
Chapter 12: Disaster Recovery and Incident Response


1 Chapter 12: Disaster Recovery and Incident Response
Security+ Chapter 12: Disaster Recovery and Incident Response Modified 10/5/2016- wagnerju

2 Chapter 12: Disaster Recovery and Incident Response
- Given a scenario, implement basic forensic procedures.
- Summarize common incident response procedures.
- Summarize risk management best practices.
- Explain the proper use of penetration testing versus vulnerability scanning.

3 What Is Business Continuity?
Organization's ability to continue operations after a disruptive event
Disruptive events:
- Power outage
- Hurricane
- Tsunami
Business continuity planning and testing steps:
- Identify exposure to threats
- Create preventative and recovery procedures
- Test procedures to determine if they are sufficient

4 What Is Business Continuity? (cont’d.)
Succession planning: determining in advance who is authorized to take over if key employees are not available (die or are incapacitated)
Example - US Presidential Succession:
1 Vice President of the United States
2 Speaker of the House
3 President pro tempore of the Senate
4 Secretary of State
5 Secretary of the Treasury
6 Secretary of Defense
7 Attorney General

5 What Is Business Continuity? (cont’d.)
Business impact analysis (BIA): analyzes the most important business functions and quantifies the impact of their loss
- Identifies threats through risk assessment
- Determines impact if threats are realized
Questionnaires are used to prompt thinking about the impact of a disaster
In-person interviews are held to discuss different disaster scenarios
A BIA interview form helps organize information obtained from the interview

6 Table 13-1 BIA interview form

7 Disaster Recovery
Disaster recovery - subset of business continuity planning and testing
- Also known as contingency planning
- Focuses on protecting and restoring information technology functions
Disaster recovery activities: create, implement, and test disaster recovery plans

8 Disaster Recovery IT contingency planning
Developing an outline of procedures to be followed in the event of a major IT incident (e.g., a denial-of-service attack) or an incident that directly impacts IT (e.g., a building fire)

9 Disaster Recovery Plan
Disaster Recovery Plan (DRP): a written document that details the process for restoring IT resources following an event that causes a significant disruption in service
Comprehensive in its scope, a DRP is intended to be a detailed document that is updated regularly
Example of a disaster planning approach: define different risk levels for the organization's operations based on disaster severity

10 Disaster Recovery Plan Common Features
Common features of most disaster recovery plans:
- Definition of plan purpose and scope
- Definition of recovery team and their responsibilities
- List of risks and procedures and safeguards that reduce risk
- Outline of emergency procedures
- Detailed restoration procedures
A DRP should contain a sufficient level of detail

11 Disaster Recovery Plan (cont’d.)
Most disaster recovery plans address the common features included in the following typical outline:
Unit 1: Purpose and Scope
Unit 2: Recovery Team and their responsibilities
Unit 3: Preparing for a Disaster - list of risks and procedures and safeguards that reduce risk
Unit 4: Emergency Procedures
Unit 5: Restoration Procedures
It is important that a good DRP contains sufficient detail

12 Disaster Recovery Plan (cont’d.)
A DRP must be adaptable
Backout/contingency option - a component of a DRP: if the plan response is not working properly, the technology is rolled back to its starting point and a different approach is taken

13 Disaster Recovery Plan (cont’d.)
Disaster exercises: designed to test the DRP's effectiveness
Disaster exercise objectives:
- Test the efficiency of interdepartmental planning and coordination in managing a disaster
- Test current DRP procedures
- Determine the strengths and weaknesses in the responses

14 Disaster Recovery Plan (cont’d.)
Tabletop exercises: exercises that simulate an emergency situation, but in an informal and stress-free environment

15 AT&T's Network Disaster Recovery Team
Trucks and vans with enough equipment and personnel to set up a main telephone central office in a vacant lot in a few hours

16 Reinforcing Vendor Support

17 Interoperability Agreements
Service Level Agreement (SLA) - service contract between a vendor and a client
Blanket Purchase Agreement (BPA) - prearranged purchase or sale agreement between a government agency and a business
Memorandum of Understanding (MOU) - describes an agreement between two or more parties
Interconnection Security Agreement (ISA) - agreement intended to minimize security risks for data transmitted across a network

18 Incident Response Procedures

19 Incident Response Procedures
When an unauthorized incident occurs, a response is required. Incident response procedures include using forensic science and properly responding to a computer forensics event.

20 Incident Response Procedures
Preparation - the key to properly handling an event is to be prepared in advance by establishing comprehensive policies and procedures
Execution - putting the policies and procedures in place involves several crucial
Analysis - in the aftermath, proper reporting should document how the event occurred and what actions were taken; a "lessons learned" analysis should be conducted in order to use the event to build stronger incident response policies and procedures

21 What Is Forensics?
Forensics, also known as forensic science: the application of science to questions that are of interest to the legal profession (analyzing evidence)
Computer forensics:
- Uses technology to search for computer evidence of a crime
- Can attempt to retrieve information, even if it has been altered or erased, that can be used in the pursuit of the attacker or criminal
- Also used to limit damage and loss of control of data

22 What Is Forensics? Computer forensics
The importance of computer forensics is due in part to the following:
- High amount of digital evidence
- Increased scrutiny by the legal profession
- Higher level of computer skill by criminals

23 Basic Forensics Procedures
Four basic steps are followed when responding to the crime scene:
1. Secure the crime scene
2. Collect the evidence
3. Establish a chain of custody
4. Examine for evidence

24 Basic Forensics Procedures (cont’d.)
Secure the crime scene
- Goal: preserve the evidence
- Damage control steps are taken to minimize loss of evidence
- The computer forensics response team should be contacted whenever digital evidence needs to be preserved, and should serve as first responders
- The physical surroundings of the computer should be clearly documented
- Photographs of the area should be taken before anything is touched

25 Basic Forensics Procedures (cont’d.)
Secure the crime scene (continued)
- The computer should be photographed from several angles
- The complete room should be recorded with 360 degrees of coverage, when possible
- Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.
- Cables connected to the computer should be labeled
- The team takes custody of the entire computer
- The team interviews witnesses

26 Forensic Data Acquisition
Offline vs. live systems

27 Basic Forensics Procedures (cont’d.)
Preserve the evidence
- Digital evidence is very fragile: it can be easily altered or destroyed
- The computer forensics team captures volatile data (examples: contents of RAM, current network connections, screenshots)
- The order of volatility must be followed to preserve the most fragile data first

28 Table 13-11 Order of volatility

30 Basic Forensics Procedures (cont’d.)
Preserve the evidence (continued)
- Capture the entire system image: mirror image backups replicate all sectors of a computer hard drive, including all files and any hidden data storage areas, to meet evidence standards
- Take hashes

32 Basic Forensics Procedures (cont’d.)
Establish the chain of custody: documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt the evidence
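The two slides above, taking hashes of the captured image and keeping a chain of custody, are easy to state and easy to get subtly wrong in practice. The following Python example is added here as an illustration; it is not code from the slides or the textbook. It hashes a constructed sample image in chunks (so a real multi-terabyte image never has to fit in memory), records acquisition hashes in an append-only custody log, verifies a working copy against those hashes, and shows that a single altered byte in the copy is detected. The evidence identifier, custodian names and the sample image bytes are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "disk image". In a real acquisition this would be the
# sector-by-sector mirror image of the seized drive, produced through a
# write blocker and stored on dedicated evidence media.
SAMPLE_IMAGE = b"MBR\x00" * 128 + b"deleted-file-remnant" + b"\x00" * 2048


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a file in fixed-size chunks; two algorithms are recorded because
    lab procedures commonly require more than one digest per image."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Re-hash a working copy and compare with the acquisition hashes.
    Any mismatch means the copy cannot be relied on as evidence."""
    actual = hash_file(path, algorithms=tuple(expected))
    return all(actual[name] == digest for name, digest in expected.items())


class ChainOfCustody:
    """Append-only record of who held the evidence, when, and why. Every entry
    carries the hashes known at that moment, so a break is visible later."""

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def add_entry(self, custodian, action, hashes, note=""):
        self.entries.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "hashes": dict(hashes),
            "note": note,
        })
        return len(self.entries)

    def unbroken(self):
        """The chain is intact only if every entry records the same hashes as
        the acquisition entry; an empty log proves nothing."""
        if not self.entries:
            return False
        first = self.entries[0]["hashes"]
        return all(e["hashes"] == first for e in self.entries)

    def to_json(self):
        return json.dumps({"evidence_id": self.evidence_id,
                           "description": self.description,
                           "entries": self.entries}, indent=2)


def demo():
    """Acquire, hand over, verify, then tamper with the working copy."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence-001.dd")   # constructed name
        working = os.path.join(workdir, "evidence-001-copy.dd")
        with open(original, "wb") as f:
            f.write(SAMPLE_IMAGE)
        acq = hash_file(original)
        coc = ChainOfCustody("EV-001", "constructed sample drive image")
        coc.add_entry("examiner A", "acquired image", acq, "imaged via write blocker")

        with open(working, "wb") as f:
            f.write(SAMPLE_IMAGE)
        copy_ok = verify_image(working, acq)           # pristine copy: True
        coc.add_entry("examiner B", "received working copy", hash_file(working))

        with open(working, "r+b") as f:                # one byte changed
            f.seek(600)
            f.write(b"X")
        tampered_ok = verify_image(working, acq)       # now False
        return copy_ok, tampered_ok, coc.unbroken()


if __name__ == "__main__":
    print(demo())
```

The custody log stores hashes with each hand-over rather than once at acquisition, so a mismatch pinpoints the custodian in whose hands the evidence changed, which is the question a court will ask.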

33 Basic Forensics Procedures (cont’d.)
Examine for evidence
After a computer forensics expert creates a mirror image of a system:
- The original system is secured
- The mirror image is examined to reveal evidence, including searching word processing documents, files, spreadsheets, and other documents for evidence
- File hashes (signatures) are created to compare against law enforcement hash databases

34 Hidden Clues
Hidden clues can also be mined and exposed, including the Windows page file
Slack and metadata are additional sources of hidden data
Computers can use two types of slack:
- RAM slack - Windows pads the remaining cluster space with data that is currently stored in RAM
- Drive file slack (sometimes called drive slack) - the padded data that Windows uses comes from data stored on the hard drive

35 Basic Forensics Procedures (cont’d.)
Examine for evidence (continued)
- RAM slack can contain any information that has been created, viewed, modified, downloaded, or copied since the computer was last booted
- Drive file slack (sometimes called drive slack) contains remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer
- An additional source of hidden clues can be gleaned from metadata, or data about data
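To make the two kinds of slack concrete, here is an added Python simulation (not code from the slides or the textbook) of one cluster on a small constructed disk. It computes where RAM slack and drive slack fall for a file of a given length, writes a confidential file, "deletes" it without touching the cluster, reuses the cluster for a smaller file, and then carves the slack regions the way an examiner would. The 512-byte sector and 4096-byte cluster sizes, the file contents and the RAM snapshot are all assumptions made for the demonstration; the RAM-padding behaviour follows what the slide attributes to Windows.

```python
import math

SECTOR = 512    # bytes per sector (assumption: classic 512-byte sectors)
CLUSTER = 4096  # bytes per cluster (assumption: default NTFS cluster size)


def slack_sizes(file_len, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, drive_slack) in bytes for a file of file_len bytes.
    RAM slack runs from the end of the file to the end of its last sector;
    drive slack is the unused whole sectors up to the end of the last cluster."""
    if file_len <= 0:
        return 0, 0  # empty file: no cluster is allocated, so no slack exists
    sectors_used = math.ceil(file_len / sector)
    clusters_used = math.ceil(file_len / cluster)
    ram_slack = sectors_used * sector - file_len
    drive_slack = clusters_used * cluster - sectors_used * sector
    return ram_slack, drive_slack


def write_file(disk, cluster_index, data, ram_contents, sector=SECTOR, cluster=CLUSTER):
    """Simulate an OS write into one cluster: the file bytes, then RAM slack
    padded from `ram_contents` (the behaviour the slide describes), then the
    drive-slack sectors left exactly as they were."""
    if len(data) > cluster:
        raise ValueError("this simulation handles single-cluster files only")
    start = cluster_index * cluster
    disk[start:start + len(data)] = data
    ram_slack, _ = slack_sizes(len(data), sector, cluster)
    pad = ram_contents[:ram_slack].ljust(ram_slack, b"\x00")
    disk[start + len(data):start + len(data) + ram_slack] = pad


def read_slack(disk, cluster_index, file_len, sector=SECTOR, cluster=CLUSTER):
    """Carve the RAM-slack and drive-slack regions belonging to a file."""
    ram_slack, drive_slack = slack_sizes(file_len, sector, cluster)
    ram_start = cluster_index * cluster + file_len
    drive_start = ram_start + ram_slack
    return (bytes(disk[ram_start:drive_start]),
            bytes(disk[drive_start:drive_start + drive_slack]))


# Constructed scenario: a 3000-byte confidential file is written, "deleted"
# (only its directory entry disappears), and a 1000-byte file reuses the cluster.
OLD_FILE = (b"PAYROLL-RECORD;" * 200)[:3000]
NEW_FILE = b"B" * 1000
RAM_SNAPSHOT = b"session_token=deadbeef;user=alice;" * 4   # constructed RAM contents


def demo():
    disk = bytearray(CLUSTER * 4)
    write_file(disk, 1, OLD_FILE, b"\x00" * SECTOR)
    # "Deletion" overwrites nothing in the cluster, so the old bytes remain.
    write_file(disk, 1, NEW_FILE, RAM_SNAPSHOT)
    ram_region, drive_region = read_slack(disk, 1, len(NEW_FILE))
    return {
        "ram_slack_bytes": len(ram_region),
        "drive_slack_bytes": len(drive_region),
        "ram_leak": ram_region,                                   # bytes that came from RAM
        "old_file_remnant_found": b"PAYROLL-RECORD" in drive_region,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

For the 1000-byte file the numbers are 24 bytes of RAM slack (the tail of the second sector) and 3072 bytes of drive slack (six untouched sectors), and the drive slack still carries the payroll text from the deleted file. The `file_len <= 0` branch matters: an empty file has no allocated cluster, so treating it as having a full cluster of slack would send an examiner looking in the wrong place.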

36 Figure RAM slack © Cengage Learning 2012

37 Figure 13-11 Drive file slack
© Cengage Learning 2012

38 Hex Editor and Disk Editor HxD

39 Vulnerability Scanning vs. Penetration Testing
Two important vulnerability assessment procedures:
- Vulnerability scanning
- Penetration testing
Similar and therefore often confused; both play an important role in uncovering vulnerabilities

40 Vulnerability Scanning vs. Penetration Testing
- Automated software searches a system for known security weaknesses
- Creates a report of potential exposures
- Should be conducted on existing systems and as new technology is deployed
- Usually performed from inside the security perimeter
- Does not interfere with normal network operations

41 Vulnerability Scanning Methods
Intrusive vulnerability scan - attempts to actually penetrate the system in order to perform a simulated attack
Non-intrusive vulnerability scan - uses only available information to hypothesize the status of the vulnerability
Credentialed vulnerability scan - scanners that permit the username and password of an active account to be stored and used
Non-credentialed vulnerability scan - scanners that do not use credentials
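The slide's distinction between a non-intrusive, non-credentialed scan (which can only "hypothesize" from what a service reveals over the network) and a credentialed scan (which reads the host's own package database) is the one that decides how many false positives land in the report. The Python below is an added illustration, not code from the slides or from any scanning product. It matches constructed service banners against a constructed advisory table to produce banner-based hypotheses, checks the same hosts from a constructed credentialed package inventory, and reconciles the two. The advisory thresholds, hosts, banners and package versions are all made up for the example; the version comparison is a deliberate simplification of real dpkg/rpm rules.

```python
import re

# Constructed advisory knowledge base (placeholder thresholds, not real advisories):
# the upstream version that fixed the weakness and, per distribution, the package
# version that carries the same fix as a backport.
KNOWN_WEAK = {
    "openssh": {"fixed_upstream": "8.4", "fixed_package": {"debian": "1:7.9p1-10+deb10u2"}},
    "nginx":   {"fixed_upstream": "1.20.0", "fixed_package": {"debian": "1.20.0-1"}},
}

# Constructed banners, as a non-credentialed scan sees them from the network.
BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"),
    ("10.0.0.5", 80, "Server: nginx/1.18.0"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_9.3"),
]

# Constructed package inventory, as a credentialed scan reads it from each host.
INVENTORY = {
    "10.0.0.5": {"distro": "debian",
                 "packages": {"openssh": "1:7.9p1-10+deb10u2", "nginx": "1.18.0-6"}},
    "10.0.0.9": {"distro": "debian", "packages": {"openssh": "1:9.3p1-1"}},
}

BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH_(\d+\.\d+)"),
    "nginx": re.compile(r"nginx/(\d+\.\d+\.\d+)"),
}


def version_key(version):
    """Simplified comparison key: the numeric components in order
    (assumption; real dpkg/rpm comparison has additional rules)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def banner_findings(banners=BANNERS):
    """Non-credentialed view: a banner version below the upstream fix is only a
    hypothesis, because a distribution may have backported the fix."""
    findings = []
    for host, port, banner in banners:
        for service, pattern in BANNER_PATTERNS.items():
            m = pattern.search(banner)
            if m and version_key(m.group(1)) < version_key(KNOWN_WEAK[service]["fixed_upstream"]):
                findings.append({"host": host, "port": port, "service": service,
                                 "status": "hypothesized", "evidence": banner})
    return findings


def credentialed_findings(inventory=INVENTORY):
    """Credentialed view: compare the installed package with the distro's fixed package."""
    findings = []
    for host, info in inventory.items():
        for service, installed in info["packages"].items():
            fixed = KNOWN_WEAK[service]["fixed_package"][info["distro"]]
            vulnerable = version_key(installed) < version_key(fixed)
            findings.append({"host": host, "service": service,
                             "status": "confirmed" if vulnerable else "not vulnerable",
                             "evidence": f"package {installed}, fixed in {fixed}"})
    return findings


def reconcile(banners=BANNERS, inventory=INVENTORY):
    """Keep a banner hypothesis only when the credentialed check confirms it;
    otherwise label it a false positive, or unverified when no login was possible."""
    verified = {(f["host"], f["service"]): f["status"] for f in credentialed_findings(inventory)}
    report = []
    for f in banner_findings(banners):
        status = verified.get((f["host"], f["service"]), "unverified (no credentialed data)")
        if status == "not vulnerable":
            status = "false positive (backported fix)"
        report.append({**f, "final": status})
    return report


if __name__ == "__main__":
    for row in reconcile():
        print(f'{row["host"]}:{row["port"]} {row["service"]}: {row["final"]}')
```

On the constructed data the OpenSSH banner on 10.0.0.5 looks vulnerable from the network but the package version shows the backported fix is installed, so the credentialed pass downgrades it to a false positive; the nginx finding survives both passes. This is why the slide lists credentialed scanning separately: the extra access changes the confidence of every line in the report.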

42 Intrusive and Non-intrusive Vulnerability Scans
Table 15-7: Intrusive and non-intrusive vulnerability scans

Intrusive vulnerability scanning
  Description: Vulnerability assessment tools use intrusive scripts to penetrate and attack.
  Advantages: By attacking a system in the same manner as an attacker would, more accurate results are achieved.
  Disadvantages: The system may be unavailable for normal use while the scan is being conducted. Also, it may disable security services for the duration of the attack.

Non-intrusive vulnerability scanning
  Description: Through social engineering and general reconnaissance efforts, information is gathered regarding the known vulnerabilities and weaknesses of the system.
  Advantages: Organizations can avoid any disruption of service or setting off alerts from IPS, IDS, and firewalls. These scans also mimic the same reconnaissance efforts used by attackers.
  Disadvantages: Time is needed for all the information to be analyzed so that the security status of the system based on the data can be determined.

43 Penetration Testing
- Designed to exploit system weaknesses
- Relies on the tester's skill, knowledge, and cunning
- Usually conducted by an independent contractor
- Tests are usually conducted from outside the security perimeter
- May even disrupt network operations
- End result: a penetration test report

44 Penetration Testing (cont’d.)
Black box test - the tester has no prior knowledge of the network infrastructure
White box test - the tester has in-depth knowledge of the network and systems being tested
Gray box test - some limited information has been provided to the tester
