
CompTIA Security+

Lecture Five

Incident ResponseDisaster Recovery & Business Continuity

Copyright 2011 - VTC

Incident

An incident is the occurrence of any event that compromises a system or network. Examples include:

• Loss of information confidentiality (data theft)

• Compromise of information integrity (damage to data or unauthorized modification)

• Theft or damage of physical IT assets, including computers, storage devices, etc.

• Denial of service

• Misuse of services, information, or assets

• Infection of systems by unauthorized or hostile software

• An attempt at unauthorized access

• Unauthorized changes to organizational hardware, software, or configuration

Incident Response

• Incident response encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.

• Security incidents happen quickly

• It is important that you be prepared with an organized and methodical response process

• This ensures a consistent and reliable investigation and proper evidence handling

Incident Response Goals

• Verify that an incident occurred.

• Maintain or restore business continuity.

• Reduce the incident impact.

• Determine how the attack was done or how the incident happened.

• Prevent future attacks or incidents.

• Improve security and incident response.

• Prosecute illegal activity (only possible if evidence was handled properly from the first minute).

• Keep management informed of the situation and response.

Six-Step Incident Response Process

1. Preparation

◦ setting up systems to detect threats and policies for dealing with them

◦ identifying the roles staff will play in incident response

◦ creating emergency contact lists

2. Identification

◦ identifying what the threat is and/or the effects it is having on your systems and networks

◦ keeping records of the time, the systems involved and what was observed

◦ making a full system backup (image) as soon as the intrusion is observed, to preserve as much information about the attack as you can

3. Containment

◦ limiting the effects of an incident by confining the problem to as few systems as possible

◦ freezing the scene so that nothing further happens to the compromised system(s), typically by disconnecting their network connections; capture volatile data (memory, active connections) first if the investigation will need it, since that state is gone the moment the link or the power goes

4. Eradication

◦ getting rid of whatever the attacker compromised, by deleting the affected files or doing a complete system reinstall (a reinstall from known-good media is the only way to be sure a rootkit is gone)

5. Recovery

◦ getting back into business by putting the system back into normal operation: reconnecting it to the network, restoring from backups if necessary, and watching it closely for a return of the attacker

6. Follow-up

◦ tightening security so that the same intrusion cannot happen again

◦ determining the "cost" of the intrusion based on staff time, lost data and lost user work time

◦ considering whether additional tools would have helped handle the incident better than it was handled

◦ reflecting on the "lessons learned" from both the intrusion and the organization's response to it, and tweaking policies as required

Computer Forensics

is the science of extracting information from computers in support of the investigation of a crime or other malicious activity.

• Gathering evidence from computer systems to assist in an investigation

• Volatile vs. non-volatile data (collect the most volatile first, since it disappears on power-off or is overwritten as the system runs)

• Requires special expertise and tools

5

Forensic Process Phases

A number of steps from the original incident alert through to the reporting of findings:

1. Collection: identify, label, record and acquire the data while preserving its integrity

2. Examination: process the collected data with forensic tools to extract the data of interest

3. Analysis: interpret the examination results to answer the questions that prompted the investigation

4. Reporting: document the findings, the methods used and the basis for each conclusion

Non-Volatile Operating System Data

Data that persists across a reboot because it lives on disk:

• Configuration files

• Logs

• Data files

• Swap files

Volatile Operating System Data

Data that is lost on shutdown or overwritten as the system keeps running, so it must be collected from the live system, most volatile first:

• Unused (free and slack) disk space, which the running system may overwrite at any time

• Network connections

• Running processes

• Memory contents

Guideline for Collecting Computer Evidence

• Keep the system powered on (powering off destroys memory contents and running-process state)

• Disconnect it from the network (after capturing the active connections if they are needed)

• Create an image and work from it; hash the original and the copy, and never analyze the original

• Use forensic tools (write blockers and imaging tools that do not modify the source)

• Document every step of the way: who did what, to which item, when, and the hash obtained (chain of custody)
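The evidence-handling guideline above ("create an image and work from it", "document every step") and the record keeping called for in the Identification step come down to two mechanics: hashing the image before and after copying, and keeping a chain-of-custody log that cannot be quietly edited. The Python below is an added example written for this page, not VTC's material; the image contents, file names and analyst name are constructed, and the hash-chained log format is one reasonable design, not a standard.

```python
"""Added example (not from the VTC lecture): hash an evidence image, verify the
working copy against it, and keep a tamper-evident chain-of-custody log.
All image contents and identifiers below are constructed for the demo."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-GB image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what to which item, when, and its hash.

    Each entry embeds the hash of the previous entry, so an edited or deleted
    line breaks the chain and verify() reports it."""

    def __init__(self):
        self.entries = []

    def record(self, item, action, actor, digest):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item,
            "action": action,
            "actor": actor,
            "sha256": digest,
            "prev": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every entry hash; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire_and_verify(original, working_copy, actor, log):
    """Hash the original, hash the copy, log both, and report whether they match."""
    orig_digest = sha256_file(original)
    log.record(original, "acquired", actor, orig_digest)
    copy_digest = sha256_file(working_copy)
    log.record(working_copy, "copied", actor, copy_digest)
    return orig_digest == copy_digest


def demo():
    """Constructed scenario: one image, one faithful copy, one copy with a single altered word.
    Returns (good copy verified, bad copy verified, log intact, log intact after tampering)."""
    tmp = tempfile.mkdtemp()
    image = os.path.join(tmp, "evidence.dd")
    good = os.path.join(tmp, "working.dd")
    bad = os.path.join(tmp, "tampered.dd")
    filler = bytes(range(256)) * 16  # deterministic, contains no "root"
    data = filler + b"suspect.log: ssh login root" + filler
    for p in (image, good):
        with open(p, "wb") as f:
            f.write(data)
    with open(bad, "wb") as f:
        f.write(data.replace(b"root", b"user"))
    log = CustodyLog()
    ok_good = acquire_and_verify(image, good, "analyst1", log)
    ok_bad = acquire_and_verify(image, bad, "analyst1", log)
    chain_ok = log.verify()
    log.entries[1]["actor"] = "someone-else"  # simulate someone rewriting the record
    return ok_good, ok_bad, chain_ok, log.verify()


if __name__ == "__main__":
    print(demo())
```

A single changed byte in the working copy, or a single edited field in the log, is enough to fail verification; that is the property an opposing expert will test for.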

Network Forensics

• Many security incidents are focused on the network

• Network devices provide sources of forensic information, both volatile (connection tables, ARP caches, routing state) and non-volatile (logs, configuration)

• Advance preparation is the key to the availability of quality evidence

Network Data Sources

• Protocol analyzers (packet captures)

• Firewalls and routers (connection and access logs, flow export)

• Intrusion detection systems

• Remote access systems (VPN and dial-in authentication logs)

• Security event management software (SIEM), which correlates all of the above

NetFlow Data

• Summary network traffic information exported by routers and switches: one record per flow (source and destination address, ports, protocol, packet and byte counts, start and end time)

• Useful in reconstructing communication sessions

◦ Source

◦ Destination

◦ Quantity (bytes and packets transferred)

• No payload information: flow data shows that a host sent 40 GB to an outside address at 3 a.m., not what was in it
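As an added example (not from the lecture), the Python below reads NetFlow-style records, collapses them into sessions, and flags internal hosts sending unusually large volumes outside the network. The records, the 10.0.0.0/8 internal range and the 50 MB threshold are constructed for the demonstration; a real export from nfdump or an IPFIX collector carries the same fields and, as the slide says, no payload.

```python
"""Added example (not from the VTC lecture): reconstruct who-talked-to-whom from
NetFlow-style summary records and flag large outbound transfers.  The records,
internal range and threshold below are constructed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export: one line per unidirectional flow record.
SAMPLE_FLOWS = """\
start,src,dst,dport,proto,packets,bytes
2011-03-01T09:00:01,10.0.0.15,93.184.216.34,443,tcp,120,86000
2011-03-01T09:00:03,10.0.0.15,93.184.216.34,443,tcp,95,74000
2011-03-01T09:02:10,10.0.0.22,10.0.0.5,445,tcp,400,512000
2011-03-01T09:05:00,10.0.0.15,198.51.100.7,22,tcp,30000,41000000
2011-03-01T09:05:30,10.0.0.15,198.51.100.7,22,tcp,28000,38000000
2011-03-01T09:07:00,10.0.0.40,203.0.113.9,53,udp,2,180
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse_flows(text):
    """CSV flow export -> list of dicts with numeric counts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["packets"] = int(r["packets"])
        r["bytes"] = int(r["bytes"])
        r["dport"] = int(r["dport"])
        rows.append(r)
    return rows


def sessions(flows):
    """Collapse records into (src, dst, dport) sessions with totals and first-seen time."""
    agg = {}
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        s = agg.setdefault(key, {"bytes": 0, "packets": 0, "records": 0, "first_seen": f["start"]})
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
        s["records"] += 1
        s["first_seen"] = min(s["first_seen"], f["start"])
    return agg


def outbound_volume(flows, internal=INTERNAL):
    """Bytes each internal host sent to addresses outside the internal range."""
    out = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in internal and dst not in internal:
            out[f["src"]] += f["bytes"]
    return dict(out)


def flag_exfiltration(flows, threshold_bytes=50_000_000):
    """Internal hosts whose outbound total exceeds the threshold, largest first."""
    hits = [(h, b) for h, b in outbound_volume(flows).items() if b > threshold_bytes]
    return sorted(hits, key=lambda hb: -hb[1])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for key, s in sessions(flows).items():
        print(key, s)
    print(flag_exfiltration(flows))
```

The 79 MB over SSH to 198.51.100.7 stands out purely from byte counts; confirming what left would need a packet capture or the host itself, which is the limitation the slide points at.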

Identifying an Attacker

Attribution from network evidence is hard because of:

• Spoofed IP addresses

• Distributed attacks: botnets, zombies

• The dynamic nature of IP addressing (correlate the address with the DHCP log for the time of the event, not the current lease)

• WHOIS data identifies who registered an address block or domain, not necessarily who was using it
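As an added example of working around dynamic addressing (not from the lecture): correlate the IP address in an alert with the DHCP server's log to find the MAC address and hostname that held it at that moment, rather than whoever holds it now. The log lines are constructed in ISC dhcpd's syslog format, and the year is assumed because syslog timestamps do not carry one.

```python
"""Added example (not from the VTC lecture): map an IP address seen in an alert back
to the MAC address and hostname that held it at that time, using DHCP server logs.
Log lines are constructed in ISC dhcpd syslog format; the year is an assumption."""
import re
from datetime import datetime

# Constructed sample: 10.0.0.15 is leased to two different machines during the day.
SAMPLE_DHCP_LOG = """\
Mar  1 08:30:12 dhcp dhcpd: DHCPACK on 10.0.0.15 to 00:1a:2b:3c:4d:5e (laptop-17) via eth0
Mar  1 08:31:40 dhcp dhcpd: DHCPACK on 10.0.0.40 to 00:1a:2b:aa:bb:cc (printer-2) via eth0
Mar  1 11:02:05 dhcp dhcpd: DHCPRELEASE of 10.0.0.15 from 00:1a:2b:3c:4d:5e (laptop-17) via eth0 (found)
Mar  1 11:15:27 dhcp dhcpd: DHCPACK on 10.0.0.15 to 08:00:27:de:ad:00 (guest-pc) via eth0
"""

ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")
REL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPRELEASE of (\S+) from ([0-9a-f:]{17})")


def _ts(syslog_time, year):
    """Syslog has no year; supply the assumed one."""
    return datetime.strptime(f"{year} {syslog_time}", "%Y %b %d %H:%M:%S")


def lease_timeline(log_text, year=2011):
    """Per IP, a time-ordered list of (time, mac, hostname, event) from ACK and RELEASE lines."""
    timeline = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            timeline.setdefault(m.group(2), []).append((_ts(m.group(1), year), m.group(3), m.group(4), "ack"))
            continue
        m = REL_RE.match(line)
        if m:
            timeline.setdefault(m.group(2), []).append((_ts(m.group(1), year), m.group(3), None, "release"))
    for events in timeline.values():
        events.sort(key=lambda e: e[0])
    return timeline


def who_had(ip, when, timeline):
    """(mac, hostname) holding ip at datetime `when`, or None if unleased or unknown."""
    holder = None
    for t, mac, host, event in timeline.get(ip, []):
        if t > when:
            break
        holder = (mac, host) if event == "ack" else None
    return holder


def who_had_iso(ip, when_iso, timeline):
    """Same lookup with an ISO-8601 timestamp string, e.g. from an IDS alert."""
    return who_had(ip, datetime.fromisoformat(when_iso), timeline)


if __name__ == "__main__":
    tl = lease_timeline(SAMPLE_DHCP_LOG)
    for when in ("2011-03-01T09:05:00", "2011-03-01T11:10:00", "2011-03-01T12:00:00"):
        print(when, who_had_iso("10.0.0.15", when, tl))
```

The same address resolves to laptop-17 at 09:05 and to guest-pc at noon; querying the DHCP server "now" would blame the wrong machine for the morning event.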

Network Forensic Recommendations

• Provide adequate storage for network logs (retention long enough to cover the typical gap between compromise and detection)

• Prepare by collecting information before an incident: logging and flow export must already be switched on when the incident happens

• Employ skilled analysts

• Consider the fidelity and value of each data source (a full packet capture is authoritative but expensive; flow data is cheap but has no payload; IDS alerts are interpretations, not raw evidence)

Physical Forensics

• Traditional forensic and investigative techniques can help with incident response

◦ physical sources of evidence can be as valuable to an investigation as electronic ones

Physical Data Sources

• Surveillance systems: video cameras

• Access control systems (badge and door logs)

• Fingerprints

• Paper records

Witnesses

• Attackers are often tripped up because:

◦ Someone saw something

◦ They said something to someone

• Witnesses should be treated as a valuable source of evidence

• Interview vs. examination

Business Continuity and Disaster Recovery

• Business Continuity Planning (BCP)

◦ limiting the impact a disaster will have on the organization: keeping critical business processes running through the disruption

• Disaster Recovery Planning (DRP)

◦ restoring operations as soon as possible in the face of a disruptive disaster

• DRP picks up where BCP leaves off

BCP/DRP is the last line of defense against failure. If other controls have failed, BCP/DRP is the final alternative. If it fails, the business may fail.

Four Phases of BCP

1. Project scope and planning

2. Business impact assessment

3. Continuity planning

4. Approval and implementation

Phase 1: Project Scope and Planning

1. Identify stakeholders

◦ Operational departments

◦ Critical support services

◦ Senior leadership

2. Select team members

◦ Representatives of stakeholders

◦ Technical experts in each BCP area

◦ Security professionals

◦ Legal

3. Determine resource requirements to:

◦ Develop the plan

◦ Test, train and maintain the plan

◦ Implement it in an emergency

Phase 2: Business Impact Assessment

• Gap analysis of business processes that identifies, for each process:

◦ Recovery Time Objective (RTO)

▪ the maximum time allowed to recover the business process or IT system after a disruption

◦ Maximum Tolerable Outage (MTO, also called Maximum Tolerable Downtime)

▪ the maximum amount of time the organization can survive without the business process in any form; the RTO must be shorter than the MTO or the plan cannot succeed

◦ Recovery Point Objective (RPO)

▪ the maximum amount of data loss the process can tolerate, expressed as a period of time; it determines the minimum frequency with which backups must be made

Phase 3: Continuity Planning

• For each risk, select one of the four risk management strategies:

◦ Avoid (stop the activity that creates the risk)

◦ Mitigate (add controls that reduce likelihood or impact)

◦ Accept (knowingly tolerate the risk, with management sign-off)

◦ Transfer (insurance, or contractual shifting to a third party)

Phase 4: Approval and Implementation

• Document the plan

◦ Written documentation is key

◦ Place copies where everyone can locate them, including off-site, since the plan must be reachable when the primary site is not

◦ Provides a historical record

• Training and education

◦ Everyone needs to know their role

◦ Leaders need the big picture

◦ Initial and refresher training should be used in combination

Disaster Recovery Planning

• When the BCP fails (and it will!), disaster recovery steps in

• Two types of disaster

◦ Natural disasters (flood, earthquake, storm)

◦ Man-made disasters (power outage, sabotage, major malware outbreak)

DRP Goals

• Rapidly establish an alternate processing facility

• Maintain operations at that facility for an extended period of time

• Efficiently transition back to the primary facility

Alternate Processing Facilities

• Hot sites contain all of the hardware, software and data you need to run

◦ Recovery time measured in minutes to a few hours, since data is kept replicated to the site; the most expensive option

• Warm sites contain hardware and software, but no current data

◦ Recovery time measured in hours to days, because data must be restored from off-site backups

• Cold sites contain support systems (HVAC, power, telecom) but no equipment

◦ Recovery time measured in weeks; the cheapest option

Testing and Maintaining the Plan

• Checklist reviews: each team member reviews the portion of the plan they own

• Tabletop exercises

◦ structured walkthrough: walk through the proposed recovery procedures in a structured manner, around a table, to find omissions, gaps and conflicts

• Soft (parallel) tests: bring up the recovery site and run the procedures while production keeps running, then compare results

• Hard (full-interruption) tests: shut down the primary site and operate from the recovery site; the most realistic test and the riskiest, so it needs management approval and a rollback plan

General Rules of Backup

• Backup often! (at least as often as the RPO requires)

• Encrypt backups, and protect the keys separately from the media, or the backup itself becomes the data breach

• Store backup media off-site, far enough away not to share the primary site's disaster

• Test restores: a backup that has never been restored is not known to work

Types of Backup

• Full backups store a copy of every file on the system and clear the archive bit on each file afterwards

• Differential backups store everything changed since the most recent full backup. They back up only files that have the archive bit turned on, and leave the bit on afterwards, so each differential grows until the next full backup. Restore = last full + last differential.

• Incremental backups store everything changed since the most recent full or incremental backup. They back up only files that have the archive bit turned on, and turn the bit off afterwards, so each incremental stays small. Restore = last full + every incremental since it, in order.
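The archive-bit rules above are easiest to see by running them. The Python simulation below is added here and is not from the lecture; the file names and the Monday-to-Thursday change sequence are constructed. It shows what each backup type copies on each day, and that restoring a full plus only the latest incremental silently loses data.

```python
"""Added example (not from the VTC lecture): simulate the archive bit to show what
full, differential and incremental backups copy, and what a restore then needs.
File names and the change sequence are constructed."""


class FileSystem:
    """Files with content and an archive bit that is set whenever a file is written."""

    def __init__(self):
        self.files = {}  # name -> (content, archive_bit)

    def write(self, name, content):
        self.files[name] = (content, True)

    def backup(self, kind):
        """Return {name: content} copied. kind is 'full', 'differential' or 'incremental'."""
        if kind == "full":
            selected = list(self.files)
        elif kind in ("differential", "incremental"):
            selected = [n for n, (_, bit) in self.files.items() if bit]
        else:
            raise ValueError(kind)
        copied = {n: self.files[n][0] for n in selected}
        if kind in ("full", "incremental"):  # these clear the bit; differential leaves it set
            for n in selected:
                self.files[n] = (self.files[n][0], False)
        return copied


def restore(full, later_sets):
    """Replay a full backup, then each later set in order; later copies overwrite earlier ones."""
    state = dict(full)
    for s in later_sets:
        state.update(s)
    return state


def scenario(kind):
    """Monday full backup, then one change per day Tue-Thu with a `kind` backup each evening.
    Returns the daily sets, the correct Thursday restore, and a naive full+last-set restore."""
    fs = FileSystem()
    fs.write("a.txt", "a1")
    fs.write("b.txt", "b1")
    fs.write("c.txt", "c1")
    full = fs.backup("full")
    fs.write("a.txt", "a2")
    tue = fs.backup(kind)
    fs.write("b.txt", "b2")
    wed = fs.backup(kind)
    fs.write("a.txt", "a3")
    thu = fs.backup(kind)
    if kind == "differential":
        restored = restore(full, [thu])             # full + latest differential only
    else:
        restored = restore(full, [tue, wed, thu])   # full + every incremental, in order
    return {
        "tue": tue, "wed": wed, "thu": thu,
        "restored": restored,
        "full_plus_last_only": restore(full, [thu]),  # correct for differential, lossy for incremental
    }


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, scenario(kind))
```

For the incremental run, full_plus_last_only comes back with b.txt at its Monday content: Wednesday's change lived only on the Wednesday tape. That is the trade: smaller nightly sets against a longer, order-sensitive restore chain.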

Media Rotation Strategies

• Reusing media allows us to save money and act in a sustainable manner

• Common media rotation strategies include:

◦ Grandfather-Father-Son (GFS)

▪ a full backup occurs at regular intervals. The most recent backup after the full backup is the son. As newer backups are made, the son becomes the father and the father becomes the grandfather; typically daily (son), weekly (father) and monthly (grandfather) sets, each kept longer than the one below it

◦ Tower of Hanoi

▪ a backup rotation schedule based on the Tower of Hanoi puzzle of the French mathematician Édouard Lucas: the first tape is used every second day, the next every fourth day, the next every eighth day, and so on, so a small set of tapes holds both recent and much older restore points

◦ Round robin

▪ tapes are used in a fixed order and simply overwritten when their turn comes round again; the simplest scheme, with the shortest history

Grandfather-Father-Son backup (diagram)
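As an added example (not the lecture's own material), the Python below generates a Tower of Hanoi tape schedule and labels days under a simple GFS scheme. The GFS rule used (first of the month = grandfather, Friday = father, other days = son) is an assumed policy, not one the lecture specifies.

```python
"""Added example (not from the VTC lecture): which tape to mount each day under
Tower of Hanoi rotation, plus son/father/grandfather labels for an assumed GFS policy."""
from datetime import date, timedelta


def trailing_zeros(n):
    """Number of trailing zero bits in n (n >= 1)."""
    return (n & -n).bit_length() - 1


def hanoi_tape(day, tapes):
    """Tape index for 1-based `day`: tape 0 every 2nd day, tape 1 every 4th, tape 2 every 8th, ...
    The last tape absorbs every remaining power of two so the set never runs out."""
    if day < 1 or tapes < 2:
        raise ValueError("day must be >= 1 and at least two tapes are needed")
    return min(trailing_zeros(day), tapes - 1)


def hanoi_schedule(days, tapes):
    """Tape index to use on each of the first `days` days."""
    return [hanoi_tape(d, tapes) for d in range(1, days + 1)]


def hanoi_reuse_period(tapes):
    """Days between overwrites of each tape; the longest period is the oldest restore point kept."""
    return [2 ** (i + 1) for i in range(tapes - 1)] + [2 ** (tapes - 1)]


def gfs_label(d):
    """Assumed policy: monthly (grandfather) on the 1st, weekly (father) on Fridays, otherwise daily (son)."""
    if d.day == 1:
        return "grandfather"
    if d.weekday() == 4:  # Monday == 0, so 4 is Friday
        return "father"
    return "son"


def gfs_schedule(start_iso, days):
    """(ISO date, label) for `days` consecutive days starting at start_iso."""
    start = date.fromisoformat(start_iso)
    out = []
    for i in range(days):
        d = start + timedelta(days=i)
        out.append((d.isoformat(), gfs_label(d)))
    return out


if __name__ == "__main__":
    print("Hanoi, 4 tapes, 16 days:", hanoi_schedule(16, 4))
    print("reuse period per tape:", hanoi_reuse_period(4))
    print(gfs_schedule("2011-03-01", 7))
```

With four tapes the sequence repeats every 16 days and tape 3 is only overwritten every 8 days, which is the point of the scheme: many recent restore points on the cheap tapes, a few old ones on the rarely touched one.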

Fault Tolerance

• Is the ability of a system to sustain operations in the event of a component failure.

• Identifying single points of failure:

◦ Servers

◦ Power supplies

◦ Fans

◦ Hard disks

• Two key components of fault tolerance: spare parts and electrical power. Spare-part strategies are N+1 (one spare for N active units) and 1+1 (a dedicated spare for each unit); power is covered by a UPS for short outages and a backup generator for long ones.

Clustered Servers

• High availability clusters

◦ Clustering involves multiple systems connected together to provide fail-over capabilities: if the active node fails, a standby node takes over its services.

• Load balancing clusters

◦ Install the service or application onto multiple servers that are configured to share the workload; a failed server simply stops receiving requests.

• Compute cycle clusters

◦ Many nodes working on one large computation in parallel, for throughput rather than fault tolerance.

Disk Fault Tolerance

• Redundant Array of Independent (originally Inexpensive) Disks (RAID)

• Provides fault tolerance against disk failure; it does not protect against data corruption, deletion or malware, which are faithfully written to every disk

• Works by spreading data (and, in most levels, parity) across multiple disks

• Many variants

RAID

• RAID 1: Disk mirroring; every write goes to two disks, so either disk can fail

• RAID 3: Disk striping with a dedicated parity disk

◦ allows any single disk in the array to fail while the system continues to operate; the parity disk is written on every operation and becomes the bottleneck

• RAID 5: Disk striping with parity, the most common choice. The parity is spread across all the disks, so any single disk can fail and no one disk is the write bottleneck. A second failure before the rebuild completes loses the array.

• RAID is very useful, but it is NOT a replacement for backups

RAID (diagram)
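The claim that RAID 3 and RAID 5 survive any single disk failure rests on XOR parity: the parity block is the XOR of the data blocks in a stripe, so any one missing block equals the XOR of all the others. The Python below, added here and not from the lecture, stripes data across four simulated disks with rotating parity (the RAID 5 layout; pinning parity_disk to one index gives RAID 3), fails a disk and rebuilds it. Disk count, block size and the sample data are constructed.

```python
"""Added example (not from the VTC lecture): RAID 5 style striping with rotating
XOR parity, single-disk failure and rebuild.  Disk count and block size are
constructed; each "disk" is a list of blocks."""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, disks, block_size):
    """Split data into stripes of (disks-1) data blocks plus one parity block.
    Parity rotates across disks per stripe (RAID 5); a fixed parity disk would be RAID 3."""
    if disks < 3:
        raise ValueError("need at least three disks for striping with parity")
    data_per_stripe = (disks - 1) * block_size
    padded = data + b"\0" * (-len(data) % data_per_stripe)
    layout = [[] for _ in range(disks)]
    for s in range(len(padded) // data_per_stripe):
        chunk = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(disks - 1)]
        parity_disk = s % disks
        it = iter(blocks)
        for d in range(disks):
            layout[d].append(xor_blocks(blocks) if d == parity_disk else next(it))
    return layout


def raid5_read(layout, block_size, length):
    """Reassemble the original bytes by skipping each stripe's parity block."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        parity_disk = s % disks
        for d in range(disks):
            if d != parity_disk:
                out += layout[d][s]
    return bytes(out[:length])


def raid5_rebuild(layout, failed):
    """Reconstruct every block of the failed disk (layout[failed] may be None)
    as the XOR of the surviving disks' blocks in the same stripe."""
    survivors = [d for d in range(len(layout)) if d != failed]
    stripes = len(layout[survivors[0]])
    return [xor_blocks([layout[d][s] for d in survivors]) for s in range(stripes)]


def demo():
    """Write, lose disk 2, rebuild it, and confirm the data reads back unchanged."""
    data = b"The quick brown fox jumps over the lazy dog" * 3
    layout = raid5_write(data, disks=4, block_size=8)
    layout[2] = None                      # disk 2 dies
    layout[2] = raid5_rebuild(layout, 2)  # rebuild from the other three
    return raid5_read(layout, 8, len(data)) == data


if __name__ == "__main__":
    print("rebuilt and verified:", demo())
```

Rebuilding reads every surviving disk end to end, which is exactly when a second, marginal disk tends to fail; that window is why RAID is not a backup.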

Environmental Controls

• Power

• Fire suppression

• Climate

Power

• Uninterruptible Power Supplies (UPS): battery-backed, bridge short outages and condition the line until generators start

• Generators: long-term backup power; need fuel supply and regular load testing

Power Issues

• Faults are momentary losses of power

• Blackouts are long-term losses of power

• Sags (momentary) and brownouts (prolonged) are voltage drops

• Spikes (momentary) and surges (prolonged) are voltage peaks

• Noise is interference superimposed on the power line ("dirty" or fluctuating power)

Fire Suppression

• Data center fires are often caused by electrical issues

• Water can damage electronic equipment, but is often the cheapest type of fire suppression

Water Fire Suppression Systems

• Wet pipe systems: pipes are always full of water; a head releases it when heat opens that head

• Dry pipe systems: pipes hold pressurized air and fill with water only when a head opens (used where pipes might freeze)

• Deluge systems: all heads are open; a detector opens the valve and floods the whole area

• Pre-action systems: a two-stage dry pipe system in which the pipes fill on a first detector alarm and release only when a head also opens, so a single accidentally triggered head does not soak the equipment; the usual choice for data centers

Fire Extinguisher Classes

• Class A use water or soda acid and are suitable for common combustibles (wood, paper)

• Class B use CO2, Halon substitutes, or soda acid for liquid fires (fuel, oil)

• Class C use CO2 or Halon substitutes for electrical fires (never water, which conducts)

• Class D use dry powder for combustible-metal fires

Climate Control

• Temperature and humidity are critical in a data center (too dry raises static discharge risk, too humid causes corrosion)

• Hot aisle/cold aisle: arrange racks so that intakes face a cold aisle and exhausts face a hot aisle, and the two air streams do not mix

• Environmental monitoring: temperature, humidity, water and smoke sensors with alerting