Cybertopic_2security
- 2. Security Operations Overview
Copyright © 2019 Logical Operations, Inc. All rights reserved.
• Maintain Operational Resilience: keep core business functions operating even when a negative event occurs.
• Protect Valuable Assets: protect a wide range of assets and resources, from data to equipment to people.
• Control System Accounts: control which users have access to critical business systems.
• Effective Security Services Management: make sure that strong leadership is in place to keep security operations services consistent and effective.
- 3. Least Privilege
• Give users exactly the access they need to do their jobs, and no more.
• Permission levels cannot be set and forgotten.
• Privileges tend to accumulate slowly over time (privilege creep).
• Review accounts periodically, or set expiration times for user accounts.
• Assign two accounts to IT personnel:
• A common end-user account for day-to-day work.
• A separate administrative account.
Diagram: Data Entry Clerks perform their jobs with fewer privileges; Financial Coordinators perform their jobs with more privileges.
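The slide's four points (no more than the job needs, no set-and-forget, privilege creep, two accounts for IT staff) are all things an audit script can check against an account export. The following is an added example, not Logical Operations material: the role baselines, the permission names, the four accounts and the 90-day review interval are all constructed for illustration, and the role-to-permission table would come from your own IAM or directory in practice.

```python
"""Least-privilege audit: privilege creep, overdue reviews, mixed-use IT accounts.

Added example; not part of the Logical Operations material. The role baselines,
accounts, permission names and 90-day review interval are all constructed for
illustration. Adapt the inventory to your directory or IAM export.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Baseline: the permissions each role needs to do its job, and no more (constructed).
ROLE_BASELINE = {
    "data_entry_clerk": frozenset({"erp:read", "erp:write_orders"}),
    "financial_coordinator": frozenset({"erp:read", "erp:write_orders",
                                        "erp:approve_payments", "reports:read"}),
    "it_user": frozenset({"email", "wiki:edit"}),
    "it_admin": frozenset({"ad:domain_admin", "servers:root"}),
}

# Permissions that should only ever live on a dedicated administrative account.
ADMIN_PERMISSIONS = frozenset({"ad:domain_admin", "servers:root"})

# "Cannot set and forget": every account must be re-reviewed within this interval.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    permissions: frozenset
    last_reviewed: date


def audit_accounts(accounts, today):
    """Return a list of findings; an empty list means every account matches its baseline."""
    findings = []
    for acct in accounts:
        baseline = ROLE_BASELINE[acct.role]

        # Privilege creep: anything the account holds beyond what its role needs.
        extra = acct.permissions - baseline
        if extra:
            findings.append({"user": acct.username, "issue": "privilege_creep",
                             "detail": sorted(extra)})

        # Periodic review: flag accounts whose last review is older than the interval.
        age = today - acct.last_reviewed
        if age > REVIEW_INTERVAL:
            findings.append({"user": acct.username, "issue": "review_overdue",
                             "detail": age.days})

        # Two-account rule for IT staff: admin rights and everyday rights should
        # never sit on the same account, so a hijacked mail or browser session
        # cannot be used as domain admin.
        has_admin = bool(acct.permissions & ADMIN_PERMISSIONS)
        has_everyday = bool(acct.permissions - ADMIN_PERMISSIONS)
        if has_admin and has_everyday:
            findings.append({"user": acct.username, "issue": "mixed_use_account",
                             "detail": "split into an end-user account and an admin account"})
    return findings


def issues_for(username, findings):
    """Sorted list of issue names raised for one user."""
    return sorted(f["issue"] for f in findings if f["user"] == username)


# Constructed inventory: alice has picked up an approval right she should not have,
# bob has not been reviewed in four months, carol reads mail with her admin account.
TODAY = date(2019, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "data_entry_clerk",
            frozenset({"erp:read", "erp:write_orders", "erp:approve_payments"}),
            TODAY - timedelta(days=30)),
    Account("bob", "financial_coordinator",
            ROLE_BASELINE["financial_coordinator"], TODAY - timedelta(days=120)),
    Account("carol", "it_admin",
            frozenset({"ad:domain_admin", "servers:root", "email"}),
            TODAY - timedelta(days=10)),
    Account("dave", "it_user", ROLE_BASELINE["it_user"], TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(finding)
```

Run it on a real export and the "privilege_creep" findings are the ones to act on first: each is a permission nobody approved for that role, which is exactly how a compromised clerk account ends up able to approve payments.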
- 4. Perimeter Security
• Gates, fences, walls, doors, and other barriers.
• Locks.
• Guards.
• Perimeter intrusion detection such as:
• Infrared.
• Fence vibration sensors.
• Normal light and infrared CCTV.
• Sound and motion detectors.
• Any other system that can detect the presence of an intruder.
• Alarm systems.
• Logging and reporting of all physical access attempts.
- 5. Internal Security
• Begins at the building.
• Can include access control and monitoring at any point:
• Access controls such as card readers.
• Locks.
• Mantraps.
• Safes.
• Vaults.
• Other secure storage containers.
• Guards.
• Surveillance systems.
• Alarm systems.
• Logging and reporting of all physical access attempts.
• Should be applied to sensitive or high-risk areas.
- 7. Physical Access Barriers
• Fencing
• Walls
• Doors
• Windows
• Lighting
• Bollards
- 8. Lock Types
• Key lock
• Deadbolt lock
• Keyless lock or cipher lock
• Combination lock
• Intelligent keys
• Device locks
• Biometric or access card locks
- 9. Access Controls
• Automatic access control
• Card entry systems
• Biometric entry systems
• Mantraps
• Turnstiles
- 10. Secure Storage
• Container
• Safe
• Vault
- 11. Guards and Dogs
• Can monitor critical checkpoints and verify identification.
• Provide a visual deterrent.
• Can apply their own knowledge and intuition, but also have human vulnerabilities (fatigue, distraction, and susceptibility to social engineering).
• Dogs extend guard effectiveness, but cannot exercise judgment.
- 12. PIDS
• A perimeter intrusion detection system (PIDS) senses changes in the environment and alerts security.
- 13. PIDS Types
• Motion sensor
• Pressure-sensitive sensor
• Heat detector
• Proximity detector
• Vibration detector
• Magnetic detector
• Photometric detector
- 14. Surveillance Systems
• Physical security mechanism that monitors internal and external areas.
• Monitors for unusual behavior and potential intruders.
• Extends guard presence.
• Video broadcast and recording devices.
• Can include audio surveillance.
- 15. Types of Surveillance Systems
• Audio
• Video
• Guard stations
• Security dogs
- 16. Alarm Systems
• Lights.
• Bells and sirens.
• Local activation/local response.
• Local activation/remote response.
• Remote activation/local response.
• Remote activation/remote response.
• "Activation" is where the alarm is triggered; "response" is where it is answered (on site, or at a remote monitoring center).
- 17. Physical Access Logs
• Maintained by access control systems and by security guards.
• Each entry should clearly identify:
• The name of the individual attempting access.
• The date and time of the attempt.
• The access portal or entry point.
• The user ID (or badge ID) entered to attempt access.
• The location of access to internal spaces, if required.
• Unsuccessful access attempts, including those outside authorized hours.
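A log with the fields listed above is only useful if someone reviews it, and the two things worth pulling out first are attempts outside authorized hours and bursts of denials at one door. The following is an added example, not Logical Operations material, that does that over a constructed badge-system export: the CSV layout, the seven entries, and the weekday 07:00 to 19:00 access window are all assumptions for illustration.

```python
"""Physical access log review: after-hours attempts, denials, and repeated denials.

Added example; not part of the Logical Operations material. The log format,
the entries, and the 07:00-19:00 weekday access window are constructed for
illustration; map the columns to whatever your badge system exports.
"""
import csv
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed export from a badge system (ISO timestamps, one row per attempt).
SAMPLE_LOG = """timestamp,name,user_id,portal,result
2019-05-13T08:02:11,Jane Smith,jsmith,lobby-turnstile-1,GRANTED
2019-05-13T08:05:40,Raj Patel,rpatel,lobby-turnstile-2,GRANTED
2019-05-13T22:47:03,Jane Smith,jsmith,datacenter-east,DENIED
2019-05-13T22:47:20,Jane Smith,jsmith,datacenter-east,DENIED
2019-05-13T22:48:01,Jane Smith,jsmith,datacenter-east,DENIED
2019-05-14T09:15:32,Raj Patel,rpatel,datacenter-east,GRANTED
2019-05-18T10:30:00,Raj Patel,rpatel,lobby-turnstile-1,GRANTED
"""

# Authorized hours (assumption): Monday to Friday, 07:00 to 19:00.
AUTHORIZED_START, AUTHORIZED_END = time(7, 0), time(19, 0)
WEEKDAYS = range(0, 5)  # Monday=0 ... Friday=4


def parse_log(text):
    """Parse the CSV export into dicts with a datetime 'ts' field, in log order."""
    entries = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def in_authorized_hours(ts):
    return ts.weekday() in WEEKDAYS and AUTHORIZED_START <= ts.time() < AUTHORIZED_END


def repeated_denials(entries, window=timedelta(minutes=10), threshold=3):
    """Flag (user, portal) pairs with >= threshold denials inside any `window`.

    A burst of denials at one door is the physical analogue of a brute-force
    attempt: a lost or cloned badge being tried, or someone testing doors.
    """
    times_by_key = {}
    for e in entries:
        if e["result"] == "DENIED":
            times_by_key.setdefault((e["user_id"], e["portal"]), []).append(e["ts"])

    flagged = []
    for (user_id, portal), times in times_by_key.items():
        times.sort()
        best, start = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            flagged.append({"user_id": user_id, "portal": portal, "count": best})
    return flagged


def analyze(entries):
    """Produce the three reports a reviewer of the access log would want."""
    return {
        "denied": [e for e in entries if e["result"] == "DENIED"],
        "after_hours": [e for e in entries if not in_authorized_hours(e["ts"])],
        "repeated_denials": repeated_denials(entries),
    }


if __name__ == "__main__":
    report = analyze(parse_log(SAMPLE_LOG))
    for e in report["after_hours"]:
        print("after hours:", e["ts"], e["user_id"], e["portal"], e["result"])
    for f in report["repeated_denials"]:
        print("repeated denials:", f)
```

Note that the Saturday entry is flagged even though access was granted: a successful badge-in at a time the holder should not be on site is exactly the kind of event the "unauthorized hours" bullet wants surfaced, and it is invisible if you only review denials.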
- 18. Continuous Security Monitoring
• Passive: events are logged and examined after they occur.
• Active: events are both logged and responded to continuously, in real time.
- 19. Types of Prevention
• IDS and IPS
• Blacklisting and whitelisting
• Sandboxing
• Honeypots and honeynets
• Anti-malware
• Third-party security services
- 20. IDS and IPS for Prevention
• Sensor: detects unwanted or unexpected behavior and produces an alert.
• Communication: the alert is transmitted to the proper recipient.
• Enunciator: may adjust the alert for different recipient types (for example, a console entry for the analyst and a page for on-call staff).
- 21. Whitelisting and Blacklisting
• Blacklisting (a denylist) blocks known malicious sites, applications, services, and traffic.
• Risk of false positives when legitimate traffic matches a block rule.
• You can't know every threat to block, so unknown threats get through.
• Whitelisting (an allowlist) blocks everything except what you explicitly trust.
• More secure than blacklisting.
• Might be too restrictive: anything new, including legitimate traffic, is blocked until it is added to the list.
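The trade-off on this slide is easiest to see by running both policies over the same traffic. The following is an added example, not Logical Operations material: the hostnames, the two pattern lists, and the ground-truth labels are constructed, and the wildcard syntax is Python's `fnmatch`, not any particular proxy's rule language. The `normalize` step is the practitioner's caveat: without case folding and trailing-dot stripping, `LOGIN.PHISH.EXAMPLE.` is a valid FQDN that a naive string match on a denylist would miss.

```python
"""Denylist vs allowlist over the same set of outbound requests.

Added example; not part of the Logical Operations material. The hostnames,
patterns, and request labels are constructed for illustration.
"""
import fnmatch

# Known-bad destinations (denylist). Patterns use shell-style wildcards.
DENYLIST = ["malware-cdn.example", "*.phish.example"]

# Explicitly trusted destinations (allowlist).
ALLOWLIST = ["intranet.corp.example", "*.vendor-saas.example", "updates.os-vendor.example"]


def normalize(host):
    """Canonicalize before matching: case folding and trailing-dot FQDNs
    ("EVIL.PHISH.EXAMPLE.") would otherwise slip past a plain string comparison."""
    return host.strip().lower().rstrip(".")


def matches(host, patterns):
    host = normalize(host)
    return any(fnmatch.fnmatchcase(host, p) for p in patterns)


def denylist_policy(host):
    """Default allow; block only what is known bad."""
    return "BLOCK" if matches(host, DENYLIST) else "ALLOW"


def allowlist_policy(host):
    """Default block; allow only what is explicitly trusted."""
    return "ALLOW" if matches(host, ALLOWLIST) else "BLOCK"


# Constructed traffic with ground truth the policy does not get to see.
REQUESTS = [
    ("intranet.corp.example", "legit"),
    ("LOGIN.PHISH.EXAMPLE.", "malicious"),        # known phishing domain, odd casing
    ("newly-registered-c2.example", "malicious"), # not on any list yet
    ("docs.vendor-saas.example", "legit"),
    ("new-partner.example", "legit"),             # legitimate but not yet trusted
]


def evaluate(policy, requests=REQUESTS):
    """Count each verdict against ground truth."""
    counts = {"blocked_malicious": 0, "missed_malicious": 0,
              "allowed_legit": 0, "blocked_legit": 0}
    for host, truth in requests:
        verdict = policy(host)
        if truth == "malicious":
            counts["blocked_malicious" if verdict == "BLOCK" else "missed_malicious"] += 1
        else:
            counts["allowed_legit" if verdict == "ALLOW" else "blocked_legit"] += 1
    return counts


if __name__ == "__main__":
    print("denylist :", evaluate(denylist_policy))
    print("allowlist:", evaluate(allowlist_policy))
```

The two result dictionaries are the slide in numbers: the denylist lets the never-seen C2 domain through (a missed threat), while the allowlist stops it but also blocks the new partner until someone adds it (too restrictive).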
- 22. Sandboxing
• Isolation is the most fundamental security concept underlying virtualization: code runs in a contained environment that limits what it can affect outside the sandbox.
• You can virtualize and sandbox:
• Operating systems.
• Applications.
• Desktops.
- 23. Honeypots and Honeynets
• Honeypot: a decoy computer.
• Honeynet: a decoy network.
• Challenging enough to keep an attacker busy and away from real servers.
• Allow you to collect information about the intruder and take deterrent action.
• Placed:
• Outside the firewall.
• Inside the DMZ.
Diagram: an attacker launches a scanning attack against the honeypot; the scan is logged.
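The diagram's "scan attack logged" step is the whole value of a honeypot, and the simplest form of one is a fake service that answers with a plausible banner and records whoever talks to it. The following is an added example, not Logical Operations material: a low-interaction TCP honeypot that pretends to be an FTP server. It binds to loopback on an ephemeral port so it can run anywhere offline; the banner text, the probe payload and the `probe` client that plays the attacker are constructed. A real deployment would bind the decoy host's address, never the production server's, and forward the log to the SIEM.

```python
"""Low-interaction TCP honeypot: a fake FTP banner that logs whoever talks to it.

Added example; not part of the Logical Operations material. It listens on
loopback at an ephemeral port so it runs anywhere; the banner text and the
probe payload are constructed. A real deployment would bind an address on the
decoy host and ship the log to the SIEM.
"""
import socket
import socketserver
import threading
from datetime import datetime, timezone


class FakeFtpHandler(socketserver.BaseRequestHandler):
    def handle(self):
        peer_ip, peer_port = self.client_address
        # Real FTP servers speak first, so scanners expect a banner before sending.
        self.request.sendall(b"220 ftp.internal.example FTP server ready\r\n")
        self.request.settimeout(2.0)
        try:
            payload = self.request.recv(1024)   # whatever the scanner sends first
        except socket.timeout:
            payload = b""
        # Log before answering, so the record exists as soon as the client hears back.
        self.server.log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "peer": f"{peer_ip}:{peer_port}",
            "payload": payload,
        })
        # Keep the attacker engaged a little longer with a plausible reply.
        self.request.sendall(b"331 Password required\r\n")


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address=("127.0.0.1", 0)):
        super().__init__(address, FakeFtpHandler)
        self.log = []
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)

    def start(self):
        """Serve in the background; return the port the OS picked."""
        self._thread.start()
        return self.server_address[1]

    def stop(self):
        self.shutdown()
        self.server_close()


def probe(host, port, payload=b"USER anonymous\r\n"):
    """Play the attacker: connect, read the banner, send a command, read the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply


def run_demo():
    """Start a honeypot, probe it once, stop it, and return what it saw."""
    hp = Honeypot()
    port = hp.start()
    try:
        banner, reply = probe("127.0.0.1", port)
    finally:
        hp.stop()
    return banner, reply, hp.log


if __name__ == "__main__":
    banner, reply, log = run_demo()
    print(banner, reply, log, sep="\n")
```

Because nothing legitimate should ever connect to a decoy, every entry in `log` is an indicator by definition; that is what makes honeypot telemetry so much cheaper to triage than IDS alerts from production traffic.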
- 24. Anti-Malware
• One of the most basic preventive measures you can take.
• You must keep it up to date.
• No one product has proven to be 100% effective against all attacks.
• Most end-user anti-malware products can't be installed side by side on the same machine.
• Some enterprise products integrate multiple anti-malware engines for better coverage.
- 26. Configuration Management
• One of the most common mechanisms for provisioning.
• Can automatically inventory and track hardware and software assets.
• Can deploy operating systems to "bare metal" boxes.
• Can collect statistics about every system on the network.
- 27. CMDB
• A configuration management database (CMDB) is a central repository that stores data about all significant items in your IT environment.
• Significant items are known as configuration items (CIs):
• IT assets that are related to IT processes.
• Can include hardware, software, documents, models, plans, even people.
• The CMDB tracks the interrelations between the CIs.
- 28. CM Policies
• Define how the configuration management (CM) process is carried out.
• CM policies usually contain:
• A list of configuration items that are under CM control.
• How these items are named.
• How these items are added to and removed from CM control.
• How the items may change while under CM.
• How the same item is versioned if it appears multiple times in the CM.
• How CM is enforced within the organization.
- 29. CM Practices
• Identify CIs and any related assets that will be placed under CM control.
• Describe each item's characteristics in the CM.
• Implement configuration and change management processes for items under CM control.
• Establish baselines for both internal and customer use.
• Ensure that requests to change items are tracked.
• Ensure that any changes to items are controlled by the CM.
• Audit the baselines established for the CM items.
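The CMDB slide says the database tracks relationships between CIs, and the practices slide ends with "audit the baselines"; together they give you impact analysis for free. The following is an added example, not Logical Operations material, of a minimal in-memory CMDB that does both: it stores each CI with an approved baseline, records dependencies between CIs, diffs a scan result against the baseline, and lists every CI that transitively depends on the drifted one. The CI names, attributes, relationships and the scan result are constructed for illustration.

```python
"""A minimal CMDB: configuration items, their relationships, baseline audit and impact.

Added example; not part of the Logical Operations material. CI names, attributes
and relationships are constructed for illustration.
"""
import hashlib
import json
from collections import deque


class CMDB:
    def __init__(self):
        self.items = {}       # ci_id -> {"type": ..., "baseline": {...}}
        self.relations = []   # (source_ci, relation, target_ci): source depends on target

    def add_ci(self, ci_id, ci_type, baseline):
        """Register a CI with its approved baseline configuration."""
        self.items[ci_id] = {"type": ci_type, "baseline": dict(baseline)}

    def relate(self, source, relation, target):
        for ci in (source, target):
            if ci not in self.items:
                raise KeyError(f"unknown CI {ci!r}")
        self.relations.append((source, relation, target))

    def baseline_version(self, ci_id):
        """Stable identifier for a baseline: SHA-256 over its canonical JSON form."""
        canonical = json.dumps(self.items[ci_id]["baseline"],
                               sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()[:12]

    def dependents_of(self, ci_id):
        """Every CI that transitively depends on ci_id (breadth-first over reversed edges)."""
        seen, queue = set(), deque([ci_id])
        while queue:
            current = queue.popleft()
            for source, _rel, target in self.relations:
                if target == current and source not in seen:
                    seen.add(source)
                    queue.append(source)
        return seen

    def audit_baseline(self, ci_id, observed):
        """Compare an observed configuration (from a scan or agent) with the baseline."""
        baseline = self.items[ci_id]["baseline"]
        changed = {k: (baseline[k], observed[k])
                   for k in baseline if k in observed and observed[k] != baseline[k]}
        added = {k: observed[k] for k in observed if k not in baseline}
        removed = {k: baseline[k] for k in baseline if k not in observed}
        return {
            "ci": ci_id,
            "baseline_version": self.baseline_version(ci_id),
            "in_baseline": not (changed or added or removed),
            "changed": changed, "added": added, "removed": removed,
            "impacted": sorted(self.dependents_of(ci_id)),
        }


def build_sample_cmdb():
    """Constructed environment: a web server that two business services rely on."""
    db = CMDB()
    db.add_ci("srv-web-01", "server", {
        "os": "ubuntu-18.04",
        "sshd.PasswordAuthentication": "no",
        "pkg:openssl": "1.1.1b",
    })
    db.add_ci("svc-payroll", "service", {"tls_min_version": "1.2"})
    db.add_ci("svc-hr-portal", "service", {"tls_min_version": "1.2"})
    db.add_ci("doc-payroll-runbook", "document", {"revision": "7"})  # documents are CIs too
    db.relate("svc-payroll", "runs_on", "srv-web-01")
    db.relate("svc-hr-portal", "depends_on", "svc-payroll")
    db.relate("doc-payroll-runbook", "describes", "svc-payroll")
    return db


# Constructed scan result: someone re-enabled password SSH and installed netcat.
OBSERVED_SRV_WEB_01 = {
    "os": "ubuntu-18.04",
    "sshd.PasswordAuthentication": "yes",
    "pkg:openssl": "1.1.1b",
    "pkg:netcat": "1.10",
}

if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    print(json.dumps(cmdb.audit_baseline("srv-web-01", OBSERVED_SRV_WEB_01), indent=2))
```

The `impacted` list is what turns a configuration finding into a business conversation: the drift is on one server, but the payroll service, the HR portal that depends on it, and the runbook that documents it all need to be looked at.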
- 30. Virtual Assets
• Desktop images.
• Guest operating systems.
• Virtual SANs.
• Configuration files.
• Software-defined networking capabilities.
• Cluster resources.
• Anything that is software-based.
- 31. Cloud Assets
• Cloud services, like email, collaboration tools, etc.
• Cloud storage.
• Cloud-based virtual machines.
• Cloud-based networking components.
- 32. Incident Response Process
Diagram (process flow): Detect a Problem, Evaluate the Problem, Mitigate the Damage, Recover and Remediate, Report Details, Determine Lessons Learned, Implement Preventive Controls.
- 33. IRT Roles and Responsibilities
Diagram: the Incident Response Team draws on IT, Information Security, Physical/Corporate Security, Executive Management, Legal, Internal Audit, Human Resources, and Media/Public Relations.
- 34. Incident Response Management
• Prevent a situation from becoming worse.
• Ensure that first responders take correct action.
• Provide the team with all of the tools and resources they need.
- 35. Evaluation and Analysis
• The volume of log entries and false positives can be overwhelming.
• An adverse occurrence might not actually be a security incident:
• Hardware failures.
• Human error.
• Use professional judgment.
• Document all systems.
• Set a baseline of normal behavior.
• Retain logs from all sources.
• Correlate events, alerts, and indicators from all sources.
• Research reputable sources for information.
• Filter out irrelevant or inconsequential sources.
• Properly document analysis findings in a database.
- 36. Response and Mitigation
• Use a triage method to determine priority by criticality.
• Take care not to inadvertently contaminate a crime scene; if prosecution is possible, preserve evidence before changing systems.
• If you do not intend to prosecute, focus on:
• Containing the damage.
• Discovering the problem.
• Bringing systems back online.
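The evaluation slide above asks for a baseline of normal behavior, correlation across sources, and filtering of events that are not security incidents, and the response slide asks for triage by criticality. The following is an added example, not Logical Operations material, that does all four over constructed input: it drops events matching a baseline (an authorized scanner), clusters the rest per host within a ten-minute window, separates operational failures from incidents, and orders incidents by severity weighted by asset criticality. The events, the criticality table, the scanner address, and the scoring formula are assumptions for illustration.

```python
"""Correlate alerts from several sources per host and triage by asset criticality.

Added example; not part of the Logical Operations material. The events, the
asset criticality table, the scanner baseline and the scoring formula are
constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed events from an IDS, an auth log, an endpoint agent and syslog.
EVENTS = [
    {"ts": "2019-05-13T14:02:10", "source": "ids", "host": "srv-web-01",
     "type": "exploit_attempt", "severity": 3, "src_ip": "203.0.113.7"},
    {"ts": "2019-05-13T14:02:55", "source": "auth", "host": "srv-web-01",
     "type": "new_admin_user", "severity": 4, "src_ip": None},
    {"ts": "2019-05-13T14:03:40", "source": "edr", "host": "srv-web-01",
     "type": "malware_detected", "severity": 4, "src_ip": None},
    {"ts": "2019-05-13T09:10:00", "source": "syslog", "host": "ws-114",
     "type": "disk_smart_failure", "severity": 2, "src_ip": None},
    {"ts": "2019-05-13T11:00:00", "source": "ids", "host": "ws-207",
     "type": "port_scan", "severity": 1, "src_ip": "198.51.100.9"},
    {"ts": "2019-05-13T03:00:00", "source": "ids", "host": "srv-db-01",
     "type": "port_scan", "severity": 1, "src_ip": "10.0.0.50"},
]

# Asset criticality from the asset inventory (1 = low, 5 = business critical).
ASSET_CRITICALITY = {"srv-web-01": 5, "srv-db-01": 5, "ws-114": 2, "ws-207": 2}

# Baseline of normal behaviour: the authorized vulnerability scanner scans nightly.
BASELINE_SCANNERS = {"10.0.0.50"}

# Adverse events that are operational, not security, incidents.
NON_SECURITY_TYPES = {"disk_smart_failure"}

WINDOW = timedelta(minutes=10)


def is_baseline_noise(event):
    """A port scan from the authorized scanner is expected and is filtered out."""
    return event["type"] == "port_scan" and event["src_ip"] in BASELINE_SCANNERS


def correlate(events, window=WINDOW):
    """Cluster events per host when each is within `window` of the previous one."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if is_baseline_noise(e):
            continue
        ts = datetime.fromisoformat(e["ts"])
        clusters = by_host.setdefault(e["host"], [])
        if clusters and ts - clusters[-1]["last"] <= window:
            clusters[-1]["events"].append(e)
            clusters[-1]["last"] = ts
        else:
            clusters.append({"host": e["host"], "events": [e], "last": ts})
    return [c for clusters in by_host.values() for c in clusters]


def triage(clusters):
    """Score each cluster and order by priority; non-security clusters are set aside."""
    triaged = []
    for c in clusters:
        sources = {e["source"] for e in c["events"]}
        types = {e["type"] for e in c["events"]}
        max_sev = max(e["severity"] for e in c["events"])
        crit = ASSET_CRITICALITY.get(c["host"], 1)
        # Severity weighted by what the asset is worth, plus a bonus for
        # independent sources agreeing (assumed formula).
        score = max_sev * crit + 2 * (len(sources) - 1)
        disposition = "not_incident" if types <= NON_SECURITY_TYPES else "incident"
        triaged.append({"host": c["host"], "events": len(c["events"]),
                        "sources": sorted(sources), "score": score,
                        "disposition": disposition})
    return sorted(triaged,
                  key=lambda t: (t["disposition"] == "incident", t["score"]),
                  reverse=True)


if __name__ == "__main__":
    for row in triage(correlate(EVENTS)):
        print(row)
```

Three mediocre alerts on one critical host within two minutes outrank any single alert elsewhere; that is the point of correlating before triaging rather than working the queue in arrival order.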
- 37. Recovery and Remediation
• Can be as simple as restoring a single operating system or as complex as moving all personnel and operations to a new physical location.
• Make sure the recovered system will not be vulnerable to the same attack.
• Use a different team to perform a fresh vulnerability assessment on the recovered system.
• Stop or reverse the damage caused by the incident.
• Discover the root cause.
- 38. Reporting and Documentation
• Report the business impact of the incident.
• The report should include:
• Source of the incident.
• Triggers.
• Systems targeted.
• Specific impacts.
• Actions taken to mitigate the incident.
• Actions taken to recover systems and operations.
• Actions taken to mitigate lingering effects.
• Current state of the system.
• Lessons learned.
- 39. Lessons Learned
• Identify areas of security that need improvement.
• Determine the best possible way to improve security.
• Capture:
• Actions taken.
• The optimal solution.
• How teams reacted and performed.
• Cost in time and money.
• How future response will be different.
• Recommended changes to security policy.
- 40. Investigative Procedures
• Seeking evidence from computers and networks that might pertain to a criminal or civil matter.
• Remember that nearly anything done on a computer or network leaves a trace.
• A set of procedures and protocols that are:
• Methodical.
• Verifiable.
• Auditable.
Diagram (process flow): Discover Evidence, Collect Evidence, Analyze Evidence, Present Findings.
- 41. Root Cause Analysis
• Keep asking "what was the immediate thing that allowed this to happen?"
• With each answer, repeat the question until you reach the root cause.
• Most root causes can be uncovered within about six questions.
• There are likely to be several root causes, so do not stop at the first one.
- 42. Investigation Reports
• Report findings to management, authorities, and stakeholders.
• Tailor the report to its audience.
- 43. Disaster Recovery Planning Process
Diagram (cycle): Identify, Assess, Document, Train, Update and Maintain.
- 44. DRPs
• A well-documented policy that defines:
• How people and resources will be protected during a disaster.
• How the organization will recover.
• The plan should be tested for effectiveness and fine-tuned before a disaster strikes.
• Train staff on the policy so they can respond automatically in an emergency.
- 46. Disaster Recovery Strategy Considerations
• Risks.
• Personnel safety.
• Essential items.
• Relocation scheme.
• Cost vs. benefit: weigh goals and costs to ensure an effective DRP.
• Prioritization: recover business-critical processes first.
- 47. Disaster Recovery Priority Levels
• Short term.
• Mid term.
• Long term.
• Not required.
- 48. DRP Personnel Roles and Responsibilities
Diagram: DRP personnel comprise the executive emergency management team, the command center team, the emergency management team, the emergency response teams, and end users.
- 53. DRP Training
• Crisis leadership for senior management.
• Business continuity training for department managers.
• Technical training and logistics training for the technical teams.
• "What to do and what NOT to do during a crisis" training for end users.
- 54. DRP Test Strategy
• Testing scope and objectives.
• What functions, processes, and systems will be tested.
• An assurance that the test will not jeopardize normal business operations.
• Expectations of the test process for all departments and lines of business.
• A description of each test and how it will impact each department and business operations.
• The level of involvement of the staff, technologies, and facilities.
• Expectations of the test output.
• A measurement to determine the success of each test.
• The ability to identify any interdependencies (internal or external) that may impact the success of the test.
• The ability to uncover and rectify gaps in the testing process itself.
• The ability to tolerate deviating from the test script and injecting unplanned events such as the loss of key personnel, services, or equipment.
• A sufficient volume and range of transactions to provide an adequate representative sample in the test output.
- 55. DRP Test Plan
• A master schedule that lists all of the tests.
• A description of the test objectives and methods.
• A list of all test participants.
• The roles and responsibilities of all test participants, including support personnel.
• The decision-makers and their successors.
• Test locations.
• Test escalation conditions.
• Contact information.
- 56. DRP Test Types
• Read-Through.
• Structured Walkthrough.
• Simulation.
• Parallel.
• Full Interrupt.
- 57. Recovery Strategies
• Who the decision makers are and how to contact them.
• Where and how data is backed up.
• Whether any fault tolerance or redundancy mechanisms can restore data.
• The alternate site location, along with the services and technologies at the site.
• Travel and accommodation services.
• The recovery strategy for the organization in each specific technology.
• Where people should assemble if they cannot re-enter the building.
• The process for declaring a disaster for a specific site.
- 58. Disaster Recovery Response Approaches
• Short-term:
• Mirrored site.
• Shared location.
• Long-term:
• Relocation.
• Rebuilding.
- 59. Communication with Stakeholders
• Notify all stakeholders:
• Employees and their families.
• Vendors, contractors, and business partners.
• Facility and site managers.
• Department managers.
• Senior managers and the Board of Directors.
• News media.
• Law enforcement.
• Emergency responders.
• Insurance companies.
• Suppliers and distributors.
• Customers.
• Government regulators.
• Competitors.
• Unions.
• Internet users.
• The general public or line-of-business related communities.
• Industry groups.
- 60. Communication Flow
• Create a fault-tolerant call tree, so that no single unreachable person stops the notifications below them.
• Put emergency numbers on badges or refrigerator magnets.
- 61. Restoration
• The final part of disaster recovery, and part of the DRP.
• The primary working facility and environment are back to normal.
• Part of the staff might still be at the alternate site for a while.
• The legal team and insurance agent will play a role.
- 62. Disaster Post-Mortem
• What was the root cause of the disaster?
• How can such a disaster be avoided in the future?
• How did the DR/BCP team respond?
• What lessons were learned?
• What went well?
• What could be improved?