CompTIA Security+
Lecture Five
Incident Response, Disaster Recovery & Business Continuity
Copyright 2011 - VTC
Incident
An incident is the occurrence of any event that compromises a system or network. Examples include:
• Loss of information confidentiality (data theft)
• Compromise of information integrity (damage to data or unauthorized modification)
• Theft or damage of physical IT assets including computers, storage devices, etc.
• Denial of service
• Misuse of services, information, or assets
• Infection of systems by unauthorized or hostile software
• An attempt at unauthorized access
• Unauthorized changes to organizational hardware, software, or configuration
Incident Response
• Incident response encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
• Security incidents happen quickly
• It is important that you be prepared with an organized and methodical response process
• This ensures consistent and reliable investigation and proper evidence handling
Incident Response Goals
• Verify that an incident occurred.
• Maintain or restore business continuity.
• Reduce the incident impact.
• Determine how the attack was done or the incident happened.
• Prevent future attacks or incidents.
• Improve security and incident response.
• Prosecute illegal activity.
• Keep management informed of the situation and response.
Six-Step Incident Response Process
1. Preparation
◦ setting up systems to detect threats and policies for dealing with them.
◦ identifying roles staff will play in incident response
◦ creating emergency contact lists.
2. Identification
◦ identifying what the threat is, and/or the effects it is having on your systems/networks
◦ keeping records of the time/systems involved/what was observed
◦ making a full system backup after the intrusion was observed to preserve as much information about the attack as you can.
3. Containment
◦ limiting the effects of an incident by confining the problem to as few systems as possible
◦ freezing the scene so that nothing further happens to the compromised system(s) by disconnecting its network connections.
4. Eradication
◦ getting rid of whatever the attacker might have compromised by deleting files or doing a complete system reinstall
5. Recovery
◦ getting back into business, by putting the system back into normal operations, reconnecting it to the network, restoring from backups if necessary, etc.
6. Follow-up
◦ tightening security so that the intrusion cannot happen again
◦ determining the “cost” of the intrusion based on staff time/lost data/lost user work time
◦ considering whether additional tools might have helped handle the incident better than it was handled
◦ reflecting on “lessons learned” from both the intrusion and the organization’s response to it and tweaking policies as required.
Computer Forensics
Computer forensics is the science of extracting information from computers in support of the investigation of crime or other malicious activity.
• Gathering evidence from computer systems to assist in an investigation
• Volatile vs. non-volatile data
• Requires special expertise and tools
Forensic Process Phases
The forensic process runs through a number of steps, from the original incident alert through to the reporting of findings:
1. Collection
2. Examination
3. Analysis
4. Reporting
Non-Volatile Operating System Data
• Configuration files
• Logs
• Data files
• Swap files
Volatile Operating System Data
• Unused disk space
• Network connections
• Running processes
• Memory contents
Guideline for Collecting Computer Evidence
• Keep the system powered on
• Disconnect it from the network
• Create an image and work from it
• Use forensic tools
• Document every step of the way
Network Forensics
• Many security incidents are focused on the network
• Network devices provide sources of forensic information, both volatile and non-volatile
• Advance preparation is the key to availability of quality evidence
Network Data Sources
• Protocol analyzers
• Firewalls and routers
• Intrusion detection systems
• Remote access systems
• Security event management software
NetFlow Data
• Summary network traffic information
• Useful in reconstructing communications session data
◦ Source
◦ Destination
◦ Quantity
• No payload information
Identifying an Attacker
• Spoofed IP addresses
• Distributed attacks: botnets, zombies
• Dynamic nature of IP addressing (DHCP log)
• WHOIS data
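The two slides above describe what NetFlow summaries can and cannot tell an investigator and why DHCP logs matter when IP addresses are dynamic. The following is an added example, not from the VTC lecture: it folds constructed unidirectional flow records into per-session source/destination/quantity totals (no payload is available), then resolves an internal address to the machine that held the DHCP lease at the time of the flow. Record and lease formats, IP addresses and hostnames are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records: one per direction, no payload.
# (start, src IP, src port, dst IP, dst port, proto, packets, bytes)
FLOWS = [
    ("2011-03-01 09:00:05", "10.0.0.23", 51234, "203.0.113.7", 443, "tcp", 12, 1500),
    ("2011-03-01 09:00:05", "203.0.113.7", 443, "10.0.0.23", 51234, "tcp", 9, 90210),
    ("2011-03-01 09:01:10", "10.0.0.23", 51235, "203.0.113.7", 443, "tcp", 8, 1200),
    ("2011-03-01 09:01:10", "203.0.113.7", 443, "10.0.0.23", 51235, "tcp", 6, 40000),
    ("2011-03-01 09:03:00", "10.0.0.44", 40000, "192.0.2.9", 22, "tcp", 30, 4000),
]
# Constructed DHCP lease log: (lease start, lease end, IP, MAC, hostname).
# The same IP is handed to two different machines on the same day.
LEASES = [
    ("2011-03-01 08:00:00", "2011-03-01 12:00:00", "10.0.0.23", "00:11:22:33:44:55", "lab-pc-7"),
    ("2011-03-01 12:00:00", "2011-03-01 16:00:00", "10.0.0.23", "66:77:88:99:aa:bb", "visitor-laptop"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def sessions(flows):
    """Fold both directions of a conversation into one session. The lower
    port is taken as the service side, so the key is
    (client, server, server port, proto) -> (packets, bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for _, sip, sport, dip, dport, proto, pkts, nbytes in flows:
        key = (dip, sip, sport, proto) if sport < dport else (sip, dip, dport, proto)
        totals[key][0] += pkts
        totals[key][1] += nbytes
    return {k: tuple(v) for k, v in totals.items()}

def who_had(ip, when, leases):
    """Resolve a dynamic IP to the MAC/hostname holding its lease at time
    'when'. Without the timestamp the wrong machine would be blamed."""
    t = parse(when)
    for start, end, lip, mac, host in leases:
        if lip == ip and parse(start) <= t < parse(end):
            return mac, host
    return None

def clients_of(server_ip, flows, leases):
    """Attribute each internal client that talked to server_ip to a device."""
    found = {}
    for ts, sip, _, dip, _, _, _, _ in flows:
        if dip == server_ip:
            found[sip] = who_had(sip, ts, leases)
    return found
```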
Network Forensic Recommendations
• Provide adequate storage for network logs
• Prepare by collecting information
• Employ skilled analysts
• Consider the fidelity and value of each data source
Physical Forensics
• Traditional forensic and investigative techniques can help with incident response
◦ physical incidents provide a valuable source of information for investigation, as electronic ones do
Physical Data Sources
• Surveillance systems: video cameras
• Access control systems
• Fingerprints
• Paper records
Witnesses
• Hackers are often tripped up because:
◦ Someone saw something
◦ They said something to someone
• Witnesses should be treated as a valuable source of evidence
• Interview vs. examination
Business Continuity and Disaster Recovery
• Business Continuity Planning (BCP)
◦ limiting the impact a disaster will have on the organization
• Disaster Recovery Planning (DRP)
◦ restoring operations as soon as possible in the face of a disruptive disaster
• DRP picks up where BCP leaves off
BCP/DRP is a last line of defense against failure. If other controls have failed, BCP/DRP is the final alternative. If it fails, the business may fail.
Four Phases of BCP
• Project scope and planning
• Business impact assessment
• Continuity planning
• Approval and implementation
Phase 1: Project Scope and Planning
1. Identify stakeholders
◦ Operational departments
◦ Critical support services
◦ Senior leadership
2. Select team members
◦ Representatives of stakeholders
◦ Technical experts in each BCP area
◦ Security professionals
◦ Legal
3. Determine resource requirements to:
◦ Develop the plan
◦ Test, train and maintain the plan
◦ Implement in an emergency
Phase 2: Business Impact Assessment
• Gap analysis of business processes that identifies:
◦ Recovery Time Objective (RTO)
▪ describes the maximum time allowed to recover business or IT systems
◦ Maximum Tolerable Outage (MTO)
▪ the maximum amount of time that an organization can survive without the business process in any form
◦ Recovery Point Objective (RPO)
▪ determines the minimum frequency with which backups must be made
Phase 3: Continuity Planning
• For each risk, select one of the four risk management strategies
◦ Avoid
◦ Mitigate
◦ Accept
◦ Transfer
Phase 4: Approval and Implementation
• Document the plan
◦ Written documentation is key
◦ Place copies where everyone can locate them
◦ Provides a historical record
• Training and education
◦ Everyone needs to know their role
◦ Leaders need the big picture
◦ Initial and refresher training should be used in combination
Disaster Recovery Planning
• When the BCP fails (and it will!), disaster recovery steps in
• Two types of disaster
◦ Natural disasters
◦ Man-made disasters
DRP Goals
• Rapidly establish an alternate processing facility
• Maintain operations at that facility for an extended period of time
• Efficiently transition back to the primary facility
Alternate Processing Facilities
• Hot sites contain all of the hardware, software and data you need to run
◦ Recovery time measured in seconds
• Warm sites contain hardware and software, but no data
◦ Recovery time measured in hours
• Cold sites contain support systems (HVAC, telecom) but no equipment
◦ Recovery time measured in weeks
Testing and Maintaining the Plan
• Checklist reviews
• Tabletop exercises
◦ structured walkthrough: walk through the proposed recovery procedures in a structured manner to determine any omissions, gaps, ...
• Soft (parallel) tests
• Hard (full-interruption) tests
General Rules of Backup
• Back up often!
• Encrypt backups
• Store backup media off-site
Types of Backup
• Full backups store a copy of every file on the system
• Differential backups store everything changed since the most recent full backup. They back up only files that have the archive bit turned on, and after the backup the bit is left on.
• Incremental backups store everything changed since the most recent full or incremental backup. They back up only files that have the archive bit turned on, and after the backup the bit is turned off.
Media Rotation Strategies
• Reusing media allows us to save money and act in a sustainable manner
• Common media rotation strategies include
◦ Grandfather-Father-Son (GFS)
▪ a full backup occurs at regular intervals. The most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father becomes the grandfather
◦ Tower of Hanoi
▪ a backup rotation schedule based on the Tower of Hanoi puzzle devised by a French mathematician
◦ Round robin
Grandfather-Father-Son backup (diagram)
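To make the two rotation schemes on the previous slides concrete, here is an added example (not from the lecture) that computes which tape is written on a given day. The GFS calendar it assumes is a common one but is a constructed choice: Monday to Thursday daily "son" tapes, a weekly "father" tape on Friday, and a monthly "grandfather" tape on the last Friday of the month. The Tower of Hanoi scheme uses tape k every 2^k runs, so the most recently added tape is overwritten most often and the oldest tape keeps the oldest copy.

```python
from datetime import date
import calendar

def gfs_tape(d):
    """Label of the tape written on date d (None on weekends, when this
    constructed schedule takes no backup)."""
    wd = d.weekday()                      # Monday == 0
    if wd < 4:                            # Mon-Thu: daily sons, reused weekly
        return "son-%d" % (wd + 1)
    if wd == 4:                           # Friday: weekly father...
        last_day = calendar.monthrange(d.year, d.month)[1]
        if d.day + 7 > last_day:          # ...unless it is the month's last Friday
            return "grandfather-%02d" % d.month
        return "father-%d" % ((d.day - 1) // 7 + 1)
    return None

def hanoi_tape(run, n_tapes=5):
    """Tape index for backup number 'run' (1-based): the count of trailing
    zero bits (0,1,0,2,0,1,0,3,...), so tape k is rewritten every 2**k runs
    and the highest tape absorbs all later multiples."""
    k = 0
    while run % 2 == 0:
        run //= 2
        k += 1
    return min(k, n_tapes - 1)

def hanoi_schedule(runs, n_tapes=5):
    return [hanoi_tape(i, n_tapes) for i in range(1, runs + 1)]

def oldest_copy_age(runs, n_tapes=5):
    """After 'runs' backups, how many runs ago was the oldest surviving
    copy written? Shows the retention a fixed number of tapes buys."""
    last_written = {}
    for i, tape in enumerate(hanoi_schedule(runs, n_tapes), start=1):
        last_written[tape] = i
    return runs - min(last_written.values())
```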
Fault Tolerance
• Fault tolerance is the ability of a system to sustain operations in the event of a component failure.
• Identifying single points of failure
◦ Servers
◦ Power supplies
◦ Fans
◦ Hard disks
• Two key components of fault tolerance: spare parts and electrical power. Spare-part strategies are N+1 and 1+1; electrical power is protected with a UPS and a backup generator.
Clustered Servers
• High availability clusters
◦ Clustering involves multiple systems connected together to provide fail-over capabilities.
• Load balancing clusters
◦ Install a service or application onto multiple servers that are configured to share the workload.
• Compute cycle clusters
Disk Fault Tolerance
• Redundant Arrays of Inexpensive Disks (RAID)
• Provides fault tolerance for disk failure/corruption
• Works by spreading data across multiple disks
• Many variants
RAID
• RAID 1: Disk Mirroring
• RAID 3: Disk Striping with a Parity disk
◦ allows any single disk in the array to fail while the system continues to operate
• RAID 5: Disk Striping with parity. Most common use. The parity is spread across all the disks.
• RAID is very useful, but it is NOT a replacement for backups
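The slide states that parity lets any single disk fail; the mechanism is that the parity block is the XOR of the data blocks in a stripe, so XOR-ing all surviving blocks gives back the missing one. This added example (not from the lecture) stripes constructed data across four simulated disks with a dedicated parity disk (RAID 3) or rotating parity (RAID 5), rebuilds a failed disk, and reads the data back. Note that it rebuilds only what is still on the surviving disks: a file deleted or corrupted by a user is faithfully lost on every disk, which is why RAID is not a backup.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is the parity block."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, v in enumerate(blk):
            out[i] ^= v
    return bytes(out)

def parity_disk(stripe_no, n_disks, rotate):
    """RAID 3 keeps parity on one dedicated disk; RAID 5 rotates it so no
    single disk becomes the write hot spot."""
    return (n_disks - 1 - stripe_no % n_disks) if rotate else n_disks - 1

def stripe(data, n_disks, block, rotate):
    """Write data across n_disks with one parity block per stripe.
    Returns a list of per-disk block lists (simulated disks)."""
    n_data = n_disks - 1
    chunks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    while len(chunks) % n_data:               # pad the last stripe
        chunks.append(b"\0" * block)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(chunks) // n_data):
        row = chunks[s * n_data:(s + 1) * n_data]
        row.insert(parity_disk(s, n_disks, rotate), xor_blocks(row))
        for d, blk in enumerate(row):
            disks[d].append(blk)
    return disks

def rebuild(disks, failed):
    """Reconstruct any one failed disk: the XOR of the survivors in each
    stripe equals the missing block, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def read_back(disks, rotate, length):
    """Reassemble the original data, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        p = parity_disk(s, n_disks, rotate)
        out += b"".join(disks[d][s] for d in range(n_disks) if d != p)
    return out[:length]
```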
Environmental Controls
• Power
• Fire suppression
• Climate
Power
• Uninterruptible Power Supplies (UPS)
• Generators
Power Issues
• Faults are momentary losses of power
• Blackouts are long-term losses of power
• Sags and brownouts are voltage drops
• Spikes and surges are voltage peaks
• Noise is fluctuating power
Fire Suppression
• Data center fires are often caused by electrical issues
• Water can damage electronic equipment, but is often the cheapest type of fire suppression
Water Fire Suppression Systems
• Wet pipe systems
• Dry pipe systems
• Deluge systems
• Reaction systems
Fire Extinguisher Classes
• Class A extinguishers use water or soda acid and are suitable for common combustibles
• Class B extinguishers use CO2, Halon substitutes, or soda acid for liquid fires
• Class C extinguishers use CO2 or Halon substitutes for electrical fires
• Class D extinguishers use dry powder for metal fires
Climate Control
• Temperature is critical in a data center
• Hot aisle/cold aisle
• Environmental monitoring