priority order
Communicates recovery status to the command center as needed
Identifies issues and reports them to the management team for resolution
Staffs the recovery team to support 24/7 shifts
Establishes liaison with key business users and personnel
Repairs and replaces equipment and necessary software to resume normal operations
Command center
Center for communication and decision-making during emergencies
Provides emergency response documentation and other resources needed to respond to the disaster
Also includes procedures for handling financial matters
Initial response plan
Organizations with multiple locations need a plan for each business site
What are the key business functions or technologies at the site?
Prepare an appropriate recovery strategy for them
Who is the decision maker?
Where should people go if they cannot get back into the building?
The process for declaring a disaster
Backup site location
Travel options to the backup site
Workstation allocation at the backup site
Hotels near the backup site; transportation services and logistics
Personnel
Human resources issues are a problem in many plans
Disasters can greatly affect people
In a disaster, the organization must attend to the hardships of team members' families as well as its own needs
The level of support team members need depends on the nature of the disaster
Include administrative support as part of the recovery team
Communication
Notifying employees
In an emergency, members of the emergency contact list are contacted directly by the responsible management team
Describe how the organization will contact the remaining staff
Establish an emergency information line
Keeps employees informed about the disaster that has occurred
Print the number on the back of the employee badge or on a refrigerator magnet
Stakeholders
Employees and their families
Contractors and business partners
Facility and site managers
Staff managers (HR, IT, etc.)
Senior managers; board of directors
Institutional investors and shareholders
Insurance representatives
Suppliers and distributors
Customers
Government regulators and politicians
Competitors
Unions
Communities
Industry activist groups
Internet users and bloggers
Media representatives
What to say
During disaster recovery, every employee should give customers and vendors a consistent account of the situation
The business should provide all stakeholders with updated information on recovery status
Honest
Accurate
Security professionals need to establish problem reporting and management processes
Conference bridges
Assessment
In an incident, the impact of the incident must be determined
Tiers or categories
Non-incident
Incident
Reported to management
Severe incident
Management report required
Recovery
The last part of the plan covers restoring the primary environment and migrating back to normal operations
The rest of the organization is concerned with recovery at the alternate site
Part of the focus is what must be done to return to the production environment at the primary facility
Contact the legal department and the insurance company before restoring the primary site
Take photographs before taking action
The migration plan must document the process and details of how to migrate back
Asset replacement
Negotiate with vendors to provide equipment to rebuild or restore the data center
Provide training
No matter how good a plan is, it will not work if nobody knows about it
Leadership team
Must know crisis management
In disaster recovery their job is not performing the recovery but leading the organization back to normal
Technical team
Must know the procedures for performing the recovery
and the logistics of the facilities they will go to
Employees
Evacuation plan
Include part of the BCP in new employee training
Exercises, assessment and plan maintenance
Testing strategy
■ Expectations for business lines and support functions to demonstrate the achievement of business continuity test objectives consistent with the BIA and risk assessment;
■ A description of the depth and breadth of testing to be accomplished;
■ The involvement of staff, technology, and facilities;
■ Expectations for testing internal and external interdependencies;
■ An evaluation of the reasonableness of assumptions used in developing the testing strategy.
The test strategy contains the test objectives and scope
BCP tested at least once a year
Testing is also required when major changes occur
Test objectives can start simple and gradually increase in complexity, level of participation, functions and physical locations
Testing should not jeopardize normal business operations
Tests demonstrate the various management and response capabilities under a simulated crisis, gradually adding more resources and participants
Reveal inadequacies so that procedures can be corrected
Consider deviating from the test script to insert unexpected events, such as the loss of key individuals or services
Include sufficient volumes of all transaction types to verify the capacity and functionality of the recovery facility
The test strategy includes the test plan
Based on the predetermined test scope and objectives
Contains the test plan review process
Includes development of the various test scenarios and methods
Test plan
The master test plan should include all test objectives
Specific description of test objectives and methods
All test participants, including support roles
Assignment of test participants
Test decision makers and follow-up plans
Test location
Test escalation conditions and test contact information
Test plan review
Testing strategy
Test scope and objectives
BIA: verify RTO and RPO
Testing strategy
Set by senior management
Roles and responsibilities, frequency, scope and reporting of results
Business recovery and disaster recovery exercises
Business recovery
Focuses on testing the operation of the business lines
Disaster recovery
