
ISOL 631

OPERATIONS SECURITY
WEEK 5
INCIDENT MANAGEMENT, INVESTIGATIONS, AND PHYSICAL SECURITY
INCIDENT RESPONSE
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
The Steps of Incident Handling
Triage: Is it an actual incident or a false alarm? How serious is it?
Investigation: Gathering evidence
Containment: Limit the damage by isolation and mitigation
Analysis: Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking: Document the incident and determine the source
Recovery: Mitigate the incident and apply lessons learned to reduce the risk of recurrence
TRIAGE
The term triage is borrowed from the medical community. Triage is the art of rapidly assessing the severity of an incident and following the right protocols, in the right order, to reduce its consequences, all in the midst of a crisis, when every second counts.
Different incidents require different responses: a Denial of Service (DoS) attack has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators of potential incidents is very high, so false positives are common.
INVESTIGATION
The Incident Scene: the environment where potential evidence may exist
Principles of criminalistics apply:
Identify the scene
Protect the environment
Identify evidence and potential sources of evidence
Collect evidence
Minimize the degree of contamination
GENERAL GUIDELINES
All general forensic and procedural principles must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions taken with it
Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
ROLES AND RESPONSIBILITIES
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
CHAIN OF CUSTODY
Tracks evidence handling
A formal, well-documented procedure MUST be followed, with NO EXCEPTIONS
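Added example (not part of the course slides): a hypothetical chain-of-custody record in Python that applies the evidence-handling guidelines above, hashing the item with SHA-256 at seizure, logging every handler and action, and chaining the entries so that a later edit to the log is detectable. The item identifier, handler names and evidence bytes are constructed sample values, and the record format is an assumption for illustration, not a standard.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chain-of-custody log for one evidence item (hypothetical helper, not a standard)."""

    def __init__(self, item_id: str, evidence: bytes, collected_by: str):
        self.item_id = item_id
        self.acquisition_hash = sha256_hex(evidence)  # reference hash taken at seizure
        self.entries = []
        self.log("acquired", collected_by, evidence)

    def log(self, action: str, person: str, evidence: bytes, note: str = "") -> dict:
        """Record who did what to the item, with the evidence hash at that moment."""
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "person": person,
            "sha256": sha256_hex(evidence),
            "note": note,
        }
        # Each entry commits to the previous entry's hash, so an edited or
        # deleted entry breaks the chain and shows up in verify().
        prev = self.entries[-1]["entry_hash"] if self.entries else ""
        entry["entry_hash"] = sha256_hex((prev + json.dumps(entry, sort_keys=True)).encode())
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> dict:
        """Check the item against its seizure hash and the log against itself."""
        prev, log_intact, changed = "", True, []
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex((prev + json.dumps(body, sort_keys=True)).encode()) != e["entry_hash"]:
                log_intact = False
            if e["sha256"] != self.acquisition_hash:
                changed.append(e["seq"])  # a handler saw evidence that differs from seizure
            prev = e["entry_hash"]
        return {"evidence_unchanged": sha256_hex(evidence) == self.acquisition_hash,
                "log_intact": log_intact, "changed_entries": changed}
```

A review of the record shows not only whether the evidence still matches its acquisition hash, but also at which custody step a differing hash first appeared and whether the log itself has been altered.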
Locard's Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.
DIGITAL FORENSICS
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
LIVE EVIDENCE
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down
SHORT-TERM CONTAINMENT
The short-term goal is to prevent more damage from occurring and to provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup copy for investigation.
Possible short-term containment steps include:
Remove power
Unplug the NIC
Change DNS entries
Apply new ACL filters
Isolate network segments
Disconnect Internet access
Apply null routing
LONG-TERM CONTAINMENT
If an affected system is a critical system, it may be necessary to keep it in production while a new system is built to take over its functions. After a backup of the system has been made for investigation, steps must be taken to mitigate the incident while leaving the system available.
Long-term containment steps include:
Remove compromised accounts
Apply security patches
Alter firewall rules
Remove Malware
Place in a Dirty VLAN
ANALYSIS
Media Analysis
Recovery of information or evidence from information media
The media may have been overwritten, damaged, degaussed, or reused
Network Analysis
Analysis and examination of network logs and activity for potential
evidence
The critical phase of the process is proper evidence handling and
processing
SOFTWARE ANALYSIS
Encompasses investigative activity such as:
Malware analysis
Intellectual property disputes
Copyright infringements
Goals:
Author identification
Content analysis
Payload and context analysis
RECOVERY
Eventually the necessary steps to resolve the incident will be performed.
Recovery simply refers to the amount of time it may take for operations to be fully restored.
Reporting and Documenting
One of the most important, yet overlooked, phases is the debriefing and
feedback phase
Security Policy Review
Which controls were inadequate or failed?
How can we improve our controls?
Did the Incident Management Plan function as intended?
PHYSICAL SECURITY
Deter, Delay, Detect, Assess, Respond
DEFENSE IN DEPTH
The practice of placing multiple layers of defenses (security controls) to provide redundancy in the event a control fails or a vulnerability is exploited
Layered barrier designs are advantageous when they require increased knowledge, skill, and talent to circumvent them
An important concept borrowed from the military; it has been used since at least 216 BCE
ACCESS CONTROL
Ensures that only authorized personnel are permitted inside the controlled area
Persons subject to control include employees, visitors, customers, vendors, and the general public
Authorization mechanisms typically include identification badges or cards (something you have): magnetic stripe, proximity cards, or smart cards
CLOSED CIRCUIT TV (CCTV)
A collection of cameras, recorders, switches, keyboards, and monitors that allow viewing and recording of security events
Provides a highly flexible method of surveillance and monitoring
Can provide deterrence, detection, and evidentiary archives
EXTERNAL MONITORING
Infrared (IR) sensors
Microwave
Coaxial strain-sensitive cable
Lighting
Cameras
Monitor displays
Guards
Alarm
INTERNAL ACCESS
Doors, Turnstiles, Mantraps
Keys, Locks, Safes
FIRE PREVENTION
Classes of fires
Data center requirements
VESDA devices
CLASSES OF FIRE
STAGES OF A FIRE
A fire normally goes through four stages of development:
Incipient (pre-combustion)
Visible smoke
Fast flaming
Heat
DATA CENTER REQUIREMENTS
Have suppression agents such as water, carbon dioxide, FM-200 (the industry-recognized replacement for Halon 1301), etc., on hand.
Install alarms and sensors (e.g., ion-based or optical smoke detectors) and fixed or rate-of-rise temperature sensors.
Data centers require particularly sensitive alarms. Instead of commercial-grade fire alarms, data centers should have devices that signal the early stages of a fire through optical or chemical sensors that may sound an alarm before a fire even starts.
VESDA DETECTORS
VESDA (an abbreviation of Very Early Smoke Detection Apparatus) is a laser-based smoke detection system.
FIRE PROTECTION
HVAC SYSTEMS
Heating, ventilation, and air conditioning systems maintain
appropriate humidity and temperature controls as well as a
contaminant-free air supply.
Monitoring systems can detect abnormal data center
temperatures, humidity, or other factors. Monitoring devices
alert you to a potential problem before there is a disruption in
service.
Ideally, HVAC systems will have backup power and be
isolated from the rest of the building.
POWER
Electric power goals: provide clean and steady power for data centers, including UPS (uninterruptible power supply), surge protectors, protection from transient noise, etc.
Ensure that a proper electrical infrastructure is in place, and have this validated by a certified electrician.
Mission-critical data centers should have alternate power sources, such as emergency generators, as well as a minimum 24-hour fuel supply.