As a Systems Security Certified Practitioner (SSCP) you may be called upon to be a member of an incident response team and take an active part in security investigations. As an integral member of the security team you will be required to determine the difference between an event and an incident using many tools, logs, and monitoring techniques. Once an incident is identified, you may be required to take specific corrective or recovery actions, follow procedures, and record events according to incident response plans. You will need an understanding of how to handle incidents using proven methods that result in the preservation of a scene as well as careful acquisition, recording, and tracking of evidence. You will be expected to use plans and procedures that produce consistent results during an incident investigation.
As an IT team member, you may be required to perform duties in support of business continuity. A thorough understanding of the business continuity plan will enable you to take the required actions assigned to you during an incident or crisis that may cause potential harm to a portion or all of the business. It will be important for you to understand the terminology and techniques that may be applied during such an event.
In the event that parts of the enterprise are physically damaged, you may be involved in recovery operations. The disaster recovery plan will illustrate concepts and how they can be used in order to mitigate damages and recover business operations during an emergency event. You'll also be required to understand the recovery process so the business operations can be restored as quickly as possible.
The incident response policy is part of the overall IT security policy for the organization. It is a high-level document that generally includes all aspects of the organization and all geographic locations. With very large organizations that span globally diverse countries or that include independent operating units or divisions, a number of incident response policies might be written to address individual locations or corporate requirements. The incident response policy establishes the foundation, authorities, and concepts upon which all incident response plans can be built.
The incident response policy includes the following components:
Standards are the criteria that the organization must meet or be in compliance with in order to avoid fines or other actions levied against the organization. Standards may be required to meet a contractual agreement between partner organizations. In some industries, industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) are enforced to set various performance criteria and reporting standards. Federal regulatory bodies may also apply standards that must be adhered to during normal business and during times of crisis.
Standards imposed by industry organizations and regulatory agencies should be applied to an incident response policy. That may include requirements with respect to reporting the occurrence of an incident, recording aspects of handling the incident, and reporting the final outcome and incident closure.
Procedures are lists of the steps or activities that response teams should follow to perform all required duties as listed in an incident response plan. An organization may have several different incident response plans, depending on the nature of the incident.
Guidelines are informal lists of best practices or good practices, either internal to the organization or as listed in various best practice frameworks such as the Information Technology Infrastructure Library (ITIL). A guideline may be a recommended course of action that is not included as an established procedure.
When creating an incident response plan, individuals responsible should take into consideration various terms and definitions to be used throughout the organization. These terms and definitions should be integrated into the plan so that all of those involved may refer to the same terminology. Here is a list of some of these terms:
On any network, there could be a great number of events happening all the time. Only a small fraction of these events might be classified as incidents.
The incident response plan will detail the activities that should take place once an incident is detected. Some organizations may refer to the activities as an incident response cycle. The following phases are involved in a normal incident response plan:
Detection can also be manual, such as through log analysis, operator investigation, or observation. Operators using investigation or intuitive processes determine that there is a problem on the network.
A great many sources can be used when analyzing data and information. In some cases, analysis involves tracking the event through various devices on the network. Triage is a medical term used in the analysis of events or situations and the setting of priorities. By setting priorities, the incident response team can address various events and incidents in an orderly fashion.
Activities during the response include activating response teams, notifying management and executive members, and initiating contact with law enforcement agencies. Response activities should also minimize the knowledge that an attack has happened and contain the information on a need-to-know basis. Incident response plans must have a complete media communication section identifying spokespersons and the information that may be disseminated.
An incident response plan should be created to address various levels of escalation of an incident. Not all incidents are created equal. Therefore, various response strategies may be implemented, depending on the triage or estimated severity of damage an incident may create. A typical table of alert levels is illustrated in Table 6.1.
Table 6.1 Alert levels

| Level | Label | Description of Risk |
| --- | --- | --- |
| 4 | Severe | Highly disruptive levels of consequences are occurring or imminent. |
| 3 | Substantial | Observed or imminent degradation of critical functions with a significant level of risk. |
| 2 | Elevated | Early indications of the potential of risk. |
| 1 | Guarded | Baseline of risk acceptance. |
| 0 | Normal | Normal operations. |
Utilizing various levels or stages to describe an event is beneficial. For instance, different cyber incident stages may involve different personnel on a response team. Also, reporting responsibilities may depend on the stage.
A communication plan is a vital part of an incident response plan. During an incident or disaster event, the news media, business partners, and government agencies may require incident reports, event information, and news releases or press statements concerning the event. It is very important to clearly describe in an incident response plan who within the organization is responsible for handling a press or law enforcement contact and what the correct message should be. At the same time, through training, orientation, and policy, all personnel should be aware of how to handle any media inquiries and to whom to forward them. It is also important to include incident nondisclosure statements in all third-party vendor and contractor contracts.
Consideration should be given to the communications released to both law enforcement and the news media.
A major consideration when law enforcement is involved is determining the amount or type of evidence that can be collected. In some instances, private information, personal identification information, HIPAA-restricted information, and corporate confidential information may be part of the evidence of an incident. Evidence that is collected may become public through various court procedures.
An incident response plan should clearly specify the person or persons from the organization who are authorized to contact law enforcement and what circumstances trigger the contact. It should also state what information they can provide and what services they can request. The response plan should include all of the law enforcement agency communication contacts, including the name of the individual and their working hours and after-hours contact information. Meetings should be held with all law enforcement contact personnel prior to any incident to gain a full understanding of the responsibilities of all parties.
The incident response plan should also include the departments responsible for handling dissemination of specialized information such as the legal department, public-relations department, investor relations department, and marketing department. Each of these departments should be involved in an incident response plan and determine how they will handle distribution of different types of authorized information that should be released to the media, shareholders, customers, and affected individuals.
An incident response team is the core of the incident response plan. The members involved in an incident response team may vary depending upon the structure of the organization or the nature of the incidents encountered. The proper structure of an incident response team includes representatives of the IT department, the human resources department, legal services, public relations, executive management, accounting/auditing, and the physical security department. A good incident response team consists of named individuals, and their alternates, who participate in training and exercises to adequately perform their duties during an incident. Ad hoc or “only person available” team membership should be avoided, but if that's the normal response action for a department, each person that might respond should receive incident response training. Secondary or supporting team members should also be identified, such as network administrators, database administrators, and technical experts.
An incident response plan should also identify third-party forensic companies that may be engaged depending upon the severity level of the incident.
Incident response teams may be constructed both on needs and geographic requirements. Here are some of the different types of teams:
Incident response plans should require the incident response team to keep activity records starting at the beginning of the incident and continuing through resolution. Team responders should record all actions and activities, either during the process or immediately thereafter, to completely document all actions taken during the event. In the event of a formal forensic examination or eventual legal action, the collection and documentation of all evidence, description of the scene, statements from individuals, and evidence processing notes must be filed and maintained.
Many incident response teams regularly review after-action reports to identify areas of improvement.
A wide range of incident report templates are available on the Internet. At a minimum, the following incident response information should be recorded:
All digital records associated with an event that leads to an incident response must be retained. Event discovery or alerts may be triggered automatically through the use of intrusion prevention systems (IPSs) or intrusion detection systems (IDSs) or a number of other software solutions or hardware appliances. Events may also be discovered through manual review of system logs or other log information.
Security Information and Event Management (SIEM) systems are used to provide a common platform to collect historical log information as well as real-time information from monitored devices. (Note that other texts may refer to this subject as Security Event and Information Management, or SEIM.) Applications are available that provide easy searching through multiple logs for correlating event information. The output logs of both real-time and historical investigations should be stored for an appropriate retention period. Corporate policy may require that event logs be kept for an indefinite period of time. The default on some log acquisition systems is 30 to 60 days.
The incident response plan should provide the details of all actions to be taken during a specific incident. Actions might include isolating the device from the network by, for example, disconnecting the Ethernet plug or pulling the power plug from the wall to shut down the affected network equipment. Plans may differ depending upon forensic investigation requirements. For instance, a forensic investigation might include disconnecting the device from the network but keeping the unit powered up so that volatile RAM memory can be recorded or examined. A Faraday bag may be utilized to shield a device that is connected to a wireless access point. A Faraday bag is designed as a shield to prohibit a device from transmitting or receiving radio signals.
It is never advisable to take no action and merely “monitor” an attack while it is in progress. In some cases, an IT individual may attempt to trace an attack back to its origin rather than terminating the attack. Such a trace is usually fruitless, as attackers have many ways of disguising their actual location. Sources such as log files, monitoring appliances, honeypots, bastion hosts, and other devices may record the IP address or vectors of an attack. If an attack is discovered and not stopped, the organization may face various legal liabilities.
Many corporate incident response policies require that a post-incident restoration action be invoked after an attack. These usually require that the attacked unit be reimaged or restored from known good backups. Rarely are devices placed back into service after only one anti-malware or antivirus scan.
Countermeasures are usually put in place as a response to a risk analysis. In many cases they are intended to mitigate specific threats or vulnerabilities. Controls involve a much broader category of risk mitigation tools and may be put in place in response to best practices or due care. In many situations, the terms countermeasure and control are used interchangeably.
As an SSCP, you may be involved in implementing countermeasures throughout the organization. These countermeasures may include hardware devices such as IPSs/IDSs, antivirus software, anti-malware software, and network-based hardware appliances. Countermeasures, such as intrusion detection and prevention devices, must be adjusted or tuned correctly to be effective on a network. A false sense of security may be prompted by an ineffectively adjusted protection device. Every network protection device should have an established baseline and the performance of the device should be measured regularly against the baseline.
The application of countermeasures in a network or on a device such as a host computer does not relieve the operators or administrators from responsibility. User training is important so that controls and countermeasures are installed and operated correctly.
Thanks to many crime shows, many are familiar with the science of forensics and a forensics investigation. We all know it involves the identification and analysis of materials usually found at an incident scene. Usually at the point of acquisition, the decision as to whether it constitutes evidence has not yet been determined. The goal of forensics and the forensics examiner is to analyze material using professional assessment techniques to answer various questions for investigators.
Digital forensics involves the investigation of computer-related incidents and the gathering of computer-related information that may have originated during an incident or an attack. All materials collected during a digital forensic investigation are subject to the same procedural guidelines and practices so that the evidence may be presented in a legal court trial.
A number of organizations establish guidelines for use during computer forensic investigations:
In general practice, it's advisable to refer to the physical location of an incident as an incident scene rather than a crime scene. This avoids a rush to judgment as well as possibly unfounded or inaccurate accusations of individuals at the location.
In the case of the cyber incident, the incident scene is located in two environments:
First responders to a digital incident must be trained on how to preserve a digital incident scene. If evidence is contaminated, changed, or altered, it is no longer of any use during the investigation. During an attack or other incident, users should be educated to step away from their host machines, workstations, or other digital equipment to allow the incident response team and forensic examiners to gather material and data.
It is a well-known fact in forensic science that just observing evidence changes it. For instance, let's say that you want to check a file to see when it was last accessed. By opening the file to check, you update its last-accessed timestamp to the current date.
The volatility of evidence determines the priority that evidence must be collected. The volatility is determined by the life expectancy of evidence once power is withdrawn. As might be expected, evidence resident in RAM will be deleted or eliminated once power is withdrawn.
The following list includes evidence from the most volatile to the least volatile:
Forensic investigators usually acquire and process data in the order of volatility. Some incident response plans call for immediate disconnection and shut down of the target host or server. This eliminates the accessibility to any volatile memory that might be stored in RAM or register type devices.
Dr. Edmund Locard was a pioneer in forensic science and formulated Locard's exchange principle, which states that the perpetrator of a crime will bring something to a crime scene and leave with something from it. This is the foundation of trace evidence, that the perpetrator may leave dirt, hair, fingerprints, smudges, oils, or other residue at a crime scene. It also holds that the trace evidence from a crime scene will leave with the perpetrator, such as carpet fibers and other minute pieces of evidence that may link the perpetrator to the location.
In digital forensics, Locard's exchange principle holds that any perpetrator of an intrusion leaves behind trace evidence within the system. This trace evidence may be used to identify the attacker.
Chain of custody refers to a forensic principle whereby each movement or transfer of data must be recorded and logged appropriately. If the chain of custody is disrupted by any means, the evidence may not be presented in court. Evidence should be appropriately identified, including the circumstances under which it was collected, a detailed description of the material when it was collected, and other important information. In most cases, evidence is packed in poly bags for transport to a forensic laboratory or storage location.
The evidence documentation must include, at a minimum, the following information:
Proper steps must be taken to ensure that data cannot be altered. While working with a live hard disk, the forensic investigator will use a specialized write-block hard disk controller that prevents the writing of any information to the hard drive during an investigation. Figure 6.1 illustrates an industry-standard write blocker attached to a hard drive under investigation.
All data on a hard drive under investigation should immediately be copied using industry-standard bit copy software. Products such as EnCase, developed by Guidance Software, and Forensics Toolkit from Access Data offer a suite of tools used by digital forensic examiners to not only create a bit-for-bit copy of hard drive data but also hash the contents to ensure data integrity between the original hard drive source and the copy. The hash value will ensure that no changes have been made to the original disk image. The hash value for an image can be calculated and compared with the original hash value of the data. A data copy should always be used during an examination, while the original is stored as primary evidence.
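The acquisition workflow just described (bit-for-bit copy, hash of source and image, comparison, custody record), as an added example that is not from the book and not EnCase or FTK code. The "drive" is a constructed in-memory byte buffer; the evidence ID and examiner name are placeholders.

```python
"""Bit-for-bit image copy with SHA-256 verification and a chain-of-custody record.

Added example, not code from the book or from any forensic product. The source
device is a constructed in-memory buffer standing in for a write-blocked disk.
"""
import hashlib
import io
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # hypothetical read size; real imagers use larger blocks


def image_and_hash(source, destination, block_size=BLOCK_SIZE):
    """Copy every byte of `source` into `destination`, hashing the source
    stream as it is read. Returns (bytes_copied, sha256_hex_of_source)."""
    digest = hashlib.sha256()
    copied = 0
    while True:
        chunk = source.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        destination.write(chunk)
        copied += len(chunk)
    return copied, digest.hexdigest()


def hash_stream(stream, block_size=BLOCK_SIZE):
    """Independent re-read of a stream, used to hash the image after writing."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_image(source_hash, image_stream):
    """True only when the image hashes identically to the acquired source."""
    image_stream.seek(0)
    return hash_stream(image_stream) == source_hash


def custody_record(evidence_id, collector, source_hash, size, verified):
    """Minimal acquisition entry: who, when, what, and the integrity hash."""
    return {
        "evidence_id": evidence_id,
        "collected_by": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": size,
        "sha256": source_hash,
        "image_verified": verified,
    }


def demo():
    """Acquire a constructed 'drive', verify the image, then show that a
    single altered byte in a copy fails verification."""
    source_bytes = b"\x00" * 5000 + b"MBR-like header" + b"\xff" * 7000
    source = io.BytesIO(source_bytes)
    image = io.BytesIO()

    size, src_hash = image_and_hash(source, image)
    ok = verify_image(src_hash, image)
    record = custody_record("EV-0001", "examiner (placeholder)",
                            src_hash, size, ok)

    # Failure mode: one byte changed in a copy of the image.
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(5000)
    tampered.write(b"X")
    tampered_ok = verify_image(src_hash, tampered)
    return record, ok, tampered_ok


if __name__ == "__main__":
    rec, good, bad = demo()
    print(rec)
    print("image verified:", good, "| tampered copy verified:", bad)
```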
While the forensic examiner is performing the examination of the evidence, they will allow the character of the evidence to lead to various suppositions and potential conclusions. This is the interpretation process that the forensic expert will use to determine the importance or significance of various pieces of the evidence. Through experience, training, and proven forensic examination techniques, the forensic examiner will interpret the data and formulate a conclusion. On occasion, the data will be insufficient to draw any conclusions.
Once the forensic examiner has examined the evidence, they will prepare a report. The examiner's report is very important as it provides information concerning the evidence, the analysis techniques, and the resulting findings to the incident investigator, the prosecutor, other attorneys and possibly the court by way of testimony. Forensic examiner reports differ in content but generally contain the following sections:
It is quite common for either legal side of the court case to request to see the “examiner's notes.” The forensic investigator must keep a log of every action taken and test applied during the evidence examination process.
As a security practitioner, it is essential to understand both the business continuity and disaster recovery programs of the organization. It is almost certain that you will be involved in either or both programs, either during the planning and creation phase or in the event that one or both plans must be put into action.
These plans are created with the assistance of key personnel such as department heads, executives, and subject matter experts throughout the organization. Each plan is the result of an executive-sponsored policy that directs the creation and implementation of such a plan.
The very survival of the business or enterprise rests upon the accuracy of the procedures directed in each plan. A great many businesses neglect to either formulate a plan or maintain the plan over time.
Emergency response plans differ from incident response plans in that an incident response plan usually refers to a network intrusion. Emergency response is generally much broader in nature. For instance, an incident may be a network intrusion that plants malware on several host machines. An emergency is the network being down for an appreciable amount of time, affecting ongoing business operations.
There are two types of emergency response plans:
Business continuity planning is a set of procedures and prearrangements that can be put into action in the event of a disaster. The effort of the continuity plan is to maintain, as best as possible, business as usual in the face of a crisis. The business continuity plan is the result of a business continuity policy approved at the executive level. A substantial commitment of personnel and funds is required to achieve an actionable plan. Without significant corporate executive support, a business continuity plan stands little chance of success.
A number of terms are used when creating a business continuity plan. These terms are described in the following sections.
A business impact analysis is performed to determine the resulting impact to the business of the full or partial loss of an operational functional unit of the business. For instance, suppose a manufacturing unit is shut down because a hurricane floods the facility. What effect would it have on the overall performance of the business? In some cases, manufacturing may be shifted to another location. If manufacturing cannot be shifted to another location, the issue becomes how long the business can survive and remain a viable entity without the manufacturing unit.
The business impact analysis determines the functions of the business that are critical and functions of the business that are noncritical. Every business is unique and, depending upon the types of goods and services provided, has both essential and nonessential business functions within it. In order for a business impact analysis to be successful, all functions of a business, essential or not, must be identified. Once identified, they are categorized as to essential or nonessential activities. This categorization may be simply ranking the activities on a 1-to-5 scale with, for example, 5 being the most essential.
Maximum tolerable downtime (MTD) is the total amount of time the organization can be without the department or business function before irreparable harm is done to the organization. In other words, the maximum tolerable downtime is the point after which the survivability of the business is in question. In some circles, maximum tolerable downtime may also be referred to as maximum tolerable period of disruption (MTPoD).
Recovery time objective (RTO) is the point in time by which a lost or “down” business function has been totally restored. Each operational business function may support a different recovery time objective depending upon the function or service. Recovery time objective can be categorized in minutes, hours, days, weeks, or even months. Of course, recovery time is based on a great many factors, including labor, repair parts, new equipment delivery, and even facility repair and build-out. Naturally, the recovery time objective cannot be longer than the maximum tolerable downtime.
Recovery point objective (RPO) specifies a point in time to which data can be restored. The recovery point could be the last full backup plus any completed incremental or differential backups that might have taken place after the full backup. The more frequent the backup, the less data will be lost during a business disruption event. For instance, if the organization uses a dual-write technique such as a RAID-1 mirror backup where the second drive is a cloud drive or off-premises drive, the recovery point objective could be at the point of the business disruption event.
Figure 6.2 illustrates a timeline with the business disruption event in the center (the crash event). The maximum tolerable downtime (MTD) indicates the maximum time the organization can be without the business operational unit. The recovery time objective (RTO) is the point at which full operation will be restored, and the recovery point objective (RPO) indicates the point in time at which reliable data for backup purposes is available. Notice that the vertical line represents cost. The bell-shaped graph represents a cost versus timeline. For example, the closer you move the recovery time objective to the business disruption event, the more it will cost the organization. The closer you move the recovery point objective to the business disruption event, meaning that backups are made more frequently (up to complete data mirroring), the more costly it is for the firm to create the backups.
Since business units require IT processing to perform their duties, IT systems and business network capabilities must be fully operational prior to the maximum tolerable downtime (MTD) of the departments served.
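The RTO/RPO/MTD relationships above, worked through as an added example that is not from the book: it generates a hypothetical weekly-full plus daily-partial backup schedule, derives the restore set and the data-loss window for a disruption, checks it against an RPO, and flags any function whose RTO exceeds its MTD. All dates, business functions and time figures are constructed placeholders.

```python
"""Worked BIA timeline checks (added example, not from the book).

Derives the recovery point from a backup schedule, as the page describes
(last full plus completed incrementals, or last full plus last differential),
and verifies RTO <= MTD for each business function.
"""
from datetime import datetime, timedelta


def backup_schedule(first_full, horizon, full_every, partial_every, kind):
    """Constructed schedule: full backups from `first_full` every `full_every`,
    and `kind` ('incremental' or 'differential') partials every `partial_every`.
    Only backups completed on or before `horizon` are listed."""
    fulls = []
    t = first_full
    while t <= horizon:
        fulls.append(("full", t))
        t += full_every
    partials = []
    t = first_full + partial_every
    while t <= horizon:
        if all(t != ft for _, ft in fulls):   # a full replaces a partial
            partials.append((kind, t))
        t += partial_every
    return sorted(fulls + partials, key=lambda b: b[1])


def restore_set(backups, event):
    """Backups that must be applied to reach the recovery point for a
    disruption at `event`: the last full, then every later incremental,
    or only the last differential."""
    done = [b for b in backups if b[1] <= event]
    if not done:
        return []
    last_full = max(i for i, b in enumerate(done) if b[0] == "full")
    chain = done[last_full:]
    if len(chain) > 1 and chain[1][0] == "differential":
        chain = [chain[0], chain[-1]]
    return chain


def data_loss_window(backups, event):
    """Time between the recovery point and the disruption; None if no backup."""
    chain = restore_set(backups, event)
    return event - chain[-1][1] if chain else None


def rpo_met(backups, event, rpo):
    """True when the achievable recovery point is within the stated RPO."""
    window = data_loss_window(backups, event)
    return window is not None and window <= rpo


def rto_exceeds_mtd(functions):
    """Names of functions whose RTO is longer than their MTD (never allowed).
    `functions` maps name -> (rto, mtd) as timedeltas."""
    return [name for name, (rto, mtd) in functions.items() if rto > mtd]


def demo():
    # Constructed scenario: weekly full on Sunday 02:00, daily partial 02:00,
    # disruption on Wednesday 14:30 of the same week.
    first_full = datetime(2024, 1, 7, 2, 0)
    event = datetime(2024, 1, 10, 14, 30)
    week, day = timedelta(days=7), timedelta(days=1)

    incr = backup_schedule(first_full, event, week, day, "incremental")
    diff = backup_schedule(first_full, event, week, day, "differential")

    # Constructed RTO/MTD figures for two hypothetical business functions.
    functions = {
        "Order entry": (timedelta(hours=4), timedelta(hours=8)),
        "Payroll": (timedelta(days=3), timedelta(days=2)),
    }
    return {
        "incremental_chain_len": len(restore_set(incr, event)),
        "differential_chain_len": len(restore_set(diff, event)),
        "loss_hours": data_loss_window(incr, event).total_seconds() / 3600,
        "rpo_24h_met": rpo_met(incr, event, timedelta(hours=24)),
        "rpo_4h_met": rpo_met(incr, event, timedelta(hours=4)),
        "rto_violations": rto_exceeds_mtd(functions),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A 4-hour RPO fails here because the daily 02:00 partial leaves a 12.5-hour gap; meeting it would require more frequent partials or mirroring, which is the cost trade-off Figure 6.2 illustrates.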
After a disaster event, it is extremely important to restore IT services and functions. The restoration process is detailed in a disaster recovery plan. The high-level disaster recovery policy is an executive-supported policy that sets forth the creation of the disaster recovery plan (DRP).
In the event of a disaster affecting IT operations, all IT personnel, including you as an SSCP, will participate in recovery efforts to restore IT services as soon as possible. As you have seen, in business continuity planning, the majority of business operations are contingent upon active and reliable IT services and functions.
The difference between a disaster recovery plan and an incident response plan is that an incident response plan details the methods and procedures used to detect and stop an imminent threat to the organization's IT assets while the disaster recovery plan is designed to rebuild, recover, and restore damaged assets to full operational capacity. Restoration operations may take a period of time and significant coordination and effort to rebuild or refurbish facilities, restore order, restore and provision hardware products, and restore data and applications from backup sources.
There are some things to consider during the creation of the disaster recovery plan. Some of these considerations are detailed in the following sections.
As with incident response planning, a disaster recovery plan begins with identifying various disaster types. Disasters may be the result of either natural causes or man-made causes. Natural disasters include hurricanes, tornadoes, mudslides, forest fires, floods, and other disasters caused by weather-related events, and man-made disasters, either intentional or unintentional, may be caused by fires, bombs, terrorist activities, civil unrest, and acts of war, just to name a few.
It is very difficult to have a large number of disaster plans with a response to each particular type of disaster. Imagine communicating to a senior executive on the phone that IT operations has experienced a disaster due to fire. The very next questions might be, “How big was the fire? Was it localized? Did it take down the entire IT installation and facility? How serious was it?” So, as you can see, the overall effects of disasters might differ.
Many organizations find it convenient to establish a disaster classification system to describe to all individuals the severity of the disaster and the type of restoration response to expect. Figure 6.3 illustrates a typical disaster classification chart. In this example, there are only three grades of disasters—one, three, and five—which allows for other numbers or levels of classification to be substituted if required. Other columns may be added to indicate programs or plans to invoke, persons to notify, and other disaster information.
On occasion, certain disasters come with a warning. For instance, depending upon the geographic location of the organization, an IT operation such as a data center may have knowledge of an impending hurricane, forest fire, or potential flood hours if not days ahead of time. In this instance, a disaster preparation plan may be invoked, where critical data is backed up to an offsite location or to a cloud service provider, which should be of significant geographic distance from the primary IT location so as not to be involved in the same disaster.
Provisions may be made to protect facilities from wind, flood, or fire, and protection must be afforded to all staff members in expectation of a disaster event. Remember, the primary concern in any disaster is the safety and preservation of human life.
The IT organization should have a complete inventory of all hardware assets and virtual assets at the physical site. This would include all network hardware, network telecommunications equipment, telephone communications equipment, user workstations, wiring diagrams, and a complete description of all configurations of network equipment such as routers, switches, firewalls, and servers. Virtual assets such as applications and data should be inventoried, and the inventory should be recorded. Naturally, in the case of disaster preparedness, all of this information should be stored and backed up to a geographically remote location.
Various considerations must be made during the creation of a disaster recovery plan. Consideration must be given to the sources and availability of products used to restore the physical facility as well as networking electronic components required to rebuild the data center. Along with the inventory of hardware assets, a list should be created of potential sources of replacement products. The disaster recovery plan should include the methods of purchasing and paying for replacement products in the event that the accounting department and purchasing department have been displaced by the same disaster.
During significant natural disasters such as Hurricane Katrina and Hurricane Sandy, the availability of goods, supplies, building materials, and labor was at a premium. As part of their disaster planning, some large corporations keep small-denomination currency and gold to pay for goods and services during a severe emergency. In the event of a severe natural disaster, credit cards will be of little use due to a power outage or an Internet outage.
Labor and personnel must be considered in the creation of a disaster recovery plan. During a severe natural disaster, third-party labor such as contractors and skilled tradespeople may either be unavailable or be available only to the highest bidder. It should also be anticipated that the organization's own personnel may be unavailable because of a lack of transportation, a personal disaster, or a lack of basic services.
During a disaster event and recovery operation, the primary IT facility may not physically be available to carry out IT operations. In some disaster scenarios, it may be temporarily disabled, while in other, more severe scenarios, it may be totally destroyed and need to be totally rebuilt.
The disaster recovery plan must include the possibility of relocating IT operations. The different relocation options will respond directly to the recovery time objective. For instance, services may be made available for almost instant switchover, while other services may require the transportation and configuration of hardware in a remote location. Each strategy affects the variables of time to restore services and cost to restore services.
When employing any of the types of recovery site options, the planners must consider several important factors:
It is important to consider cross training of personnel or duplicate personnel with alternate skill sets and the availability of contractors in the remote recovery site location.
Disaster preparedness and restoration planning is the formulation of plans that reduce vulnerability to threats and provide a set of procedures for restoration after a disaster event. In addition to the safety and protection of human life, many other items must be taken into consideration during the creation of a disaster recovery plan:
Disaster preparedness planners, when creating a disaster recovery plan, should consider alternate sources for any of these requirements.
It is important that as a security practitioner you are familiar with all of the different types of backup and data restoration solutions. Data backup and restoration solutions are driven by two primary considerations: time and cost. As you saw with recovery time objectives (RTOs) and recovery point objectives (RPOs), fast recovery times and minimal data loss come with a price. By varying the time frame, not only is the cost affected, but the type of technology used for data backup storage may change.
Not all data needs to be backed up equally. When creating a backup program for the organization, data may be prioritized by importance or frequency of use. For instance, data required for immediate use, such as customer information or accounting data, may be considered vitally important to corporate operations. The decision might be made to prioritize this data and back it up in such a manner as to provide a very fast restoration process. Other data, such as sales transactions, database archives, or archived communications such as emails, may be backed up using a method that is far less expensive and may require a much longer time to restore.
In years past, data was backed up sequentially on magnetic tape. Many may remember the reel-to-reel tapes featured in science-fiction movies. While some of these devices still exist in mainframe computer centers, most tape backup today is performed on tape cartridges and specialized machines. It is not unusual to back up data on DVDs and hard disk arrays and to the cloud.
When removable media is involved, various backup scenarios may be used. The selection of the backup scenario is based upon several factors:
When considering these criteria, several backup scenarios can be employed. Of course, at some point in time all of the data must be backed up, which is usually referred to as a full backup. The selection of backup techniques between full backups depends upon the criteria. Various backup techniques are described in the following sections.
A mirrored backup features the immediate writing of data to two different locations. “Online data” refers to data that is backed up in the local IT facility. The second copy of the data is transmitted to a separate storage device located in a distant location so as to be separate from any natural disaster. A mirrored backup may also be cloud based.
A mirrored backup requires the use of two identical storage devices. These identical storage devices may be in physically separate locations. A mirrored backup is the most expensive type of backup/restoration system and is usually used for vital data that must be immediately available at all times. Mirrored backups are not used for archive data, applications, operating systems, or other types of data that might be backed up to magnetic or optical media.
A full backup is the contiguous copy of the entire system and data. A full backup may include the entire operating system, applications, and data associated with the system. It may also refer to a subset of data. For instance, a full backup may be created of the customer transactions database. This database may have been prioritized as being vitally important to the organization and therefore has its own backup schedule. Normally, full backups to tape or offline storage are made at least weekly.
If a full backup is created once a week, then daily backups must be made of the transactions for each day. The differential backup records all of the transactions since the full backup. For instance, the transactions occurring on Monday will be recorded. On Tuesday, all of the transactions occurring on Tuesday will be added to the backup of all of the transactions occurring on Monday. On Wednesday, all of the Wednesday transactions will be added to the backup of all of the Monday and Tuesday transactions. So on each day, the transactions are just appended to the previous day's backup file.
The advantage is that, in the event of a restoration, only one file must be added to the full backup file to create a record of all transactions that have occurred. The disadvantage may be media cost: the backup for each day requires more media because of the growing amount of data stored each day. Figure 6.4 illustrates the concepts of a differential backup.
Again, assuming a full backup was created once a week, daily backups must be created for the transactions of each day. In the case of incremental backup, the transactions occurring on Monday are backed up into a file. Tuesday's transactions are backed up into a second file. Wednesday's transactions are backed up into a third file. Thursday and Friday transactions are similarly backed up into separate files. In the event of a restoration, each of the files must be added to the others and finally to the full backup to form a contiguous data file containing not only all of the existing information from Sunday but also the information from the rest of the week.
The advantage to this program is that each day's backup may be created much faster. Each day's data is in one file. The cost of media for each day is reduced because it is only storing one day's worth of information. The obvious disadvantage is that if a full restoration is required, it takes much longer to combine all of the different daily files together with the full backup prior to being able to restore all the data to the affected device. Figure 6.5 illustrates incremental backup.
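The following added example (not from the book) simulates the differential and incremental schemes just described over one week, using constructed daily transaction sizes, and compares the media each consumes per day with the number of files a restore must combine.

```python
"""Added example, not from the book: simulate the differential and
incremental schemes described above for one week and compare what each
costs in media per day and in files needed for a restore."""
from dataclasses import dataclass, field

# Constructed sample data: gigabytes of new transactions recorded on each
# weekday after the Sunday full backup (values are illustrative only).
FULL_BACKUP_GB = 100
DAILY_CHANGES_GB = {"Mon": 4, "Tue": 3, "Wed": 5, "Thu": 2, "Fri": 6}


@dataclass
class BackupSet:
    """One full backup plus the daily files that follow it."""
    scheme: str                       # "differential" or "incremental"
    full_gb: int
    dailies: list = field(default_factory=list)  # (day, size_gb) pairs


def differential_schedule(full_gb=FULL_BACKUP_GB, changes=DAILY_CHANGES_GB):
    """Each day's file holds everything changed since the full backup,
    so Tuesday's file contains Monday's transactions as well, and so on."""
    bs = BackupSet("differential", full_gb)
    since_full = 0
    for day, gb in changes.items():
        since_full += gb
        bs.dailies.append((day, since_full))
    return bs


def incremental_schedule(full_gb=FULL_BACKUP_GB, changes=DAILY_CHANGES_GB):
    """Each day's file holds only that day's transactions."""
    bs = BackupSet("incremental", full_gb)
    for day, gb in changes.items():
        bs.dailies.append((day, gb))
    return bs


def restore_chain(bs, upto_day):
    """Files that must be combined, in order, to rebuild the data as of
    the end of upto_day. Differential: full + one file. Incremental:
    full + every daily file up to and including that day."""
    days = [day for day, _ in bs.dailies]
    idx = days.index(upto_day)
    if bs.scheme == "differential":
        return ["full", upto_day]
    return ["full"] + days[: idx + 1]


def daily_media_gb(bs, day):
    """Media consumed by the daily file written on the given day."""
    return dict(bs.dailies)[day]


def total_media_gb(bs):
    """Total gigabytes written to backup media across the whole week."""
    return bs.full_gb + sum(gb for _, gb in bs.dailies)


if __name__ == "__main__":
    for bs in (differential_schedule(), incremental_schedule()):
        print(f"{bs.scheme:>12}: Friday file {daily_media_gb(bs, 'Fri')} GB, "
              f"week total {total_media_gb(bs)} GB, "
              f"restore to Fri needs {len(restore_chain(bs, 'Fri'))} files")
```

With these constructed figures the differential set writes 157 GB over the week but restores from two files, while the incremental set writes 120 GB but needs six files to reach Friday; that trade-off is what the RTO and media-cost discussion above is about.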
Data that is stored as backup is extremely important to the organization. When formulating a backup program, various aspects should be given consideration:
Electronic vaulting is another name for transmitting data offsite to either a physical storage location or a cloud storage location. At the physical storage location, the transmitted data is recorded onto tape or media, while on the cloud storage location, virtual storage techniques may be employed. With electronic vaulting, data transmission should be encrypted and validated for integrity, such as employing IPsec as a transmission encryption and integrity coding system.
Journaling is a database term that refers to recording transactions and creating a transaction log. A transaction log may be used in conjunction with the last known good database copy to create an up-to-date database. If an IT transaction is interrupted, a journal can be used along with the original database copy to restore information as of the last transaction.
Clustering refers to using a combination of servers or systems to reduce the risk associated with a single point of failure. A cluster of anything provides a configuration that reduces risk and provides high availability. A term used in clustering is automatic failover, which provides system redundancy. In the event of a failover, the secondary system takes over all server operations, and the failover is transparent to the user. This is primarily used in environments that require high availability and continuous use.
Load-balancing clustering is a technique of utilizing various servers and systems in an array to spread the workload. In this technique, various algorithms are used to send work to each one of the cluster servers so that one server does not receive all of the workload. Load-balancing clustering differs from server clustering in that server clustering provides redundancy of servers while load balancing provides availability of servers.
Redundant Array of Independent Disks (RAID) is a method of storing data across several different hard disks. Using this system, data is written to a series of hard disks in such a manner as to provide either speed or data redundancy. A RAID array can be viewed as a stack of two or more hard disks that are written to using either software or hardware implementations.
RAID is based on several data recording concepts that may be combined in a number of ways to reach the desired results. These recording concepts include parity, mirroring, and striping.
Different RAID levels are specified by a number that indicates a particular type of configuration. It is important to know that some RAID levels offer redundancy while other RAID levels offer speed.
Various other types of RAID configurations exist that are based on combinations of the preceding RAID techniques.
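As an added example (not from the book), the block below shows the parity and striping concepts named above in working form: a block of constructed data is striped across three data disks plus one XOR parity disk, and any single failed disk, data or parity, is rebuilt from the survivors. The layout is a simplified RAID-style stripe chosen for illustration, not a description of any particular vendor's implementation.

```python
"""Added example, not from the book: stripe a block across three data
disks with one XOR parity disk, then rebuild a failed disk from the
survivors. A simplified RAID-style layout used only to show how parity
provides the redundancy the chapter describes."""
from functools import reduce

DATA_DISKS = 3  # number of data disks in the constructed array


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))


def stripe(data: bytes, ndisks: int = DATA_DISKS):
    """Split data into ndisks equal chunks (zero-padded) and append a
    parity chunk P = D0 ^ D1 ^ ... ^ D(n-1). Returns the list of disks,
    parity last."""
    chunk = -(-len(data) // ndisks)  # ceiling division
    padded = data.ljust(chunk * ndisks, b"\0")
    disks = [padded[i * chunk:(i + 1) * chunk] for i in range(ndisks)]
    disks.append(xor_blocks(disks))
    return disks


def rebuild(disks, failed):
    """Reconstruct disks[failed] from the others. Because P is the XOR of
    all data chunks, XORing every surviving disk (parity included) yields
    the missing one, whether it was a data disk or the parity disk.
    disks[failed] is never read, so it may already be None."""
    return xor_blocks([d for i, d in enumerate(disks) if i != failed])


def reassemble(disks, original_len):
    """Join the data chunks (dropping parity) and remove the padding."""
    return b"".join(disks[:-1])[:original_len]


def recover_after_failure(data: bytes, failed: int):
    """Full round trip: stripe, lose one disk, rebuild it, reassemble."""
    survivors = stripe(data)
    survivors[failed] = None  # the failed disk's contents are gone
    survivors[failed] = rebuild(survivors, failed)
    return reassemble(survivors, len(data))


if __name__ == "__main__":
    sample = b"customer-transactions-2024"  # constructed sample record
    for lost in range(DATA_DISKS + 1):
        assert recover_after_failure(sample, lost) == sample
    print("every single-disk failure recovered from parity")
```

Note what the example also makes visible: a single parity disk tolerates exactly one failure at a time, which is why rebuild time after a disk loss matters to availability.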
The business continuity plan (BCP) and disaster recovery plan (DRP) should be verified at least once every year. This procedure is accomplished through the use of a variety of tests and drills with the personnel involved. The various types of tests are based on time, cost, complexity, and risk to the organization. For example, taking the IT department offline to test the capability of a failover to a remote site might pose a substantial risk to the organization. However, many government and military organizations perform this type of test to test readiness in the event of an emergency.
There are various types of tests used to validate either the business continuity plan or the disaster recovery plan:
As an SSCP, you will be expected to perform many roles as assigned during both continuity and disaster preparedness testing. You must understand the reasons for the testing and the importance of your role to its success.
As a security practitioner, you will be closely involved with various aspects of planning, testing and possibly executing incident plans, business continuity, and business recovery plans. As such, it is important to understand the basic concepts of each practice.
In this chapter, you gained an understanding of how to handle incidents using consistent and applied techniques. You learned what the elements of an incident response policy are and that, as in all policies, it must have executive-level support. The incident response plan is the result of a policy directive and requires the interaction and input of many corporate individuals, including heads of departments and subject matter experts. The incident response plan requires a commitment in both time and funding. It also requires training individuals so they understand their responsibilities as possible members of the incident response team. You saw how incident analysis, sometimes referred to as triage during multiple incidents or attacks, is used to prioritize the efforts of the incident response team to mitigate harm to the organization.
During forensic investigations, you may play a role as part of an incident response team while gathering information as well as evidence from the incident scene. In this chapter you learned how to recover and record evidence and provide a continuous tracking method, referred to as chain of custody. We also discussed Locard's exchange principle, which states that a perpetrator will always leave something at the crime scene and will also take something from the crime scene.
You learned the importance of a business continuity plan. The business continuity plan provides the responsibilities, criteria, and procedures to maintain business operations as close to normal as possible during an incident or a disaster. This involves prioritizing business activities that must be maintained before business activities that are support operations. The disaster recovery plan is put into action after a disaster occurs. It provides the responsibilities, criteria, and procedures necessary to restore and recover back to normal operations after a disaster.
We discussed the various techniques of backing up data and providing redundancy for data storage as well as network operations. We also discussed the importance of testing so that every individual is aware of their responsibilities and plans are carried out as intended.
You can find the answers in Appendix A.
You can find the answers in Appendix B.
A. Hard disk
B. CPU cache
C. RAM
D. USB drive
A. Determine the source and vector of the threat.
B. Follow the procedures in the incident response plan.
C. Disconnect the affected computers.
D. Alert the third-party incident response team.
A. Controlling risk to the organization
B. Planned procedures that are performed when a security-related incident occurs
C. Planned activities that enable the organization's critical business functions to return to operations
D. Transferring risk to a third-party insurance carrier
Which choice
A. An occurrence that is outside the normal functional baselines
B. An occurrence or imminent threat to the enterprise of widespread or severe damage, injury, loss of life, or loss of property
C. An emergency that is beyond the normal response resources of the enterprise
D. A suddenly occurring event that has a long-term negative impact on major IT infrastructure
A. It should require the ability to respond quickly and effectively to an incident.
B. It should require the prevention of future damage from an incident.
C. It should require the retaliation against repeat attackers.
D. It can require the repair of damage done from an incident.
A. Providing information and direction to senior management staff
B. Providing stress mitigation programs to employees after an asset loss event
C. Analyzing and identifying all critical business functions
D. Coordinating and planning integration among business units
A. Full failover test
B. Structured walk-through test
C. Tabletop exercise
D. Bullet point test
A. An alternate processing facility with established electrical wiring and HVAC but no data processing hardware
B. An alternate processing facility with most data processing hardware and software installed, which can be operational within a matter of hours to a few days
C. An alternate processing facility that has all hardware and software installed and is mirrored with the original site and can be operational within a very short period of time
D. A mobile trailer with portable generators and air-conditioning
A. Detective controls monitor for attacks and instigate preventative or corrective controls.
B. Controls reduce the possibility that vulnerabilities will be attacked.
C. The effect of an attack is reduced through the use of controls.
D. Restorative controls reduce the likelihood of a deliberate attack.
A. Simulation
B. Parallel
C. Structured walk-through
D. Full interruption
A. Mobile or portable alternate IT computing service
B. Hot site
C. Cold site
D. Warm site
A. A computer facility with electrical power and HVAC but with no applications or installed data on the workstations or servers prior to the event
B. A computer facility with available electrical power and HVAC and some print/file servers. No equipment has been installed at the site.
C. An alternate computing location with little power and air-conditioning but no telecommunications capability
D. A computer facility with power and HVAC and all servers and communications. All applications are ready to be installed and configured, and recent data is available to be restored to the site.
A. To make sure everyone understands their responsibility and the procedures they must follow
B. To inform everyone that a disaster or incident event has occurred
C. To maintain business operations, as best as possible, until all operations can be restored
D. To rebuild the facility after disaster occurrence
A. Daily backups are appended to previous backups.
B. Daily backups are maintained in separate files.
C. Daily backups are appended to the full backup.
D. Daily backups are mirrored to the cloud.
A. The time after which the viability of the enterprise is in question
B. The point at which the most accurate data is available for restoration
C. The point at which the least accurate data is available for restoration
D. The target time full operations should be restored after disaster
A. Dedicated full-time incident response team
B. Functional incident response team
C. Third-party incident response team
D. Expert incident response team
A. Record of evidence
B. Chain of custody
C. Evidence recovery tag
D. Investigator's evidence notebook
A. Write protect tool
B. Block data copy software
C. Bit data copy software
D. Memory dump tool
A. Turn off the affected machine to stop the attack.
B. Follow the procedures specified in the incident response plan.
C. Quickly unplug the Ethernet plug.
D. Take photographs of the crime scene before it can be disturbed.
A. Reduces noise signals on the IT infrastructure
B. Removes unwanted packets
C. Defines a threshold of activity that, once crossed, sets off an operator alarm or alert
D. Provides real-time monitoring