Focuses on testing continuity of the technical components
Checklist review
Distribute copies of the BCP to the managers of each key business unit
Ask them to review the portions of the plan relevant to their department
Tabletop exercise / structured walk-through test
A tool for initial testing of the plan, but not the best way to test it
Objectives
Ensure key personnel from all areas are familiar with the BCP
Ensure the planned response organization is able to recover from disasters
Characteristics
Conducted in a meeting room; low cost
Simulation test / walk-through drill
Contains more than the tabletop walk-through
Participants select a specific event scenario and apply the BCP to it
Functional test / parallel test
Involves actual personnel moving to the alternate site, establishing communications and carrying out real recovery procedures as specified in the BCP
The primary purpose is to determine whether critical systems can be restored at the alternate processing site when personnel follow the procedures in the BCP
Characteristics
Full interruption / full-scale test
The most complex test
Simulates as real a scenario as possible
Disruptive; must be planned so that the business is not harmed
Plan update and maintenance
Every team has an obligation to participate in the change control process
Planning documents and all related procedures are reviewed every three months
Formal audit of the program at least once per year
Plans must be under version control
From project to program
Continuity planning is an ongoing process
All defined tasks must be kept current and consistent with the existing environment
There must be annual requirements
Emergency management organization (EMO)
Formal management response process
On-site coverage, support and expertise
Areas covered
■ Security
■ Real estate
■ Systems
■Human resources
■ Organizational communications
■ Compliance
■ Risk and insurance management
■ Organizational contingency planning
Team Responsibilities
■ Responding to incidents and emergencies
■ Determining the extent of the impending or actual emergency situation
■ Establishing and maintaining communication with senior management
■ Communicating with employees and customers
■ Managing media communications, security, systems, facilities
■ Coordinating and integrating business continuity planners
The organizational emergency operations center (EOC)
Provides the location
and the resources needed to manage the organization's recovery, whether or not the EMO is activated
Roles and responsibilities
The organizational contingency planning group
■ Setting strategic direction and plans for all organization units to ensure BC and effective emergency management.
■ Integrating the contingency planning process across organization units when the nature of the organization requires it.
■ Providing consulting services and direction to senior level contingency managers.
■ Coordinating and integrating the activation of emergency response organizations with the organization units.
■ Providing periodic management reporting and status.
■ Ensuring executive management compliance with the contingency planning program.
■ Ensuring the identification and maintenance of all critical organization functions and requirements.
■ Procuring and managing the alternate sites used to support recovery of the operations of the company whether technical or organizational.
■ Developing, implementing, and maintaining policy and guidelines for all organization units to follow.
■ Developing and maintaining testing and maintenance programs for all contingency planning organizations.
■ Providing training, maintenance, and support for approved contingency planning tools.
business continuity planners
■ Provide primary contact for their functional area to handle coordination response during an organization interruption.
■ Act as a resource for contingency planning efforts within their area of responsibility.
■ Secure appointment, training, and backup of all contingency planning and response teams.
■ Assist in the design and maintenance of alternate sites.
■ Maintain currency of all contingency planning documentation, including all deliverables listed in Figure 7.8.
■ Program requirements
Business continuity and other risk areas
BC has an important relationship with the other security domains
Physical access control
Perimeter security implementation and operations
Purpose of physical security
Controlling access to physical facilities, the first barrier in facility protection
Defense in depth
If one layer of mechanisms fails, the others still function
Secure the weakest link
"Rings of protection"
Deter, detect, delay, respond
Examples of key building components
■ Emergency generator, including fuel systems, day tank, fire sprinkler and water supply
■ Fuel storage
■ Telephone distribution and main switchgear
■ Fire pumps
■ Building control centers
■ Uninterruptible power supply (UPS) systems controlling critical functions
■ HVAC systems, if critical to building operation
■ Elevator machinery and controls
■ Shafts for stairs, elevators and utilities
■ Critical distribution feeders for emergency power
Doors and walls
Barriers
Barriers can be composed of natural or manufactured elements, such as mountains, rivers or green belts,
and are designed to impede or deny access
Objective
Fences
Fences are a perimeter identifier designed and installed to keep intruders out
The chain-link fence
is largely a psychological deterrent
and a boundary marker
Gates
Gates exist to facilitate and control access
Walls
Walls serve the same purpose as fences
Walls ought to be 7 feet high with 3 to 4 strands of barbed wire on top
Perimeter intrusion detection
Infrared sensors
Active infrared sensors
transmit an infrared beam from a transmitter
to a receiver at the far end
Interruption of the normal IR signal indicates an intruder or object has blocked the path
Passive infrared sensors
