Operations Security Week 5 Incident Management, Investigations, and Physical Security Incidence Response Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The Steps of Incidence Handling Triage – Is it an actual incident or a false alarm? How serious is it? Investigation – Gathering evidence Containment – Limit the damage by isolation and mitigation Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it? Tracking – Document the incident and determine the source Recovery – Mitigate the incident and apply lessons learned to reduce risk of recurrence Triage The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident and doing it all in the midst of crisis, when every second counts. Different incidents require different responses – A Denial of Service attack (DOS) has to be addressed differently than a malware infection. Establishing baselines can help identify unusual activity. The number of indicators to potential incidents are very high, so false positives are common. Investigation The Incident Scene – The Environment where potential evidence may exist Principles of criminalistics apply Identify the scene Protect the Environment Identify evidence and potential sources of evidence Collect Evidence Minimize the degree of contamination General Guidelines All general forensic and procedural procedures must be applied Seizing digital evidence must not alter the evidence Any person accessing original digital evidence must be trained All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review While an individual is in possession of digital evidence, he or she is responsible for all actions Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles Roles and Responsibilities A solid foundation of knowledge and policy A properly trained response team Core areas must be represented Chain of Custody Tracks Evidence Handling A formal, well-documented procedure MUST be followed – NO EXCEPTIONS Locard’s Exchange Principle When a crime is committed, the perpetrators leave something behind and take something with them. Digital Forensics Be Authentic Be Accurate Be Complete Be Convincing Be Admissible Live Evidence Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down Short Term Containment The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup cop.

1. Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incidence Response
Incident response is an organized approach to addressing and
managing the aftermath of a security breach or attack (also
known as an incident).
The Steps of Incidence Handling
Triage – Is it an actual incident or a false alarm? How serious is
it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How
did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to
reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage
is the art of rapidly assessing the severity of the incident and
following the right protocols, in the right order, to reduce the
consequences of the incident and doing it all in the midst of
crisis, when every second counts.
Different incidents require different responses – A Denial of
Service attack (DOS) has to be addressed differently than a
malware infection.
Establishing baselines can help identify unusual activity. The

2. number of indicators to potential incidents are very high, so
false positives are common.
Investigation
The Incident Scene – The Environment where potential
evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural procedures must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of
digital evidence must be fully documented, preserved, and
available for review
While an individual is in possession of digital evidence, he or
she is responsible for all actions

3. Any agency responsible for seizing, accessing, storing, or
transferring digital evidence is responsible for compliance with
these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO
EXCEPTIONS
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something
behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible

4. Live Evidence
Data that is dynamic and exists in processes that disappear in a
relatively short time frame once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring
and provide time for additional analysis and mitigation. Isolate
the system from the production network and create a backup
copy for investigation.
Possible short term containment steps include
Remove power
Unplug the NIC
Change DNS entries
Apply new ACL filters
Isolate network segments
Disconnect Internet access
Apply null routing
Long Term Containment
If an affected system is a critical system, it may be necessary to
keep it in production while a new system is built to take over its
functions. After a backup of the system has been made for
investigation, steps must be taken to mitigate the incident while
leaving the system available.
Long term containment steps include:
Remove compromised accounts
Apply security patches
Alter firewall rules
Remove Malware
Place in a Dirty VLAN

5. Analysis
Media Analysis
Recovery of information or evidence from information media
The media may have been overwritten, damaged, degaussed, or
re-used
Network Analysis
Analysis and examination of network logs and activity for
potential evidence
The critical phase of the process is proper evidence handling
and processing
Software Analysis
Encompasses investigative activity
Malware analysis
Intellectual property disputes
Copyright infringements
Goals
Author identification
Content Analysis
Payload and context Analysis
Recovery
Eventually the necessary steps to resolve the incident will be
preformed.
Recovery simply implies the amount of time it may take for
operations to be fully restored
Reporting and Documenting
One of the most important, yet overlooked, phases is the
debriefing and feedback phase
Security Policy Review

6. Which controls were inadequate or failed?
How can we improve our controls?
Did the Incident Management Plan function as intended?
Physical Security
Deter
Delay
Detect
Assess
Respond
Defense in Depth
The Practice of placing multiple layers of defenses (security
controls) to provide redundancy in the event a control fails or a
vulnerability is exploited
Layered barrier designs are advantageous when they require
increased knowledge, skill, and talent to circumvent them
Important concept borrowed from the military and has been
used since at least 216 BCE
Access Control

7. Ensures that only authorized personnel are permitted inside the
controlled area
Persons subject to control include employees, visitors,
customers, vendors, and the general public
Authorization Mechanisms typically include Identification
Badges or Cards – Something you have
Magnetic Stripe, Proximity Cards, or Smart Cards
Closed Circuit TV (CCTV)
A collection of cameras, recorders, switches, keyboards, and
monitors that allow viewing and recording of security events
Provides a highly flexible method of surveillance and
monitoring
Can provide deterrence, detection, and Evidentiary Archives
External Monitoring
Infrared (IR) sensors
Microwave
Coaxial strain-sensitive cable
Lighting
Cameras
Monitor displays
Guards
Alarm
Internal Access
Doors

8. Turnstiles
Mantraps
Keys
Locks
Safes
Fire Prevention
Classes of fires
Data center requirements
VESDA devices
Classes of Fire
Stages of a Fire
A fire normally goes through four stages of development:
Incipient (Pre-combustion)
Visible smoke
Fast flaming
Heat

9. Data Center Requirements
Have suppression agents such as water, carbon dioxide, FM-200
(the industry-recognized replacement for Halon 1301), etc., on
hand.
Install alarms and sensors (i.e., ion-based or optical smoke
detectors), and fixed, or rate-of-rise temperature sensors.
Data centers require particularly sensitive alarms. Instead of
commercial- grade fire alarms, data centers should have devices
that signal the early stages of a fire through optical or chemical
sensors that may sound an alarm before a fire even starts.
VESDA Detectors
VESDA (an abbreviation of Very Early Smoke Detection
Apparatus) is a laser based smoke detection system.
Fire Protection
Heating, ventilation, and air conditioning systems maintain
appropriate humidity and temperature controls as well as a
contaminant-free air supply
Monitoring systems can detect abnormal data center
temperatures, humidity, or other factors
HVAC Systems
Heating, ventilation, and air conditioning systems maintain
appropriate humidity and temperature controls as well as a
contaminant-free air supply.
Monitoring systems can detect abnormal data center
temperatures, humidity, or other factors. Monitoring devices
alert you to a potential problem before there is a disruption in
service.

10. Ideally, HVAC systems will have backup power and be isolated
from the rest of the building.
Power
Electric power goals – Provide clean and steady power for data
centers and include UPS (uninterruptible power supply) surge
protectors and protection from transient noise, etc.
Ensure that a proper electrical infrastructure is in place, and
have this validated by a certified electrician.
Mission-critical data centers should have alternate power
sources, such as emergency generators, as well as a minimum
24-hour fuel supply.