1. 2019 CISSP MENTOR PROGRAM
May 13, 2019
-----------
Class 9 – May 13, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
3. Another beautiful weekend in Minnesota! Makes it
harder to study?
• Check-in.
• How many have read Chapter 1 - 6?
• Questions?
CISSP® MENTOR PROGRAM – SESSION NINE
2
WELCOME BACK!
Back to the grind I suppose…
Only 100 slides tonight. We’ll fly through Chapter 7 tonight and
make good progress into Chapter 8.
We’ve made it through some of the toughest parts already.
Other Updates:
REMINDER: We’ve seen a little more chatter in Slack...
• If you need anything, email us at
cisspmentor@frsecure.com.
• If you’re still here, you’re doing great!
4. 1. What technique would raise the False Accept Rate
(FAR) and lower the False Reject Rate (FRR) in a
fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
CISSP® MENTOR PROGRAM – SESSION NINE
3
QUIZ…
Questions, questions, questions…
5. Answer: A. Decrease the amount of minutiae that is verified.
Checking fewer points makes a match easier to achieve, so more impostors
are accepted (FAR rises) and fewer legitimate users are rejected (FRR falls).
6. 2. A policy that states a user must have a business
requirement to view data before attempting to do so is
an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
7. Answer: B. Need to know.
Least privilege limits what a subject is allowed to do; need to know goes
further and requires a business reason before the specific information may
be accessed.
8. 3. Server A trusts server B. Server B trusts Server C.
Server A therefore trusts server C. What term describes
this trust relationship?
A. Domain trust
B. Forest trust
C. Nontransitive trust
D. Transitive trust
9. Answer: D. Transitive trust.
A trust that flows through an intermediary (A trusts B, B trusts C, so A
trusts C) is transitive; a nontransitive trust stops at the directly trusted
party.
10. 4. What protocol provides a common open protocol for
interfacing and querying directory service information
provided by network operating systems, using port 389
via TCP or UDP?
A. CHAP
B. LDAP
C. PAP
D. RADIUS
11. Answer: B. LDAP (Lightweight Directory Access Protocol), port 389.
LDAP over TLS (LDAPS) uses port 636.
12. 5. Within Kerberos, which part is the single point of
failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
13. Answer: C. The Key Distribution Center (KDC).
The KDC holds the keys of every principal in the realm and issues all
tickets; if it is unavailable or compromised, the whole realm is affected.
14. 6. A type II biometric is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)
15. Answer: C. False Accept Rate (FAR).
A Type I error is a false rejection (FRR); a Type II error is a false
acceptance (FAR), the more dangerous of the two because an impostor gets in.
17. (Designing, Performing, and Analyzing
Security Testing)
• Assessing Access Control
• Software Testing Methods
WHAT ARE WE GOING TO COVER?
Agenda – Domain 6: Security Assessment and Testing
Only two objectives?! Piece of cake.
Starting on page 329 this evening
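Before leaving the quiz, a worked example for questions 1 and 6. This is added here and is not from the slides: it fabricates genuine and impostor match scores, sweeps the decision threshold, and reports FAR, FRR and the crossover (equal error) point. The score distributions and the threshold mechanism are assumptions for illustration; in a real fingerprint system, verifying fewer minutiae has the same effect as the lower thresholds shown here.

```python
"""Added example: how the match threshold trades FAR against FRR.

Constructed data, not from the slides. Genuine attempts score high on
average, impostor attempts low; a match is accepted if score >= threshold.
"""
import random


def make_scores(seed=7, n=500):
    """Constructed sample scores in [0, 1]; distributions are an assumption."""
    rng = random.Random(seed)
    clip = lambda x: min(1.0, max(0.0, x))
    genuine = [clip(rng.gauss(0.75, 0.10)) for _ in range(n)]
    impostor = [clip(rng.gauss(0.35, 0.10)) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """FAR: impostors accepted; FRR: genuine users rejected, at this threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine, impostor, steps=200):
    """Threshold where FAR and FRR are closest: the Crossover / Equal Error Rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


def sweep():
    """Return FAR/FRR at a loose and a strict threshold plus the CER point."""
    genuine, impostor = make_scores()
    loose = error_rates(genuine, impostor, 0.40)   # quiz Q1: loosen -> FAR up, FRR down
    strict = error_rates(genuine, impostor, 0.70)
    return {"loose": loose, "strict": strict, "cer": crossover(genuine, impostor)}


if __name__ == "__main__":
    for name, value in sweep().items():
        print(name, value)
```

The loose threshold accepts roughly a third of impostors while rejecting almost no genuine users; the strict threshold inverts that. Tuning for a lower CER is a property of the sensor and algorithm, not of the threshold alone.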
18. Unique Terms and Definitions
• Dynamic Testing – Tests code while executing it
• Fuzzing – A type of black box testing that submits random,
malformed data as inputs into software programs to determine if
they will crash
• Penetration Testing – Authorized attempt to break into an
organization’s physical or electronic perimeter (and sometimes
both)
• Static Testing – Tests code passively: the code is not running.
• Synthetic Transactions – Also called synthetic monitoring:
involves building scripts or tools that simulate activities normally
performed in an application
LECTURE
Agenda – Domain 6: Security Assessment and Testing
19. Assessment and testing are critical.
• Accurately assess real-world security.
• How do you know where to start, unless you’ve
assessed where you are?
• Overall security assessments – including various
controls & testing methods.
• Testing software; static and dynamic
20. Assessing Access Control
• First, determine scope!
• What are we testing?
• Why are we testing it?
• Narrower-scope tests include penetration tests (“pentests”),
vulnerability assessments, and security audits.
• Broad-scope security assessments often include these narrower tests as
components.
21. Penetration Testing
• Lots of different types of penetration tests, depending on the what
and why (and a little how).
• Network (Internet)
• Network (internal or DMZ)
• War dialing
• Wireless
• Physical (attempt to gain entrance into a facility or room)
• Simulate client-side attacks, server-side attacks, Web application
attacks, etc.
22. Penetration Testing - Black Hats and White Hats
• Black hat attackers are malicious hackers, sometimes called
crackers.
• “Black” derives from villains in fiction: Darth Vader wore all black
• Lack ethics, sometimes violate laws, and break into computer systems with
malicious intent, and may violate the confidentiality, integrity, or availability of
organization’s systems and data
• White hat hackers are the “good guys”
• Professional penetration testers who break into systems with permission
• Malware researchers who analyze malicious code to provide better
understanding and ethically disclose vulnerabilities to vendors, etc.
• Also known as ethical hackers; they follow a code of ethics and obey laws
24. Penetration Testing - Black Hats and White Hats
• Gray hat hackers fall somewhere between black and white hats
• Exploit a security weakness in a computer system or product, typically
without the owner’s permission, in order to bring the weakness to the
attention of the owners
• Unlike a black hat, a gray hat acts without malicious intent; unlike a
white hat, a gray hat acts without authorization
• The stated goal of a gray hat is to improve system and network security
26. Penetration Testing
• War dialing uses modem to dial a series of phone numbers,
looking for an answering modem carrier tone (the penetration
tester then attempts to access the answering system); the name
derives from the 1983 movie WarGames
• Social engineering uses the human mind to bypass security
controls
• May be used in combination with many types of attacks, especially client-
side attacks or physical tests
• An example of a social engineering attack combined with a client-side attack
is emailing malware with a Subject line of “Category 5 Hurricane is about to
hit Florida!”
• An example of a physical social engineering attack is tailgating an
authorized user into a building
28. Penetration Testing
• A zero-knowledge (also called black box) test is “blind”; the
penetration tester begins with no external or trusted information,
and begins the attack with public information only
• A full-knowledge test (also called crystal-box) provides internal
information to the penetration tester, including network diagrams,
policies and procedures, and sometimes reports from previous
penetration testers
• Partial-knowledge tests are in between zero and full knowledge:
the penetration tester receives some limited trusted information
• Most penetration tests have a scope that includes a limitation on
the time spent conducting the test
29. Penetration Testing Tools and Methodology
• Penetration testing tools:
• Open source Metasploit (http://www.metasploit.org)
• Closed source Core Impact (http://www.coresecurity.com)
and Immunity Canvas (http://www.immunitysec.com)
• Top 125 Network Security Tools (http://sectools.org/)
• Custom tools
31. Penetration Testing Tools and Methodology
• Penetration testers use the following methodology:
• Planning
• Reconnaissance
• Scanning (also called enumeration)
• Vulnerability assessment
• Exploitation
• Reporting
• Black hat hackers typically follow a similar methodology
• Black hats will also cover their tracks (erase logs and other signs
of intrusion), and frequently violate system integrity by installing
back doors (in order to maintain access)
33. Assuring Confidentiality, Data Integrity, and System
Integrity
• Penetration testers must ensure the confidentiality of any
sensitive data that is accessed during the test
• Testers will often request that a dummy file containing no
regulated or sensitive data (sometimes called a flag) be placed in
the same area of the system as the sensitive data (for example, credit
card data) and protected with the same permissions
• If the tester can read and/or write to that file, they have proven they
could have done the same to the sensitive data, without ever touching it
• Penetration testers must be sure to ensure the system integrity
and data integrity of their client’s systems
• The risk of encountering signs of a previous or current successful
malicious attack (discuss this before starting a test)
34. Vulnerability Testing
• Vulnerability scanning (also called vulnerability testing) scans a
network or system for a list of predefined vulnerabilities such as
system misconfiguration, outdated software, or a lack of patching
• Tools: Nessus (http://www.nessus.org), OpenVAS
(http://www.openvas.org), Qualys, and Rapid7 Nexpose
• Typical findings: missing patches and configuration errors
• Common Vulnerability Scoring System (CVSS) -
https://nvd.nist.gov/cvss.cfm
36. Security Assessments
• A holistic approach to assessing the effectiveness of
access control
• Broad scope
• Security assessments view many controls across
multiple domains, and may include the following:
• Policies, procedures, and other administrative controls
• Assessing the real world-effectiveness of administrative
controls
• Change management
• Architectural review
• Penetration tests
• Vulnerability assessments
• Security audits
37. Security Assessments
• Key words… “assessing the effectiveness”
• Where there are gaps in control (weaknesses/vulnerabilities), what
are the applicable threats?
• Risk is the likelihood that a threat exploits a vulnerability, combined
with the impact if it does
• FRSecure specializes in assessments – FISA™ and
FISASCORE®
38. Security Assessments
• Remember our definition of information security?
• Administrative Controls – policies, procedures,
training & awareness, etc.
• Physical Controls – the things we can touch; locks,
cameras, etc.
• Technical Controls – the effectiveness of the
technology we employ to protect assets.
40. Internal and 3rd-Party Audits
• Internal audit
• Structured audits – external audience, validate compliance,
etc.
• Unstructured audits – internal audience, improve security,
etc.
• 3rd-Party audits
• Experts (hopefully)
• Adds credibility
• Teach
41. Log Reviews - Security Audit Logs
• Reviewing security audit logs within an IT system is one of the
easiest ways to verify that access control mechanisms are
performing adequately
• Reviewing audit logs is primarily a detective control
• Remember; we cannot prevent all bad things from happening, so
we must be able to detect and respond. – NOT risk elimination,
but risk management.
42. Log Reviews - Security Audit Logs
• According to NIST Special Publication 800-92
(http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf),
the following log types should be collected:
• Network Security Software/Hardware:
• Antivirus logs
• IDS/IPS logs
• Remote Access Software (such as VPN logs)
• Web proxy
• Vulnerability management
• Authentication servers
• Routers and firewalls
43. Security Audit Logs – Centralized Logging
• Assists in log retention (sufficient for legal/regulatory
compliance and investigation)
• Assists in log protection (integrity & availability) –
attackers delete logs, destroying evidence.
• SIEM
• Log protection
• Log aggregation
• Log correlation
• Dashboard reporting
SIEM isn’t plug and play.
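What a SIEM correlation rule actually does with those collected logs, as an added example that is not part of the slides: parse authentication events from more than one source (an authentication server and a VPN concentrator), key them by source IP, and flag a burst of failures followed by a success. The log lines are constructed in a simplified syslog-like format invented for the example; a real deployment would parse the vendor's own format.

```python
"""Added example (not from the slides): a log review that does what a SIEM
correlation rule does, run over constructed sample lines.

Rule: five or more failed authentications from one source IP within a
60-second window, followed by a success from that IP, is flagged as a
likely brute-force or credential-stuffing success.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a brute-force that succeeds from 203.0.113.7 (spread over
# the auth server and the VPN), plus one ordinary user who typo'd once.
SAMPLE_LOG = """\
2019-05-13T20:01:02 authsrv sshd: Failed password for admin from 203.0.113.7
2019-05-13T20:01:05 authsrv sshd: Failed password for admin from 203.0.113.7
2019-05-13T20:01:07 authsrv sshd: Failed password for root from 203.0.113.7
2019-05-13T20:01:09 vpn01 openvpn: Failed password for admin from 203.0.113.7
2019-05-13T20:01:12 authsrv sshd: Failed password for admin from 203.0.113.7
2019-05-13T20:01:15 authsrv sshd: Accepted password for admin from 203.0.113.7
2019-05-13T20:02:00 authsrv sshd: Failed password for bob from 198.51.100.4
2019-05-13T20:03:30 authsrv sshd: Accepted password for bob from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_bruteforce(events, threshold=5, window_s=60):
    """Return (ip, user, host, failure_count) for each success preceded by a failure burst.

    Failures are correlated by source IP across all hosts, which is the point
    of centralizing logs: neither host alone saw five failures here.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip].append(e["ts"])
            continue
        recent = [t for t in failures[ip] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append((ip, e["user"], e["host"], len(recent)))
        failures[ip].clear()
    return alerts


def run():
    return detect_bruteforce(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for ip, user, host, n in run():
        print(f"ALERT {ip} -> {user}@{host} after {n} failures")
```

Note that the auth server alone logged only four failures from the attacking address; the fifth came through the VPN. That is the aggregation-and-correlation value the slide lists, and also why a detection like this is a detective control rather than a preventive one: it fires after the success.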
44. Software Testing Methods
• Static testing tests the code passively: the code is not running. This
includes walkthroughs, syntax checking, and code reviews.
• Dynamic testing tests the code while executing it.
• White box software testing gives the tester access to program source
code, data structures, variables, etc.
• Black box testing gives the tester no internal details: the software is
treated as a black box that receives inputs.
• Traceability Matrix (sometimes called a Requirements Traceability
Matrix, or RTM) can be used to map customer’s requirements to the
software testing plan: it “traces” the “requirements,” and ensures that
they are being met.
• Fuzzing (also called fuzz testing) is a type of black box testing that
enters random, malformed data as inputs into software programs to
determine if they will crash.
• Combinatorial software testing is a black-box testing method that
seeks to identify and test all unique combinations of software inputs.
45. Software Testing Methods
• Static testing tests the code passively: the code is not running.
This includes walkthroughs, syntax checking, and code reviews.
• Analysis of software that is performed without actually executing
the program
• In most cases the analysis is performed on some version of the
source code, and in the other cases, some form of the object
code
• List of tools for static code analysis
(https://en.wikipedia.org/wiki/List_of_tools_for_static_code_analy
sis)
47. Software Testing Methods
• Traceability Matrix (or
Requirements Traceability
Matrix or RTM)
• Map customer
requirements to the
software testing plan.
48. Software Testing Levels
• Synthetic Transactions (aka synthetic monitoring):
• Scripts and/or tools to simulate “normal” activities.
• Establish baselines and performance metrics
(usually)
49. Software Testing Levels
• Unit Testing: Low-level tests of software components, such as
functions, procedures or objects
• Installation Testing: Testing software as it is installed and first
operated
• Integration Testing: Testing multiple software components as they
are combined into a working system. Subsets may be tested, or
Big Bang integration testing tests all integrated software
components
• Regression Testing: Testing software after updates,
modifications, or patches
• Acceptance Testing: testing to ensure the software meets the
customer’s operational requirements. When this testing is done
directly by the customer, it is called User Acceptance Testing.
50. Software Testing Levels
Fuzzing
• Black box testing that enters random, malformed data as inputs
into software programs to determine if they will crash.
• Crashes are typically caused by missing boundary checks, which can
lead to buffer overflows
• Typically automated, repeatedly presenting random input strings as
command line switches, environment variables, and program inputs
• List of good fuzzers; http://sectools.org/tag/fuzzers/.
• Burp Suite https://portswigger.net/burp/
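The following is an added example, not from the slides or from any of the tools listed: a minimal mutation fuzzer run against a record parser with the kind of boundary-checking bug the slide describes, with the corrected parser beside it. The record format (one length byte followed by that many payload bytes, copied into a fixed 16-byte buffer) is invented for the example. Python raises IndexError rather than silently overwriting memory, so the caught exception stands in for the crash the same bug would produce in C.

```python
"""Added example (not from the slides): a tiny mutation fuzzer and its target.

The vulnerable parser trusts the length byte; the fixed parser checks it
against both the buffer size and the input length.
"""
import random

BUF_SIZE = 16


def parse_record_vulnerable(data):
    """Copies `length` bytes into a 16-byte buffer with no bounds check."""
    if len(data) < 1:
        raise ValueError("empty record")
    length = data[0]
    buf = bytearray(BUF_SIZE)
    for i in range(length):
        buf[i] = data[1 + i]          # overflows buf, or reads past data
    return bytes(buf[:length])


def parse_record_fixed(data):
    """Same format; malformed input is rejected with ValueError instead of crashing."""
    if len(data) < 1:
        raise ValueError("empty record")
    length = data[0]
    if length > BUF_SIZE:
        raise ValueError("declared length exceeds buffer")
    if len(data) < 1 + length:
        raise ValueError("truncated record")
    return bytes(data[1:1 + length])


def fuzz(target, seed=1, iterations=1000):
    """Feed random and mutated records to target; collect inputs that raise anything but ValueError."""
    rng = random.Random(seed)
    valid = bytes([5]) + b"hello"         # one well-formed seed record
    crashes = []
    for _ in range(iterations):
        if rng.random() < 0.5:
            # Mutate the valid record: flip bytes, then truncate or append junk.
            sample = bytearray(valid)
            for _ in range(rng.randint(1, 3)):
                sample[rng.randrange(len(sample))] = rng.randrange(256)
            if rng.random() < 0.3:
                sample = sample[:rng.randrange(len(sample) + 1)]
            else:
                sample += bytes(rng.randrange(256) for _ in range(rng.randrange(0, 40)))
            data = bytes(sample)
        else:
            # Purely random record of random length.
            data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 64)))
        try:
            target(data)
        except ValueError:
            pass                          # input rejected cleanly: expected
        except Exception as exc:          # IndexError etc.: the crash we hunt for
            crashes.append((data, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    bad = fuzz(parse_record_vulnerable)
    print(f"vulnerable parser: {len(bad)} crashing inputs, e.g. {bad[0] if bad else None}")
    print(f"fixed parser: {len(fuzz(parse_record_fixed))} crashing inputs")
```

The harness distinguishes a clean rejection (ValueError) from a crash, which is what a real fuzzer does with exit codes and signals; without that distinction every malformed input would look like a finding.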
52. Other Software Testing Terms
• Misuse Case Testing - derived from and is the inverse of use
case testing; describes the process of executing a malicious act
against a system, while use case can be used to describe any
action taken by the system
• Test Coverage Analysis
• Interface Testing – testing of all interfaces exposed by the
application.
• Combinatorial software testing - a black-box testing method that
seeks to identify and test all unique combinations of software
inputs.
56. And now we’re done…
Or are we?!
Let’s get a jump start on Domain 7: Security Operations.
57. Domain #7: Security Operations (a lot of them…)
• Administrative Security
• Forensics
• Incident Response Management
• Operational Preventive and Detective Controls
• Asset Management
• …
LECTURE
The next domain…
58. Domain #7: Security Operations (a lot of them…)
• Continuity of Operations
• BCP and DRP Overview and Process
• Developing a BCP/DRP
• Backups and Availability
• DRP Testing, Training and Awareness
• Continued BCP/DRP Maintenance
• Specific BCP/DRP Frameworks
59. Unique Terms and Definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure the
continuity of business operations
• Collusion—An agreement between two or more individuals to
subvert the security of a system
• Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover
from a disruptive event
LECTURE
Domain #7: Security Operations
60. Unique Terms and Definitions
• Mean Time Between Failures (MTBF)—quantifies how long a
new or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system
• Mirroring—Complete duplication of data to another disk, used by
some levels of RAID.
• Redundant Array of Inexpensive Disks (RAID)—A method of
using multiple disk drives to achieve greater data reliability,
greater speed, or both
• Striping—Spreading data writes across multiple disks to achieve
performance gains, used by some levels of RAID
61. Administrative Security
• Administrative Security provides the means to control people's
operational access to data
Least Privilege or Minimum Necessary Access
• Dictates that persons have no more than the access that is
strictly required for the performance of their duties
• May also be referred to as the principle of minimum necessary
access
• Most often applied in Discretionary Access Control (DAC) environments
62. Need to know
• Mandatory Access Control (MAC)
• Access determination is based upon clearance levels of subjects
and classification levels of objects
• An extension of least privilege in MAC environments is
compartmentalization:
• A method for enforcing need to know; holding the required clearance
level is not sufficient, the subject must also actually require access to
that specific information
63. Separation of Duties
• Prescribes that multiple people are required to complete critical
or sensitive transactions
• Goal of separation of duties is to ensure that in order for
someone to be able to abuse their access to sensitive data or
transactions; they must convince another party to act in concert
• Collusion is the term used for the two parties conspiring to
undermine the security of the transaction
64. Rotation of Duties/Job Rotation
• Also known as job rotation or rotation of responsibilities
• Provides a means to help mitigate the risk associated with any
one individual having too many privileges
• Requires that critical functions or responsibilities are not
continuously performed by the same single person without
interruption
• “hit by a bus” or “win the lottery” scenario
Exam Warning: Though job or responsibility rotation is an important control,
this, like many other controls, is often compared against the cost of
implementing the control. Many organizations will opt for not implementing
rotation of duties because of the cost associated with implementation. For the
exam, be certain to appreciate that cost is always a consideration, and can
trump the implementation of some controls.
65. Mandatory Leave/Forced Vacation
• Also known as forced vacation
• Can identify areas where depth of coverage is lacking
• Can also help discover fraudulent or suspicious behavior
• Knowledge that mandatory leave is a possibility might deter
some individuals from engaging in the fraudulent behavior in the
first place
66. Non-Disclosure Agreement (NDA)
• A work-related contractual agreement that ensures that, prior to
being given access to sensitive information or data, an individual
or organization appreciates their legal responsibility to maintain
the confidentiality of sensitive information.
• Often signed by job candidates before they are hired, as well as
consultants or contractors
• Largely a directive control
67. Background Checks
• Also known as background investigations or preemployment
screening
• Majority of background investigations are performed as part of a
preemployment screening process
• The sensitivity of the position being filled or data to which the
individual will have access strongly determines the degree to
which this information is scrutinized and the depth to which the
investigation will report
• Ongoing, or postemployment, investigations seek to determine
whether the individual continues to be worthy of the trust required
of their position
• Background checks performed in advance of employment serve
as a preventive control while ongoing repeat background checks
constitute a detective control and possibly a deterrent.
68. Privilege Monitoring
• Heightened privileges require both greater scrutiny and more
thoughtful controls
• Some of the job functions that warrant greater scrutiny include:
account creation/modification/deletion, system reboots, data
backup, data restoration, source code access, audit log access,
security configuration capabilities, etc.
69. Digital Forensics
• Provides a formal approach to dealing with investigations and
evidence with special consideration of the legal aspects of the
process
• Forensics is closely related to incident response
• Main distinction between forensics and incident response is
that forensics is evidence-centric and typically more closely
associated with crimes, while incident response is more
dedicated to identifying, containing, and recovering from
security incidents
• The forensic process must preserve the “crime scene” and the
evidence in order to prevent unintentionally violating the integrity
of either the data or the data's environment
70. Digital Forensics
• Prevent unintentional modification of the system
• Antiforensics makes forensic investigation difficult or impossible
• One method is malware that is entirely memory-resident, and not
installed on the disk drive. If an investigator removes power from a
system with entirely memory-resident malware, all volatile memory
including RAM is lost, and evidence is destroyed.
• Valuable data is gathered during the live forensic capture
• The main source of forensic data typically comes from binary
images of secondary storage and portable storage devices such
as hard disk drives, USB flash drives, CDs, DVDs, and possibly
associated cellular phones and mp3 players
• A binary or bit stream image is used because an exact replica of
the original data is needed
• Normal backup software will only capture the active partitions of
a disk, and only that data which is marked as allocated
71. Digital Forensics
The four types of data that exist:
• Allocated space—portions of a disk partition which are marked as
actively containing data.
• Unallocated space—portions of a disk partition that do not
contain active data. This includes memory that has never been
allocated, and previously allocated memory that has been
marked unallocated. If a file is deleted, the portions of the disk
that held the deleted file are marked as unallocated and available
for use.
72. Digital Forensics
The four types of data that exist:
• Slack space—data is stored in specific size chunks known as
clusters. A cluster is the minimum size that can be allocated by a
file system. If a particular file, or final portion of a file, does not
require the use of the entire cluster then some extra space will
exist within the cluster. This leftover space is known as slack
space: it may contain old data, or can be used intentionally by
attackers to hide information.
• “Bad” blocks/clusters/sectors—hard disks routinely end up with
sectors that cannot be read due to some physical defect. The
sectors marked as bad will be ignored by the operating system
since no data could be read in those defective portions. Attackers
could intentionally mark sectors or clusters as being bad in order
to hide data within this portion of the disk.
73. Digital Forensics
• Numerous tools can be used to create the binary backup, including
free tools such as dd and windd, as well as commercial tools such as
Ghost (when run with specific nondefault switches enabled),
AccessData's FTK, or Guidance Software's EnCase.
• The general phases of the forensic process are:
• the identification of potential evidence;
• the acquisition of that evidence;
• analysis of the evidence;
• production of a report
• Hashing algorithms are used to verify the integrity of binary
images
• When possible, the original media should not be used for
analysis
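An added example (not from the deck or its authors) that models the contrast drawn on this and the preceding slides: a toy disk with constructed 16-byte clusters, a file whose last cluster leaves slack, a logical backup that copies only allocated bytes, a dd-style bit-stream image that copies everything, and a SHA-256 comparison that verifies the image against the source. All data is constructed; no real disk is touched.

```python
import hashlib

# Constructed cluster size for the toy disk (real file systems use e.g. 4 KiB).
CLUSTER = 16


def build_disk(clusters: int, old_data: bytes, file_data: bytes) -> bytearray:
    """Construct a toy disk: every cluster first holds `old_data` (the remains
    of a deleted file), then `file_data` is written starting at cluster 0.
    Clusters the new file does not reach stay as unallocated space."""
    size = clusters * CLUSTER
    disk = bytearray((old_data * size)[:size])
    disk[:len(file_data)] = file_data
    return disk


def clusters_for(file_len: int) -> int:
    """Clusters the file system must allocate (a cluster is the minimum unit)."""
    return -(-file_len // CLUSTER)  # ceiling division


def slack_space(disk: bytearray, file_len: int) -> bytes:
    """Bytes of the file's last cluster that lie past the end of the file."""
    return bytes(disk[file_len:clusters_for(file_len) * CLUSTER])


def logical_backup(disk: bytearray, file_len: int) -> bytes:
    """What normal backup software copies: only the allocated file contents."""
    return bytes(disk[:file_len])


def bit_stream_image(disk: bytearray) -> bytes:
    """What dd produces: every byte, including slack and unallocated clusters."""
    return bytes(disk)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_is_intact(original: bytearray, image: bytes) -> bool:
    """Integrity check: the image hash must equal the hash of the source media."""
    return sha256(bytes(original)) == sha256(image)
```

Running `build_disk(4, b"OLD!", b"SECRET REPORT v2 final")` leaves the deleted-file pattern in the slack and in the two unallocated clusters; the logical backup never sees it, the bit-stream image does, and flipping a single bit in the image makes the hash check fail.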
74. Live Forensics
• Forensics investigators have traditionally removed power from a
system, but the typical approach now is to gather volatile data.
Acquiring volatile data is called live forensics.
• The need for live forensics has grown tremendously due to non-
persistent tools that don’t write anything to disk
• One example from Metasploit…
75. Live Forensics - Metasploit
• Popular free and open source exploitation framework
• Metasploit framework allows for the modularization of the
underlying components of an attack, which allows for exploit
developers to focus on their core competency without having to
expend energy on distribution or even developing a delivery,
targeting, and payload mechanism for their exploit
• Provides reusable components to limit extra work
• A payload is what Metasploit does after successfully exploiting a
target
76. Live Forensics – Metasploit & Meterpreter
• One of the most powerful Metasploit payloads
• Can allow the password hashes of a compromised computer to be
dumped to an attacker's machine
• The password hashes can then be fed into a password cracker
• Or the password hashes might be usable directly in Metasploit's
PSExec exploit module, which is an implementation of the
functionality provided by Sysinternals' (now owned by Microsoft)
PSExec, but bolstered to support Pass the Hash functionality.
Information on Microsoft's PSExec can be found at
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx.
Further details on Pass the Hash techniques can be found at
http://oss.coresecurity.com/projects/pshtoolkit.htm
77. Live Forensics – Metasploit & Meterpreter
• Dumping password hashes with Meterpreter.
• In addition to dumping password hashes, Meterpreter
provides features such as:
• command execution on the remote system
• uploading or downloading of files
• screen capture
• keystroke logging
• disabling the firewall
• disabling antivirus
• registry viewing and modification
• Meterpreter's capabilities are updated regularly
79. Live Forensics – Metasploit & Meterpreter
• Dumping the registry with Meterpreter.
• Meterpreter was designed with detection evasion in
mind
• Meterpreter can provide almost all of the
functionalities listed above without creating a new file
on the victim system
• Runs entirely within the context of the exploited victim
process, and all information is stored in physical
memory rather than on the hard disk.
81. Live Forensics – Metasploit & Meterpreter
• If the forensic investigator removed the power supply
from the compromised machine, destroying volatile
memory: there would be little to no information for the
investigator to analyze
82. Network Forensics
• The study of data in motion.
• Focus on gathering & preservation of
evidence for presentation in court.
• Email contents, online conversations, Web
activities, and file transfers.
83. Forensic Software Analysis
• De-constructing malware and other software.
• Malware is usually detonated in a VM; reverse engineering is
also used.
Embedded Device Forensics
• IoT devices and handheld devices
• Specialized tools are required.
84. Electronic Discovery (eDISCOVERY)
• legal counsel gaining access to pertinent electronic
information during the pre-trial discovery phase of civil
legal proceedings
• seeks ESI, or electronically stored information
• ESI does not need to be conveniently accessible or
transferable
• Data Retention Policy (IMPORTANT)
• Legal/Regulatory reasons?
• Business reasons?
85. Incident Response Management
• Every organization faces information security incidents
• Regimented and tested methodology for identifying and
responding to incidents is critical
• Computer Security Incident Response Team (CSIRT) is a term
used for the group that is tasked with monitoring, identifying, and
responding to security incidents
• Overall goal of the incident response plan is to allow the
organization to control the cost and damage associated with
incidents, and to make the recovery of impacted systems quicker
86. Incident Response Management – Methodology
Different books and organizations may use different terms and
phases associated with incident response; this section will mirror
the terms associated with the examination.
Step 0 - Preparation
• Incidents are inevitable.
• What is an event vs. an incident.
• Who does what, how will they do it, and when?
87. Incident Response Management – Methodology
Different books and organizations may use different terms and
phases associated with incident response; this section will mirror
the terms associated with the examination.
Step 1 - Detection (what I can’t prevent, can I detect?)
• Events are analyzed in order to determine whether
these events might comprise a security incident
• Emphasis on detective controls
88. Incident Response Management – Methodology
Step 2 - Containment (OK I’ve detected it, now what?)
• The point at which the incident response team
attempts to keep further damage from occurring
• Might include taking a system off the network,
isolating traffic, powering off the system, or other
items to control both the scope and severity of the
incident
• Typically where a binary (bit by bit) forensic backup is
made of systems involved in the incident
89. Incident Response Management – Methodology
Step 3 - Eradication
• Involves the process of understanding the cause of
the incident so that the system can be reliably cleaned
and ultimately restored to operational status later in
the recovery phase
• The cause of the incident must be determined
BEFORE recovery
• Root cause analysis is key
90. Incident Response Management – Methodology
Step 4 - Recovery
• Involves restoring the system or systems to
operational status
• Typically, the business unit responsible for the system
will dictate when the system will go back online
• Close monitoring of the system after it is returned to
production is necessary
91. Incident Response Management – Methodology
Step 5 - Reporting
• Most likely to be neglected in immature incident
response programs
• If done right, this phase has the greatest potential to
effect a positive change in security posture
• Goal is to provide a final report on the incident, which
will be delivered to management
93. Incident Response Management – Methodology
• Exam lists a 7-step lifecycle; book calls for 8-step
(adding “Preparation”):
• 1. Preparation
• 2. Detection (aka Identification)
• 3. Response (aka Containment)
• 4. Mitigation (aka Eradication)
• 5. Reporting
• 6. Recovery
• 7. Remediation
• 8. Lessons Learned (aka Post-incident Activity, Post Mortem,
or Reporting)
94. Incident Response Management – Methodology
1. Preparation
• training, writing incident response policies and
procedures, providing tools such as laptops with
sniffing software, crossover cables, original OS media,
removable drives, etc.
• Everything that you do to prepare for an incident
• Policy and procedures
• Incident handling checklist and other forms for
tracking
• Classification
• Impact
98. Incident Response Management – Methodology
2. Detection (aka Identification)
• What are all of the inputs into my incident response process?
• Events vs. incidents
3. Response (aka Containment)
• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing
damage
• Start root cause analysis
99. Incident Response Management – Methodology
4. Mitigation (aka Eradication)
• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting
• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and
non-technical)
100. Incident Response Management – Methodology
6. Recovery
• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post
Mortem, or Reporting) – there are always lessons
101. We made it through Class 9!
For real. Much of this class was educational AND practical.
Please try to catch up in your reading.
• We left off on page 363 in the book.
• Wednesday (5/15) we’ll start again with “Operational
Preventive and Detective Controls”
• Come with questions!
Have a great evening, talk to you Wednesday!
Let’s do some more quiz questions!
After all, you’ll need to get used to it.