designed for human body detection, so they are good at detecting someone approaching
Passive infrared sensors detect the heat emitted by animate forms
Microwave
Two configurations
bistatic and monostatic
radiate a controlled pattern of microwave energy into the protected area
The transmitted microwave signal is received and a baseline "no intrusion" signal is established
Bistatic sensor
sends an invisible volumetric detection field that fills the space between a transmitter and a receiver
Monostatic microwave sensors
use a single sensing unit that incorporates both transmitting and receiving functions
Coaxial strain-sensitive cable
These systems use a coaxial cable woven through the fabric of the fence
The coaxial cable carries an electric field that is disturbed when the fence is climbed or cut
Time domain reflectometry (TDR) systems
TDR systems send induced radio frequency (RF) signals down a cable attached to the fence fabric
Intruders climbing or flexing the fence create a signal path flaw that can be converted into an alarm signal
Video content analysis and motion path analysis
Sophisticated software analysis of the camera images
CCTV camera systems are increasingly being used as intrusion detection systems
Complex algorithms allow CCTV systems to detect intruders
Illumination
Security lighting can be provided for overall facility illumination and along the perimeter so that security personnel can maintain visual assessment during darkness
Provides both a real and a psychological deterrent
Types of lighting systems
Continuous lighting
Standby lighting
Movable lighting
Emergency lighting
0.2 foot-candles
Types of lights
Fluorescent lights
Mercury vapor lights
Sodium vapor lights
Quartz lamps
American Institute of Architects guidance
Interior lighting levels
range from 5 to 10 fc
Exterior lighting requirements
■ Building entrances (5 fc)
■ Walkways (1.5 fc)
■ Parking garages (5 fc)
■ Site landscape (0.5 fc)
■ Areas immediately surrounding the building (1 fc)
■ Roadways (0.5 fc)
Adequate lighting for monitoring activities is important
Infrared illuminators
Most monochrome CCTV cameras are sensitive to infrared light, so IR illuminators let them see in darkness
Card types
Magnetic stripe cards
A magnetic stripe holding identifying data (as on a credit card) is bonded to the PVC card
Proximity cards
Contain an antenna and a chip with an identification code; the reader powers and reads the chip through an electromagnetic field
Smart cards
IC cards containing a microprocessor chip with some data-processing capability
Other security measures can be integrated
PIN code or biometric measure combined with the card
CCTV (closed-circuit television)
Functions
Surveillance
Assessment
Deterrence
Evidentiary archives
Cameras
Color cameras offer more information
Outdoor cameras
Outdoor camera installations cost more than indoor cameras because the camera must be environmentally housed, heated and ventilated
Fixed-position cameras
A fixed-position camera cannot rotate or pan
Pan/tilt/zoom (PTZ) cameras
PTZ camera mounts allow the camera to rotate, pan, tilt and zoom
Dome cameras
Internet Protocol (IP) cameras
An IP camera captures the video image digitally
The IP camera resides on a local area network
Lens selection
Focal length is the distance from the surface of the lens to the point of focus, measured in millimeters
Lenses have either a fixed or a variable focal length
Lighting requirements
"Light-to-dark" ratio
Resolution
Image resolution
Frames per second (FPS)
CCTV cameras transmit video as image frames; the rate is expressed in frames per second (fps)
Compression
MPEG-4
Digital video recorder (DVR)
DVRs typically come in 8-port or 16-port versions, meaning that 8 or 16 cameras can be recorded at one time
Monitoring displays
Single image display
Split screen display
Matrix display for large-format displays
Alarms
Monitoring center
also known as the security console center
or dispatch center
Maintaining a 24/7 security control center requires at minimum two officers per shift
Design requirements
Security guards
Physical protection measures ultimately require personnel to intervene and respond to alarms
Security personnel conduct random foot patrols of the building or are stationed at a fixed post
Control access by checking employee ID cards
Strong deterrent, but high cost
Limited personnel reliability
When hiring security guards, screening and selecting reliable personnel is the most important step
Proprietary
Proprietary guards benefit from esprit de corps and a sense of community
Disadvantages
Hybrid
Internal security
Internal intrusion detection systems
Balanced magnetic switch (BMS)
Motion-activated cameras
Acoustic sensors
Infrared linear beam sensors
Passive infrared (PIR) sensors
Dual-technology sensors
Escorts and access control
The visitor is escorted at all times while inside the facility
Other types of visitor management systems use a computer-based system or a specific visitor software product
Buildings and their interior security
Doors
Door locks
Locks are commonly used and provide cost-effective protection that can contain or delay intrusion. Newer locks add access logging and address the problems of key loss and duplication.
Electric locks
Electric strikes
Magnetic locks
Anti-passback (a credential cannot be used to enter again until it has been used to exit)
Lock categories
Rim lock
Mortise lock
Locking cylinders
Cipher lock
Combination locks use a keypad and can be programmed
Hi-tech keys
"Intelligent keys"
"Instant keys"
Safes
Tool-resistant safe, Class TL-15
Requirements
Vaults
■ Class M - one quarter hour
■ Class 1 - one half hour
■ Class 2 - one hour
■ Class 3 - two hours
Containers
Key control
Critical elements
Personal safety
Privacy
All individuals have an expectation of privacy
Travel
You should know
Before you travel
Prepare your device:
While you're away
When you return
Duress