My CISM Notes

Uploaded by mfoster513

CISM

Course Outline (The 5 Domains)

1. Information Security Governance
2. Risk Management
3. Information Security Program Management
4. Information Security Management
5. Response Management

CISM Exam

1. ISACA (Offered only Three Times per Year)
2. International Standard / 200 questions / 4 hours limit / passing score is 450
3. The Breakdown
a. Domain 1 🡪 23 % or 46 questions
b. Domain 2 🡪 22 % or 44 questions
c. Domain 3 🡪 17 % or 37 questions
d. Domain 4 🡪 24 % or 48 questions
e. Domain 5 🡪 14 % or 28 questions

Module 1: Information Security Governance


1. Outline
a. Introduction to security concepts
b. How much is enough?
c. CIA triad
d. A secure network is ….. ?
e. Who can access what?
f. Secure Design
g. Cryptography basics
h. Responsibility
i. The Law
2. The role of information security within an organization
a. First priority is to support the mission of the organization.
b. How much security is enough?
c. Requires judgment based on risk tolerance of organization, cost and benefit
d. Role of the security professionals is that of a risk advisor, not a decision maker
3. Opposites of CIA
a. Definitions:
i. Disclosure
ii. Alteration
iii. Destruction
b. Best practices to protect CIA:
i. Separation of duties (SOD)
ii. Mandatory vacations
iii. Job rotation
iv. Least privilege
v. Need to know
vi. Dual control
4. Government and military data classification
a. Security Governance
b. Data Classification (Data labeling for the purpose of configuring baseline security based on value of
data) 🡪 3 Cs
i. Cost: value of the data
ii. Classify: criteria of classification (According to the value of data)
iii. Controls: determining the baseline security configuration for each
c. Considerations of asset valuation
i. What makes up the value of an asset?
ii. Value to organization.
iii. Loss if compromised.
iv. Legislative drivers.
v. Liabilities.
vi. Value to competitors.
vii. Acquisition costs.
viii. And many others.
d. classification types
i. Commercial (Private Sector)
1. confidential 🡪 Trade secret
2. Private 🡪 sales strategy
3. sensitive 🡪 salaries
4. public 🡪 information published on website
ii. Government and Military
1. Top secret 🡪 Grave Damage
2. Secret 🡪 Serious Damage
3. Confidential 🡪 Damage
4. sensitive but unclassified 🡪 No national damage (personal information)
5. unclassified 🡪 Not sensitive
5. Secure Network Design Concepts
a. Network Address Translation
i. NAT 🡪 one-to-one mapping
ii. PAT 🡪 multiple private IP addresses share the same public IP address
b. Virtual Private Networks
c. Firewalls 🡪 Allow/Block traffic based on its type
i. Types of firewalls
1. Stateless (Static packet filter) 🡪 filtering based on src/dest IP address or dest port
number.
2. Stateful 🡪 session table 🡪 who initiated the session? 🡪 Can block unsolicited
replies? 🡪 protocol anomaly firewalls
3. Application proxies / kernel proxies 🡪 make decisions on content, AD integration,
Time or certificates.
d. Virtual LANs 🡪 much cheaper than routers 🡪 multiple broadcast domains on a single switch
e. Secure Single Sign-on
f. Switches 🡪 help reduce collisions on the network
g. Routers 🡪 segment traffic into different networks 🡪 Isolate broadcast traffic (not natively done on a
switch)
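The stateless/stateful distinction in 5.c above is easiest to see in code. The block below is an added example (not from the notes): a constructed 10.0.0.0/24 internal network, a static packet filter that judges each packet on its own header fields, and a stateful filter that keeps a 5-tuple session table so it can admit replies to sessions an internal host started while refusing an unsolicited packet that looks identical. The addresses, ports and rule sets are all constructed for the demonstration; a real stateful firewall also tracks TCP flags and ages sessions out.

```python
from dataclasses import dataclass

# Constructed internal address space for the example (not from the notes).
INTERNAL_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFirewall:
    """Static packet filter: every packet is judged alone, on header fields only."""

    def __init__(self, inbound_allow_ports):
        self.inbound_allow_ports = set(inbound_allow_ports)

    def allow(self, pkt):
        if is_internal(pkt.src_ip):
            return True  # outbound traffic is permitted
        # Inbound: no memory of who started the conversation, so a reply to
        # an internal client and an unsolicited packet look identical here.
        return pkt.dst_port in self.inbound_allow_ports


class StatefulFirewall:
    """Keeps a session table; an inbound packet is admitted if it answers a
    session an internal host initiated, or matches an explicit inbound rule."""

    def __init__(self, inbound_allow_ports):
        self.inbound_allow_ports = set(inbound_allow_ports)
        self.sessions = set()  # 5-tuples of sessions initiated from inside

    def allow(self, pkt):
        if is_internal(pkt.src_ip):
            self.sessions.add(
                (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.sessions:
            return True  # solicited reply to a session we initiated
        return pkt.dst_port in self.inbound_allow_ports  # unsolicited: needs a rule


def run_scenario():
    """Constructed traffic: one outbound HTTPS request, its legitimate reply,
    and an unsolicited inbound packet crafted to look like a reply."""
    outbound = Packet("10.0.0.7", 51000, "203.0.113.9", 443)
    reply = Packet("203.0.113.9", 443, "10.0.0.7", 51000)
    unsolicited = Packet("198.51.100.4", 443, "10.0.0.7", 51000)
    traffic = (outbound, reply, unsolicited)
    results = {}
    # A stateless filter that lets replies in must open every ephemeral port,
    # which also lets the unsolicited packet through.
    permissive = StatelessFirewall(inbound_allow_ports=range(1024, 65536))
    results["stateless_permissive"] = [permissive.allow(p) for p in traffic]
    # A strict stateless filter blocks the unsolicited packet but also the reply.
    strict = StatelessFirewall(inbound_allow_ports=[])
    results["stateless_strict"] = [strict.allow(p) for p in traffic]
    # The stateful filter admits the reply and refuses the unsolicited packet.
    stateful = StatefulFirewall(inbound_allow_ports=[])
    results["stateful"] = [stateful.allow(p) for p in traffic]
    return results


if __name__ == "__main__":
    for name, decisions in run_scenario().items():
        print(f"{name:21} outbound/reply/unsolicited = {decisions}")
```

Each list holds the decisions for the outbound packet, its reply and the unsolicited packet in that order; only the stateful filter gets all three right.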
6. Securing the Local Area Networks
a. Single Sign On
i. pros and cons
1. pros
a. Ease of use for end users
b. Centralized control
c. Ease of administration
2. cons
a. Single point of failure
b. standards necessary
c. Keys to the kingdom
ii. Examples
1. Login scripts
2. Kerberos 🡪 a network authentication protocol 🡪 used in windows and Linux 🡪
never transfers passwords 🡪 avoids replay attacks 🡪 Kerberos components: KDC
(stores secret keys for principals – users or network services) / Tickets / TGS / AS /
Service tickets
3. LDAP
4. Sesame
7. Access Control Models
a. TCSEC
i. DAC (Discretionary Access Control)
1. Security of an object is at the owner’s discretion.
2. Granted through access control lists
3. Identity based
4. commercial products and client based systems
ii. MAC (Mandatory Access Control)
1. Data owners can’t grant access!
2. The OS makes the decision based on a security label system.
3. Subject’s label must dominate the object’s label.
4. Users and data are given a clearance level.
5. Rules for access are configured by the security officer and enforced by the OS.
b. Established Later
i. RBAC (Role-based Access Control)
1. Non DAC
2. Groups and Roles
c. IAAA of access controls
i. Identification
ii. Authentication
1. Proving the identity.
2. Types of authentication
a. Type 1 🡪 something you know
i. passwords
ii. passphrases
iii. cognitive passwords
iv. Best practices 🡪 password history / clipping level / password
expiry / not less than 8 characters / consider brute force and
dictionary attacks
b. Type 2 🡪 something you have
i. Tokens
ii. smart cards
iii. Memory cards
iv. hardware keys
v. certificates
vi. cookies
vii. cryptographic keys
c. Type 3 🡪 something you are
i. Biometrics
1. static (physiological) 🡪 fingerprint / retina / hand geometry
2. dynamic (behavioral) 🡪 voice / signatures
3. Accuracy
a. Type I error 🡪 FRR
b. Type II error 🡪 FAR
c. As FRR goes down, FAR goes up and vice versa.
d. CER (Crossover Error Rate) is the level at which FRR
and FAR meet. The lower the CER, the more
accurate the system.
e. Iris scans are the most accurate.
4. Biometric concerns
a. user acceptance 🡪 Time for enrollment and
verification
b. No way to revoke biometrics
c. cost/benefit analysis
d. Many users feel biometrics are intrusive 🡪 retina
scans can reveal health care information.
3. Strong authentication is the combination of 2 of these authentication types (2 factor
authentication).
iii. Authorization
1. Permissions.
2. Race condition 🡪 authorization before authentication.
iv. Accounting / Auditing
1. Logging and reviewing access to objects.
2. Auditing is a detective control.
8. Cryptography
a. Concepts
i. Algorithm (plain text + initialization vector + key) = cipher text
b. Types of cryptography
i. symmetric
1. One key for encryption and decryption. (secret /shared / private key)
2. very fast
3. Provides confidentiality. (protecting privacy data)
4. Drawbacks 🡪 out of band key exchange 🡪 not scalable : N*(N-1)/2 🡪 No
authenticity, integrity or non-repudiation (Non-repudiation = authenticity +
integrity)
ii. asymmetric
1. Public key for encryption and private key for decryption.
2. Very fast.
3. Security services 🡪 privacy, authenticity and non-repudiation
4. scalable
5. slow
6. Authenticity 🡪 Encryption with private key
c. Hybrid cryptography in SSL/TLS
d. Digital certificates
i. X.509 v.4 standard
ii. Provides authenticity of a server’s public key.
iii. Necessary to avoid MITM attacks with servers using SSL or TLS.
iv. Digitally signed by CA 🡪 Encrypting the certificate hash with the CA server private key.
9. Information security governance and the law
a. Liabilities: who is at fault?
i. Failure of management to execute due care and/or due diligence can be termed negligence.
ii. Prudent man rule
1. Due care 🡪 setting the policy.
2. Due diligence 🡪 enforcing the policy.
iii. Downstream liabilities
iv. Integrated technology with other companies can extend one’s responsibility outside the
normal bounds.
b. Legal Liability
c. Intellectual property
i. Intellectual property law
2. Protecting products of the mind.
2. Companies must take steps to protect resources covered by these laws or these laws
may not protect them.
ii. WIPO 🡪 the World Intellectual Property Organization.
iii. Licensing is the most prevalent violation, followed by plagiarism, piracy and corporate
espionage.
iv. Intellectual property protection
1. Trade secret
a. Resources must provide competitive value.
b. Must be reasonably protected from unauthorized use or disclosure.
c. Proprietary to a company and important for survival.
d. Must be genuine and not obvious.
2. Trademark
3. copyright
a. The lifetime of the author plus 70 years or 75 years for corporations.
b. Work doesn’t need to be registered or published to be protected.
c. Protects the expression of ideas rather than the ideas themselves.
d. Author to control how work is distributed, reproduced, and used.
e. Two limitations 🡪 First Sale / Fair Use
4. Patent
a. Valid for 20 years.
b. No organization enforces patents. It is up to the owner to pursue the patent
rights through the legal system.
5. Attacks on intellectual property
a. Piracy
b. Copyright infringement
c. counterfeiting
d. Dilution
e. Cybersquatting
f. Typosquatting
d. Export/Import Restrictions
i. Export Restrictions
ii. Import Restrictions
iii. International Issues
iv. Privacy issues – Employee monitoring
1. Local labor laws related to privacy can’t be violated.
2. Be mindful of the reasonable expectation of privacy (REP).
3. Notification of monitoring.
4. Monitor work-related events.
5. Four principles of privacy
a. Notice 🡪 Notify
b. Control 🡪 receive marketing solicitations or not?
c. Access 🡪 You have the opportunity to see what information has been
collected about you.
d. Security 🡪 No improper access to consumer information.
Module 2: Risk Management
1. An overview of Risk Management
a. Risk Management 🡪 Processes of identifying, analyzing, assessing, mitigating, or transferring risk.
b. Summary topic that includes all task-related actions.
c. Where do risks come from?
i. man made 🡪 Strikes / Fraud
ii. technical 🡪 Viruses / Power / Hardware Failures
iii. physical 🡪 Fire / Flood / Earthquake
2. Risk-related definitions
a. Risk Management
i. Risk Assessment
1. Identify and evaluate assets
2. Identify threats and vulnerabilities (PSE).
ii. Risk Analysis
1. Qualitative
2. Quantitative
iii. Risk Mitigation/Response
1. Reduce
2. Accept
3. Transfer
4. Avoid
5. Reject
iv. Ongoing controls Evaluation
b. Risk
c. Threat
d. Vulnerability
e. Exploit
f. Controls
i. Safeguards 🡪 Proactive
ii. Countermeasures 🡪 Reactive
g. Secondary Risk
h. Residual Risk
i. Fallback plan
j. Workaround
3. NIST 800-30 Risk Assessment
a. NIST 800-30 nine-step process:
i. System Characterization.
ii. Threat Identification.
iii. Vulnerability Identification.
iv. Control Analysis.
v. Likelihood Determination.
vi. Impact Analysis.
vii. Risk Determination.
viii. Control Recommendations.
ix. Results Documentation.
b. Risk Analysis
i. Qualitative
1. Subjective analysis to help prioritize probability and impact of risk events.
2. May use Delphi technique.
ii. Quantitative
1. Providing a dollar value to a particular risk event.
2. Much more sophisticated in nature.
3. Business decisions are made on quantitative analysis.
4. Can’t exist on its own. Quantitative analysis depends on qualitative information.

Asset        Asset Value   Threats    Exposure Factor   Single Loss Expectancy   Annualized Rate of Occurrence   Annualized Loss Expectancy
             (AV)                     (EF)              (SLE)                    (ARO)                           (ALE)
Asset Name   $             Threat X   %                 SLE = AV * EF ($)        0 < ARO < very large number     ALE = SLE * ARO ($)
                           Threat Y   %                 SLE = AV * EF ($)        0 < ARO < very large number     ALE = SLE * ARO ($)
                           Threat Z   %                 SLE = AV * EF ($)        0 < ARO < very large number     ALE = SLE * ARO ($)

Total Cost of Ownership (TCO) is the total cost of implementing a safeguard plus its yearly maintenance.

Return on Investment (ROI) is the amount of money saved by implementing a safeguard. ROI = ALE
(before) – ALE (after) – yearly TCO of the control 🡪 ROI has to be positive.

(ALE before implementing the control – ALE after implementing the control) should be > the
TCO 🡪 if the ROI is negative, it is a bad decision to implement the control (cost-benefit
analysis).

4. Additional Risk Terms
a. Total Risk
b. Residual Risk
c. Secondary Risk
d. Risk Calculations
i. Total Risk = Vulnerability * Asset Value * Threat
ii. Residual Risk = Total Risk * Control Gap
e. Risk must be managed, as it can’t be totally eliminated.
5. other costs associated with security
a. Performance
b. Ease of use
c. User Acceptance
d. Backward Compatibility
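The quantitative formulas in this module (SLE, ALE, ROI, total and residual risk) are worth running once with numbers. The block below is an added example, not part of the notes; the asset value, exposure factors, ARO values, control costs, vulnerability, threat and control-gap figures are all constructed, and the two candidate controls (A and B) are hypothetical.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF, where EF is the fraction of the asset lost in one event (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO; ARO is the expected number of events per year (may be < 1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def return_on_investment(ale_before, ale_after, yearly_tco):
    """ROI = ALE(before) - ALE(after) - yearly TCO of the control."""
    return ale_before - ale_after - yearly_tco


def evaluate_control(asset_value, ef_before, aro_before, ef_after, aro_after, yearly_tco):
    """Cost-benefit decision for one control: implement only if ROI is positive."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, ef_after), aro_after)
    roi = return_on_investment(ale_before, ale_after, yearly_tco)
    return {"ale_before": ale_before, "ale_after": ale_after,
            "roi": roi, "implement": roi > 0}


def total_risk(vulnerability, asset_value, threat):
    """Total Risk = Vulnerability * Asset Value * Threat (as in the notes)."""
    return vulnerability * asset_value * threat


def residual_risk(total, control_gap):
    """Residual Risk = Total Risk * Control Gap (the fraction the controls leave open)."""
    return total * control_gap


def worked_example():
    # Constructed figures: a $500,000 asset, 25% exposure per incident, one
    # incident every five years (ARO 0.2). Hypothetical control A cuts the ARO
    # to 0.02 for $10,000/yr; hypothetical control B does the same for $30,000/yr.
    control_a = evaluate_control(500_000, 0.25, 0.2, 0.25, 0.02, 10_000)
    control_b = evaluate_control(500_000, 0.25, 0.2, 0.25, 0.02, 30_000)
    # Constructed risk factors: vulnerability 0.6, threat 0.3, control gap 0.2.
    total = total_risk(0.6, 500_000, 0.3)
    return {"control_a": control_a, "control_b": control_b,
            "total_risk": total, "residual_risk": residual_risk(total, 0.2)}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

With these inputs the ALE falls from $25,000 to $2,500; control A returns $12,500 a year and is worth implementing, while control B, which buys the same risk reduction for $30,000, has a negative ROI and is not.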

Module 3: Security Architecture


1. An Overview of Information Security Program Management
a. Security Architecture (when designing a secure system)
i. Trusted Computing
1. Operating systems are often designed upon a ringed architecture to isolate
protection layers.
2. 4 Layers of Trust
a. Kernel 🡪 Ring 0 🡪 Very high privilege level 🡪 Trusted Computing Base (TCB)
b. Drivers 🡪 Ring 1 🡪 High privilege level
c. Drivers 🡪 Ring 2 🡪 Medium privilege level
d. Users App 🡪 Ring 3 🡪 Low privilege level
ii. Isolation
iii. Layering
iv. Boundaries
b. Vulnerabilities
i. Covert channels 🡪 Hidden means of communication
1. Storage 🡪 Data placed somewhere unexpected (Loki Attack)
2. Timing 🡪 Communication through modulation of resources.
ii. Maintenance Hooks 🡪 Allow easy access for programmers to access code. Must be
removed.
iii. TOC/TOU 🡪 A type of race condition that creates a variation between when a file is verified
and when it is used.
iv. A system must be designed to fail in such a way that its resources are secure
1. Secure state model 🡪 the system is secure at all its states.
2. Fail secure 🡪 Fail safe
3. Maintenance mode
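The TOC/TOU race in 1.b.iii above is a concrete code pattern, not just a definition. The block below is an added example (not from the notes) for a POSIX system: a check-then-use routine that validates a path by name and then opens it, with a simulated attacker swapping the name for a symlink inside the window, beside a hardened version that opens first (refusing to follow symlinks) and checks the descriptor it actually holds, so there is no window between verification and use. The file names and contents are constructed; the `between_check_and_use` hook exists only to make the race deterministic.

```python
import os
import stat
import tempfile


def read_if_regular_vulnerable(path, between_check_and_use=lambda: None):
    """Check-then-use on the path NAME: the name is verified, time passes, and
    then whatever the name resolves to at open() time is read."""
    if os.path.islink(path) or not os.path.isfile(path):
        raise PermissionError("refusing symlink or non-regular file")
    between_check_and_use()  # the TOC/TOU window
    with open(path, "rb") as f:
        return f.read()


def read_if_regular_hardened(path, between_check_and_use=lambda: None):
    """Open first without following symlinks, then verify the object actually
    opened through its descriptor; the check and the use refer to the same object."""
    between_check_and_use()  # the attacker may still swap the name before open()
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # OSError if path is a symlink
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:  # fdopen takes ownership of the descriptor
        return f.read()


def demo():
    """Constructed scenario: a public file is replaced by a symlink to a secret
    file inside the race window. Returns what each version did."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(secret, "wb") as f:
            f.write(b"SECRET")

        def reset():  # restore public.txt as an ordinary regular file
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"public data")

        def swap():  # simulated attacker winning the race
            os.remove(public)
            os.symlink(secret, public)

        reset()
        leaked = read_if_regular_vulnerable(public, swap)   # reads the secret
        reset()
        normal = read_if_regular_hardened(public)           # no race: normal read
        reset()
        try:
            read_if_regular_hardened(public, swap)
            blocked = False
        except OSError:  # PermissionError is a subclass of OSError
            blocked = True
        return {"vulnerable_leaked_secret": leaked == b"SECRET",
                "hardened_normal_read": normal == b"public data",
                "hardened_blocked_swap": blocked}


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened version never trusts a name twice: `O_NOFOLLOW` stops the open from being redirected, and `fstat` on the descriptor checks the object that was opened rather than the one that existed when a separate check ran.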
2. Security Models
a. State machine models
b. ** The Bell-LaPadula Model
i. Focuses on data confidentiality.
ii. Built on the concept of state machine.
iii. Has 3 rules :
1. Simple security property 🡪 No read up
2. *-Security property (star property) 🡪 No write down
3. Strong * Property 🡪 No read/write up or down
c. ** The Biba Model
i. Focuses on data integrity.
ii. Has 3 rules:
1. Simple integrity axiom 🡪 No read down
2. * Integrity axiom 🡪 No write up
3. Invocation property 🡪 a subject cannot invoke subjects at a higher integrity level.
d. The Clark-Wilson Model
i. Focuses on data integrity.
ii. commercial model
iii. enforces well-formed transactions through the use of the access triple: User 🡪 Transformation
Procedure (TP) 🡪 CDI (Constrained Data Item)
iv. Deals with all 3 integrity goals 🡪 Separation of duties
1. Prevents unauthorized users from making modifications.
2. Prevents authorized users from making improper modifications.
3. Maintain internal and external consistency – reinforces separation of duties.
e. The Brewer and Nash model 🡪 Chinese wall
i. commercial
ii. database control
f. The Information flow model
i. Hold data in distinct compartments.
ii. Seeks to eliminate covert channels.
iii. Ensures that information always flows from a low security level to a higher security level and
from a high integrity level to a low integrity level.
iv. Data is compartmentalized based on classification and the need to know.
g. The Non-Interference model
i. Ensures that actions at a higher security level do not interfere with the actions at a lower
security level.
ii. The goal of this model is to protect the state of an entity at the lower security level by
actions at the higher security level so that data doesn’t pass through covert or timing
channels.
h. The Lattice model
i. Protect confidentiality.
ii. Consists of a set of objects constrained between the least upper bound and the greatest
lower bound values.
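The Bell-LaPadula and Biba rules in 2.b and 2.c are easy to get backwards, so here they are as executable checks. This is an added example, not part of the notes: the clearance and integrity orderings are constructed lattices (a total order is enough to show the rules), and the decision table enumerates every subject/object pair so the "no read up / no write down" and "no read down / no write up" symmetry can be inspected directly.

```python
# Constructed label orderings: a higher number dominates a lower one.
CLEARANCE = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}


def dominates(levels, a, b):
    """True when label a is at or above label b in the given ordering."""
    return levels[a] >= levels[b]


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up  (subject must dominate object)
    write: *-property,               no write down (object must dominate subject)"""
    if op == "read":
        return dominates(CLEARANCE, subject, obj)
    if op == "write":
        return dominates(CLEARANCE, obj, subject)
    raise ValueError(op)


def blp_strong_star_allows(subject, obj):
    """Strong *-property: read and write only at the subject's own level."""
    return CLEARANCE[subject] == CLEARANCE[obj]


def biba_allows(subject, obj, op):
    """Biba (integrity).
    read : simple integrity axiom, no read down (object must dominate subject)
    write: *-integrity axiom,      no write up  (subject must dominate object)"""
    if op == "read":
        return dominates(INTEGRITY, obj, subject)
    if op == "write":
        return dominates(INTEGRITY, subject, obj)
    raise ValueError(op)


def biba_invoke_allows(caller, callee):
    """Invocation property: a subject may not invoke a subject of higher integrity."""
    return dominates(INTEGRITY, caller, callee)


def decision_table():
    """Every (subject, object) pair for both models: (model, subject, object, read, write)."""
    rows = []
    for s in CLEARANCE:
        for o in CLEARANCE:
            rows.append(("BLP", s, o, blp_allows(s, o, "read"), blp_allows(s, o, "write")))
    for s in INTEGRITY:
        for o in INTEGRITY:
            rows.append(("Biba", s, o, biba_allows(s, o, "read"), biba_allows(s, o, "write")))
    return rows


if __name__ == "__main__":
    for model, s, o, r, w in decision_table():
        print(f"{model:4} subject={s:13} object={o:13} read={r!s:5} write={w!s:5}")
```

Reading the table, a "secret" subject under BLP may read "confidential" but not write to it, and may write to "top secret" but not read it; Biba gives the mirror image for integrity levels.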
3. Evaluation Criteria 🡪 How to evaluate the system we built?
a. TCSEC 🡪 The Orange Book
i. Trusted Computer System Evaluation Criteria
1. Trust vs. Assurance
a. Trust 🡪 what the product does? – The function of the product.
b. Assurance 🡪 The reliability of the product.
2. D Minimal Protection
3. C1, C2 Discretionary Protection 🡪 The higher the number, the greater the security
4. B1, B2, B3 Mandatory Protection 🡪 The higher the number, the greater the security
5. A1 Verified Protection
ii. ITSEC
1. Function vs. Assurance
b. Common Criteria
c. CMMI
d. IDEAL Model
4. Additional Evaluation Criteria
a. Common Criteria (ISO 15408)
i. Protection Profile
ii. Target of Evaluation
iii. Security Target
iv. Security Packages
v. EAL Rating
b. Capability Maturity Model Integration (CMMI)
i. Level 1 🡪 Initiating
ii. Level 2 🡪 Repeatable
iii. Level 3 🡪 Defined
iv. Level 4 🡪 Managed
v. Level 5 🡪 Optimized
c. Certification and Accreditation
i. NIACAP
1. Certification 🡪 Technical evaluation of the security components of a system in a
particular environment.
2. Designed to ensure that all national security systems meet the requirements for
certification and accreditation.
3. Main document 🡪 SSAA
ii. DIACAP
1. Certification/Accreditation process for all DoD-owned and/or controlled information
systems.
2. Baseline DoD Information Assurance Controls.
3. Main document
a. POA&M
b. DIACAP SCORECARD
iii. RMF (Risk Management Framework)
1. System Security Plan (SSP)
2. Statement of Records Notice (SORN)
3. Minimum Security Baseline (MSB)
4. POA&M (Plan of Action and Milestones)
5. Technical Project Management
a. The project management lifecycle consists of the following:
i. Initiating
ii. Planning
iii. Execution
iv. Collection “actuals”
v. Monitoring and Controlling
vi. Closing
b. Key documents in project management
i. Project charter
ii. PM Plan
iii. Scope statement
iv. Work breakdown structure
v. Scope, schedule and cost baselines
vi. Stakeholder register
vii. Risk register
viii. Quality Baseline
ix. Schedule
x. Budget
xi. Resource Assignments
xii. Gantt and PERT charts
xiii. Numerous others

Module 4: Information Security Management


1. An Overview of Information Security Management
a. As defined by ISACA the goal of this domain is to oversee and direct information security activities to
execute the information security program.
b. Procurements and Contracts
i. Managing outside services 🡪 Develop and follow a set of procedures and standards that is
consistent with the business organization’s overall procurement process and acquisition
strategy to acquire IT-related infrastructure, facilities, hardware, software and services
needed by the business.
ii. NSA/CSS (Circular NO. 500R)
iii. SA-CMM (Software Acquisition Capability Maturity Model)
1. Same concept as CMMI
2. Five phases of maturity
a. Initial
b. Repeatable
c. Defined
d. Quantified
e. Optimized
iv. OSD Acquisition Reform
v. Contracts
1. Legally binding agreement between parties.
2. should be in writing and modified in writing
3. Five elements necessary for a contract to be legally binding.
a. competency/capacity
b. consideration
c. offer
d. legal
e. Acknowledgement
4. Breaches are violations of contract.
5. Damages are often awarded in response to a breach of contract.
vi. SLAs
1. Usually a legally binding contract that offers guarantees usually centering on
performance and reliability of procured systems, as well as response times from the
vendor.
2. Could also be used internally from department to department.
3. A form of risk transference.
4. Metrics should be clearly defined in the SLA.
5. Usually offer some sort of financial compensation if the metrics are not met.
c. Configuration Management and change control
i. Configuration Management
1. ISC2 🡪 The process of identifying and documenting hardware components, software
and the associated settings.
2. The goal is to move beyond the original design to a hardened, operationally sound
configuration.
3. Identifying, controlling, accounting for and auditing changes made to the baseline
TCB.
4. These changes came about as we perform system hardening tasks to secure a
system.
5. Will control changes and test documentation through the operational life cycle of a
system.
6. Implemented hand in hand with change control.
7. Essential to disaster recovery.
8. configuration management documentation
a. Make
b. Model
c. MAC Address
d. Serial Number
e. Operating system/firmware version
f. Location
g. BIOS or other passwords
h. Permanent IP if applicable
i. Organizational department label
9. System Hardening and Baselining
a. Removing unnecessary services.
b. Installing the latest services pack and patches.
c. Renaming default accounts.
d. Changing default settings.
e. Enable security configuration like auditing, firewalls and etc.
f. Don’t forget physical security.
ii. Change Management
1. Directive, administrative control that should be incorporated into organizational
policy.
2. The formal review of all process changes—no “on-the-fly” changes.
3. Only approved changes will be implemented.
4. The ultimate goal is system stability.
5. Periodic reassessment of the environment to evaluate the need for
upgrades/modifications.
6. The change management process
a. Request submittal
b. Risk/Impact Assessment
c. Approval or rejection of change
d. Testing
e. Scheduling/User Notification/Training
f. Implementation
g. Notification
h. Documentation
7. Patch Management
a. An essential part of configuration and change management.
b. May come as a result of vendor notification or pen testing.
c. cve.mitre.org (Common Vulnerability and Exposures) database provides
standard conventions for known vulnerabilities.
d. nvd.nist.gov (National Vulnerability Database) enables automation of vulnerability
management, security measurement, and compliance. NVD includes databases of security
checklists, security-related software flaws, incorrect configurations, product
names, and impact metrics.
e. www.cert.gov: Online resource concerning common vulnerabilities and
attacks.
d. Monitoring and Audit
i. Violation analysis
1. First step of any incident response should always include violation analysis.
2. Has an actual security incident transpired, or do we simply have abnormal system
activity?
3. Is this event malicious or accidental?
4. Is it internal/external?
5. What is the scope of the incident?
ii. Auditing
1. Security Review
a. conducted by system maintenance or security personnel
b. Goal is to determine vulnerabilities within a system. Also known as a
vulnerability assessment.
c. Security review/vulnerability assessments and penetration testing
i. vulnerability assessment 🡪 looks for known weaknesses
1. physical/administrative/logical
2. identify weaknesses
ii. penetration testing
1. Ethical hacking to validate discovered weaknesses
2. Red Teams (Attack)/Blue Teams (Defend)
3. Steps
a. Discovery
b. Enumeration
c. Vulnerability mapping
d. Exploitation
e. Reporting
4. Degree of knowledge
a. Zero knowledge 🡪 Black box testing 🡪 this
simulates external attack.
b. Partial Knowledge 🡪 Gray box testing
c. Full Knowledge 🡪 white box testing 🡪 this simulates
internal attack.
5. Overt or Covert Testing
a. Blind
b. Double Blind 🡪 the pen test is conducted without the security
team knowing, in order to test their response.
c. Targeted 🡪
6. Testing Guidelines
a. Reasons for evaluating an organization’s systems
i. Risk analysis
ii. certification
iii. accreditation
iv. security architectures
v. policy development
b. Develop a cohesive, well-planned, and operational
security testing program.
7. Why are penetration tests successful?
a. Lack of awareness
b. Policies not enforced
c. Procedures not followed
d. Disjointed operations between departments
e. Systems not patched
8. Penetration testing goals
a. Check for unauthorized hosts connected to the
organization’s network.
b. Identify vulnerable services.
c. Identify deviations from the allowed services
defined in the organization’s security policy.
d. Assist in the configuration of the IDS.
e. Collect forensics evidence.
9. Penetration Testing Issues
a. Three basic requirements:
i. Defined goal, which should be clearly
documented.
ii. Limited timeline outlined.
iii. Approved by senior management; only
management should approve this type of
activity.
b. Issue: it could disrupt productivity and systems
c. Overall purpose is to determine subject’s ability to
withstand an attack and determine effectiveness of
current security measures.
d. Tester should determine effectiveness of safeguards
and identify areas of improvement. ***Testers
should not be the one suggesting remediation. This
violates separation of duties***
10. Roles and responsibilities
a. Approval for the tests may need to come from as
high as CIO.
b. Customary for the testing organization to alert other
security officers, management, and users.
c. Avoid confusion and unnecessary expense.
d. In some cases, it may be wise to alert local law
enforcement officials.
11. Rules of engagement
a. Specific IP addresses/ranges to be tested.
i. Any restricted hosts.
b. A list of acceptable testing techniques.
c. Times when testing is to be conducted.
d. Points of contact for the penetration testing team,
the targeted systems, and the networks.
e. Measures to prevent law enforcement being called
with false alarms.
f. Handling of information collected by penetration
testing teams.
12. Types of penetration tests
a. physical security
i. access into building or department
ii. Wiring closets, locked file cabinets, offices,
server room, sensitive areas.
iii. Remove materials from the building.
b. administrative security
i. Help desk giving out sensitive information,
data on disposed disks.
c. logical security
i. Attacks on systems, networks,
communication
13. Approaches to testing
a. Do not rely on single method of attack
i. Get creative
b. Path of least resistance
i. Easiest route to valuable data, maybe not
through the firewall but hanging modem
c. Break the rules
i. Even if a company follows its own policy,
standards and procedures, it does not mean
that there are no vulnerabilities.
ii. Attempt things not expected.
d. Don’t rely exclusively on high-tech tools.
i. Dumpster diving
e. Stealth methods may be required.
f. Do not damage systems or data.
g. Do not overlook small weaknesses in search of the
big ones.
h. Have a toolkit of techniques.
iii. NIST SP (special publications) 800-42 guideline on security testing
2. Security audits
a. conducted by 3rd party
b. determines the degree to which required controls are implemented
iii. Audit trails
iv. Problem management
e. Security Testing
f. Knowledge Transfer
i. End users should understand policies and procedures as well as why they are important and
why we put them in place.
ii. Training 🡪 classroom, online, CBT
iii. Awareness 🡪 Posters, memos, security mindedness
iv. Education 🡪 making resources available / Encouraging certification and skill enhancement

Module 5: Incident Response and Business Continuity


1. An Overview of Information Security Program Management
a. The goal of this domain is to develop and prepare the ability to plan, respond and recover from
disruptive events affecting our information assets.
b. Intrusion Detection
c. Incident Response
d. Business Continuity Planning and Disaster Recovery
2. IDS/IPS
a. IPS 🡪 Proactive
b. IDS 🡪 Reactive
i. Used to detect attacks.
ii. Software is used to monitor a network segment or an individual computer.
iii. Dynamic in nature.
iv. 2 main types
1. network-based 🡪 packet sniffer + analysis engine
2. host-based 🡪 local host only
v. protocol analyzers (sniffers) and IDS
1. Promiscuous mode (NIC)
2. Switching can affect packet capture; the solution is a SPAN (port mirroring) port.
c. Most systems today are IDS/IPS
3. Security Incident Response
a. Security Incident Response
i. Event 🡪 Negative occurrence that can be observed, verified and documented.
ii. Incident 🡪 Series of events that has a negative impact on the company and its security 🡪
malicious cyber-attack.
iii. Incident Response focuses on containing the damage of an attack and restoring normal
operations.
iv. Investigations focuses on gathering evidence of an attack with the goal of prosecuting the
attacker.
v. Framework should include:
1. Response Capability 🡪 Incident Response Considerations
a. Items the computer incident response team must have at its disposal.
b. List of outside agencies and resources to contact or report to.
c. Computer Emergency Response Team (CERT).
d. List of computer or forensics experts to contact.
e. Steps on how to secure and preserve evidence.
f. Steps on how to search for evidence.
g. List of items that should be included on the report.
h. A list that indicates how the different systems should be treated in this type
of situation.
2. Incident Response and handling.
3. Recovery and feedback.
a. Recovery and Repair 🡪 Restoration of the system to operations. Remember,
it does no good to restore the system to its original state; it must be given
greater security, or it will fall prey to the same attack again.
b. Provide Feedback 🡪 One of the most important steps. Document,
Document, Document!
b. Computer Forensics
i. Computer Forensics 🡪 The discipline of using proven methods toward the collection,
preservation, validation, identification, analysis, interpretation, documentation and
presentation of digital evidence.
ii. IOCE and SWGDE are two entities that provide forensics guidelines and principles as follows
1. All forensics principles must be applied to digital evidence.
2. Evidence should not be altered as a result of collection.
3. If a person is to access original data evidence, that person must be trained for such
purpose.
4. All activity relating to the seizure, access, storage, and transfer of digital evidence
must be fully documented and available for review.
5. An individual is responsible for actions affecting digital evidence while that evidence
is in their possession.
6. Any entity is responsible for compliance with these principles.
iii. Five Rules of digital evidence (Digital evidence must be)
1. Authentic
2. Accurate
3. Complete
4. Convincing
5. Admissible
iv. The forensics investigation process
1. Identification 🡪 Locard’s principle of exchange: when a crime is committed, the
attacker takes something and leaves something behind. What they leave behind can
help us identify aspects of the responsible party.
2. Preservation
a. Chain of custody must be well documented.
i. A history of how the evidence was
1. Collected
2. Analyzed
3. Transported
4. Preserved
ii. Necessary because digital evidence can be manipulated so easily.
b. Hashing algorithms are used to show the integrity of the evidence has not
been modified by the investigation process.
3. Collection
a. Minimize handling/corruption of evidence.
b. Keep detailed logs of your actions.
c. Comply with the 5 rules of digital evidence.
d. Do not exceed your knowledge.
e. Follow organization’s security policy.
f. Capture an accurate image of the system.
g. Ensure actions are repeatable.
h. Work fast (Digital evidence may have a short lifespan).
i. Work from volatile to persistent evidence.
j. Do not run any programs or open any files on the infected system until a
forensic copy of the disk has been made.
k. Steps to evidence collection:
i. Photographs area, record what is on the screen.
ii. Dump contents from memory.
iii. Power down system.
iv. Photograph inside of system.
v. Label each piece of evidence.
vi. Record who collected what and how.
vii. Have a legal department and possibly human resources involved.
l. The fourth amendment protects against illegal search and seizure.
m. Exceptions to previous statement
i. Private Citizen not subject to fourth amendment rules unless acting
as a police agent.
ii. Citizen may be subject to restrictions of electronic communications
privacy act.
n. Computer evidence can be obtained by law enforcement only through:
i. Subpoena
ii. Search warrant
iii. Voluntary consent
iv. Exigent circumstances
4. Examination
a. Look for signatures of known attacks.
b. Review audit logs.
c. Hidden data recovery.
5. Analysis
a. Primary image (original) vs. working image (copy)
b. Working image should be a bit by bit copy of original.
c. Both copies must be hashed and the working copy should be write-protected.
d. What is the root cause?
e. What files were altered/installed?
f. What communications channels were opened?
6. Presentation
a. Interpreting the results of the investigation and presenting the findings in an
appropriate format.
b. Documentation
c. Expert Testimony
7. Decision (What are the results of the investigation?)
a. Suspects?
b. Corrective actions?
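The preservation, collection and analysis notes above (hash the evidence, keep a bit-by-bit working copy, record who collected what and how) can be put together in a small script. This is an added example written for these notes, not course material: the "disk image" is a constructed byte string standing in for a real device, and the helper names (hash_stream, CustodyLog, acquire_working_image) are this example's own. It shows the check an examiner relies on: the primary and working images hash identically right after acquisition, and any later change to the working copy (for instance a tool writing to an unprotected image) is caught by re-hashing against the custody log.

```python
"""Hash-verified forensic imaging with a chain-of-custody log.

Added example for these notes (not course material). The image bytes and
custody entries are constructed sample data; helper names are assumptions.
"""
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a seized disk: a few KiB of bytes instead of a device.
PRIMARY_IMAGE = bytes(range(256)) * 64 + b"suspicious-config=1\n"


def hash_stream(stream, chunk_size: int = 4096) -> str:
    """SHA-256 of a file-like object, read in chunks so real images fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def hash_bytes(data: bytes) -> str:
    return hash_stream(io.BytesIO(data))


def acquire_working_image(primary: bytes) -> bytes:
    """Bit-by-bit copy of the primary image (stands in for a dd-style acquisition)."""
    return bytes(primary)


@dataclass
class CustodyEntry:
    item: str       # evidence label, e.g. "disk-001-primary"
    action: str     # seized / imaged / examined ...
    handler: str    # who collected or handled it
    sha256: str     # hash at the time of the action
    timestamp: str  # UTC, ISO 8601


@dataclass
class CustodyLog:
    entries: list = field(default_factory=list)

    def record(self, item: str, action: str, handler: str, data: bytes) -> CustodyEntry:
        """Log who did what to an item, together with its hash at that moment."""
        entry = CustodyEntry(item, action, handler, hash_bytes(data),
                             datetime.now(timezone.utc).isoformat())
        self.entries.append(entry)
        return entry

    def verify(self, item: str, data: bytes) -> bool:
        """True only if the item's current hash matches every hash ever logged for it."""
        logged = [e.sha256 for e in self.entries if e.item == item]
        current = hash_bytes(data)
        return bool(logged) and all(h == current for h in logged)


def images_match(primary: bytes, working: bytes) -> bool:
    """The analysis-phase check: primary and working image must hash identically."""
    return hash_bytes(primary) == hash_bytes(working)


def demo() -> tuple:
    """Returns (match right after imaging, custody check after an accidental write)."""
    log = CustodyLog()
    log.record("disk-001-primary", "seized", "examiner A", PRIMARY_IMAGE)
    working = acquire_working_image(PRIMARY_IMAGE)
    log.record("disk-001-working", "imaged", "examiner A", working)
    ok_after_imaging = images_match(PRIMARY_IMAGE, working)

    # Simulate an analysis tool writing to a working copy that was not write-protected.
    tampered = bytearray(working)
    tampered[0] ^= 0xFF
    ok_after_write = log.verify("disk-001-working", bytes(tampered))
    return ok_after_imaging, ok_after_write


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The log stores the hash with each custody action, so "who collected what and how" and "has it changed since" are answered from the same record; in practice the primary image is hashed once at seizure and then locked away, and every later comparison is made against the working copy.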
v. Evidence Life cycle
1. Evidence life cycle
a. Collection and identification
b. Analysis
c. Storage, preservation, transportation
d. Present in court
e. Return to victim (owner)
2. Integrity and authenticity of evidence must be preserved throughout the life cycle.
vi. Controlling the crime scene
1. The scene of the crime should be immediately secured with only authorized
individuals allowed in.
2. Document, document, and document: the integrity of the evidence could be called
into question if it is not properly documented.
a. Who is at the crime scene, who has interacted with the systems, and to what
degree. Any contamination at the crime scene must also be documented
(contamination does not always negate the evidence).
3. Logs should be kept detailing all activities. In most instances, an investigator’s
notebook is not admissible as evidence; however, the investigator can refer to it
during testimony.
4. Business continuity and disaster recovery
a. BCP vs. DRP
i. BCP 🡪 Focuses on sustaining operations and protecting the viability of business following a
disaster, until normal business conditions can be restored. The BCP is an “umbrella” term
that includes many other plans including the DRP. Long term focused.
ii. DRP 🡪 Goal is to minimize the effects of a disaster and to take the necessary steps to ensure
that the resources, personnel and business processes are able to resume operations in a
timely manner. Deals with the immediate aftermath of the disaster, and is often IT focused.
Short Term focused.
b. BCP relationship to risk management
i. Potential Risks (Natural/Human/Technological) 🡪 Risk Assessment
(Natural/Human/Technological) 🡪 Security Controls (Management Controls/Operational
Controls/Technical Controls) 🡪 Residual Risks (Natural/Human/Technological) 🡪
Contingency Plan (Scope: Hurricane – operator error – hardware failure – data corruption)
c. Mitigate risks
i. Reduce negative effects:
1. Life safety is the number 1 priority!
2. Reputation is the second most important asset of an organization. Though specific
systems are certainly essential, don’t forget to focus on the big picture: protect the company
as a whole.
d. Business Continuity planning
i. Disaster recovery and continuity planning deal with uncertainty and chance
1. Must identify all possible threats and estimate possible damage.
2. Develop viable alternatives.
ii. Threat Types
1. Man-made 🡪 strikes, riots, fires, terrorism, vandals
2. Natural 🡪 Tornado, flood, earthquake
3. Technical 🡪 power outage, device failure, loss of a T1 line
iii. Categories of disruptions (Companies should understand and be prepared for each category)
1. Non-disaster: an inconvenience (e.g., a hard drive failure)
a. Disruption of service
b. Device malfunction
2. Emergency/crisis
a. Urgent, immediate event where there is the potential for loss of life or
property.
3. Disaster
a. Entire facility unusable for a day or longer.
4. Catastrophe
a. Destroys facility
e. ISO 27031 (For your information 🡪 Not testable)
i. Approved in 2011
ii. Provides a standard that didn’t exist previously
iii. Will solve the issues of inconsistency in terms, definitions and documents (so for now, there
may be inconsistencies on the exam. Look for concepts more than specific terms)
iv. Until this ISO standard is included on the test, the following institutes will provide guidance
on BCP/DRP:
1. DRII (Disaster Recovery Institute International)
2. NIST 800-34
3. BCI GPG (Business Continuity International Good Practice Guidelines)
5. Business Continuity Plan sub-plans (NIST 800-34)
a. BCP
i. BRP (Business Recovery Plan)
1. Purpose 🡪 provide procedures for recovering business operations immediately
following a disaster.
2. Scope 🡪 Addresses business processes; not IT-focused; IT addressed based only on
its support for business process.
ii. COOP (Continuity of Operations Plan)
1. Purpose 🡪 provide procedures and capabilities to sustain an organization’s essential,
strategic functions at an alternate site for up to 30 days. This term is sometimes
used in US government to refer to the field of business continuity management, but
per NIST 800-34, it is a unique sub-plan of the BCP. **Note, BCP addresses all
business processes, not just mission critical.
2. Scope 🡪 Addresses the subset of an organization’s missions that are deemed most
critical; usually written at headquarters level; not IT-focused.
iii. Continuity of support plan/IT contingency plan
1. Purpose 🡪 Provide procedures and capabilities for recovering a major application or
general support team.
2. Scope 🡪 Same as IT contingency plan; addresses IT system disruptions; not business
process focused.
iv. Crisis communication plan
1. Purpose 🡪 Provides procedures for disseminating status reports to personnel and
the public.
2. Scope 🡪 Addresses communications with personnel and the public; not IT focused.
v. Cyber incident response plan
1. Purpose 🡪 Provide strategies to detect, respond to, and limit consequences of
malicious cyber incident.
2. Scope 🡪 Focuses on information security responses to incidents affecting systems
and/or networks.
vi. DRP (Disaster Recovery Plan)
1. Purpose 🡪 Provide detailed procedures to facilitate recovery of capabilities at an
alternate site.
2. Scope 🡪 Often IT-focused; limited to major disruptions with long-term effects.
vii. OEP (Occupant Emergency Plan)
1. Purpose 🡪 Provide coordinated procedures for minimizing loss of life or injury and
protecting property from damage in response to a physical threat.
2. Scope 🡪 Focuses on personnel and property particular to the specific facility; not
business process or IT system functionality based. May also be referred to as a crisis
or incident management plan. However, the OEP concept should be recognizable as
the “initial response to the emergency event”.
b. 7 phases of business continuity plan
i. Phases of plan
1. Project initiation
a. Obtain senior management’s support
b. Secure funding and resource allocation
c. Name BCP coordinator/Project manager
d. Develop project charter
e. Determine scope of the plan
f. Select members of the BCP team
2. Business impact analysis (BIA)
a. Initiated by BCP committee
b. Identifies and prioritizes all business processes based on criticality
c. Addresses the impact on the organization in the event of the loss of a
specific service or process.
i. Quantitative
ii. Qualitative
d. Establish key metrics for use in determining appropriate counter-measures
and recovery strategy
e. Importance (relevance) vs. Criticality (downtime)
i. The auditing department is certainly important, though not usually
critical. The BIA focuses on criticality.
f. Key metrics to establish
i. Service level objectives
ii. RPO (Recovery Point Objective)
iii. MTD (Maximum Tolerable Downtime)
1. RTO 🡪 Recovery Time Objective
2. WRT 🡪 Work Recovery Time
iv. MTBF 🡪 Mean Time Between Failures / MTTR 🡪 Mean Time To
Repair / MOR 🡪 Minimum Operating Requirements
g. Management should establish recovery priorities for business processes that
identify:
i. Essential personnel
1. Succession plans
2. MOAs/MOUs (Memorandums of agreement/understanding)
ii. Technologies
iii. Facilities
iv. Communications Systems
v. Vital records and data
h. Results of the BIA
i. Should contain:
1. All identified business processes and assets, not just those
considered critical.
2. The impact the company can handle for each risk.
3. Outage times that would be critical vs. those that would not
be critical.
4. Preventive controls.
ii. Document and present to management for approval.
iii. Results are used to create recovery plans.
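The BIA metrics above (MTD with RTO and WRT beneath it, RPO, MTBF/MTTR) are easiest to see as a small gap analysis run over a list of processes. This is an added example for these notes, not course material: the four processes and their hour values are constructed sample data, and the relationship MTD = RTO + WRT (restore the systems, then verify data and resume business work) and availability = MTBF / (MTBF + MTTR) are standard BIA definitions used here as assumptions rather than quoted from the notes. The ranking is by MTD, i.e. by criticality (downtime), which is why the audit department lands last even though it is important.

```python
"""BIA metric gap analysis over constructed sample processes.

Added example for these notes (not course material). Process names and all
hour values are constructed; MTD = RTO + WRT and MTBF/(MTBF+MTTR) are
standard definitions assumed here.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    mtd_h: float               # Maximum Tolerable Downtime, hours
    rto_h: float               # Recovery Time Objective: systems back at alternate site
    wrt_h: float               # Work Recovery Time: verify data, resume business work
    rpo_h: float               # Recovery Point Objective: max acceptable data loss, as time
    backup_interval_h: float   # how often data actually reaches the offsite copy


def mtd_satisfied(p: Process) -> bool:
    """Recovery strategy is viable only if RTO + WRT fits inside MTD."""
    return p.rto_h + p.wrt_h <= p.mtd_h


def rpo_satisfied(p: Process) -> bool:
    """Data loss stays within RPO only if backups run at least that often."""
    return p.backup_interval_h <= p.rpo_h


def criticality_rank(processes: list) -> list:
    """Shortest MTD first: the BIA prioritises by criticality, not importance."""
    return [p.name for p in sorted(processes, key=lambda p: p.mtd_h)]


def gaps(processes: list) -> list:
    """(process, finding) pairs where the current strategy misses a BIA metric."""
    findings = []
    for p in processes:
        if not mtd_satisfied(p):
            findings.append((p.name, "RTO+WRT exceeds MTD"))
        if not rpo_satisfied(p):
            findings.append((p.name, "backup interval exceeds RPO"))
    return findings


def availability(mtbf_h: float, mttr_h: float) -> float:
    """Steady-state availability from Mean Time Between Failures and Mean Time To Repair."""
    return mtbf_h / (mtbf_h + mttr_h)


# Constructed sample BIA figures (hours).
SAMPLE = [
    Process("order-processing", mtd_h=8,   rto_h=4,  wrt_h=2, rpo_h=1,   backup_interval_h=0.25),
    Process("payroll",          mtd_h=72,  rto_h=24, wrt_h=8, rpo_h=24,  backup_interval_h=24),
    Process("internal-audit",   mtd_h=240, rto_h=48, wrt_h=8, rpo_h=24,  backup_interval_h=168),
    Process("web-storefront",   mtd_h=4,   rto_h=4,  wrt_h=1, rpo_h=0.5, backup_interval_h=1),
]


if __name__ == "__main__":
    print("priority:", criticality_rank(SAMPLE))
    for name, finding in gaps(SAMPLE):
        print(f"GAP {name}: {finding}")
    print(f"availability at MTBF=1000h, MTTR=10h: {availability(1000, 10):.4%}")
```

Each finding points at a decision for management: a process whose RTO + WRT exceeds its MTD needs a faster recovery strategy (a warmer site, a shorter restore), and one whose backup interval exceeds its RPO needs more frequent data replication, not a faster site.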
3. Recovery strategy
a. When preventive controls don’t work, recovery strategies are necessary
i. Facility Recovery
1. Subscription services 🡪 Hot, warm, cold sites
2. Reciprocal Agreements
a. Specialized businesses sometimes enter into a
reciprocal agreement with another company
providing the same services.
b. Usually not legally binding.
c. Not a good solution long term
3. Others
a. Redundant/Mirrored site (Partial or full)
b. Outsourcing
c. Rolling hot site
d. Prefabricated building
4. Offsite facilities should be no less than 15 miles away for low
to medium environments. Critical operations should have an
offsite facility 50-200 miles away.
ii. Hardware and Software Recovery
1. Hardware Recovery
a. Dependent upon good configuration management
documentation.
b. May include
i. PCs/servers
ii. Network equipment
iii. Supplies
iv. Voice and data communications equipment
v. SLAs can play an essential role in hardware recovery.
2. Software Recovery
a. BIOS configuration information
b. Operating systems
c. Licensing information
d. Configuration settings
e. Applications
f. Plans for what to do in the event that the operating
system/applications are no longer available to be
purchased
iii. Personnel Recovery
1. Identify essential personnel.
2. How to handle personnel if the offsite facility is a great
distance away.
3. Eliminate single points of failure in staffing and ensure
backups are properly trained.
4. Don’t forget payroll.
iv. Data Recovery
1. Metrics 🡪 MTD/RTO/RPO/etc
2. Backups
3. Database shadowing
a. Mirroring technology
b. Updating one or more copies of data at the same
time
c. Data saved to two media types for redundancy
4. Remote journaling
a. A copy of a modified file is sent to a remote location
where an original backup is stored.
b. Transfers bulk backup information.
c. Batch process of moving data.
5. Electronic Vaulting
a. Moves the journal or transaction log to a remote
location, not the actual files.
4. Plan design and development
a. Now that all the research and planning has been done, this phase is where
the actual plan is written.
b. Should address
i. Responsibility
ii. Authority
iii. Priorities
iv. Testing
5. Implementation
a. Plan is often created for an enterprise with individual functional managers
responsible for plans specific to their departments.
b. Copies of plan should be kept in multiple locations.
c. Both electronic and paper copies should be kept.
d. Plan should be distributed to those with a need to know. Most employees
will only see a small portion of the plan.
e. Three Phases following a disruption
i. Notification/activation
1. Notifying recovery personnel
2. Performing a damage assessment
ii. Recovery phase – failover
1. Actions taken by recovery teams and personnel to restore IT
operations at an alternate site or using contingency
capabilities – performed by recovery team.
iii. Reconstitution – failback
1. Outlines actions taken to return the system to normal
operating conditions; performed by the salvage team.
6. Testing
a. Should happen once per year or as the result of a major change (very testable)
b. The purpose of testing is to improve the response (never to find fault or
blame)
c. The type of testing is based upon the criticality of the organization,
resources available and risk tolerance
i. Testing 🡪 happens before implementation of a plan. The goal is to
ensure the accuracy and the effectiveness of the plan.
ii. Exercises/Drills 🡪 Employees walk through step by step. Happens
periodically. Main goal is to train employees.
iii. Auditing 🡪 3rd party observer ensures that components of a plan are
being carried out and that they are effective.
d. Types of tests
i. Checklist test
1. Copies of plan distributed to different departments.
2. Functional managers review.
ii. Structured walk-through test
1. Representatives from each department go over the plan.
iii. Simulation test
1. Going through a disaster scenario
2. Continues up to the actual relocation to an offsite facility
iv. Parallel test
1. Systems moved to alternate site, and processing takes place
there.
v. Full-interruption test
1. Original site is shut down.
2. All processing is moved to the offsite facility.
e. Post-incident review (After a test or disaster has taken place)
i. Focus on how to improve
ii. What should have happened
iii. What should happen next
iv. Not whose fault it was; that is not productive
7. Maintenance
a. Change management:
i. Technical – hardware/software
ii. People
iii. Environment
iv. Laws
b. Large plans can take a lot of work to maintain
c. Does not have a direct line to profitability
d. Keeping the plan up to date
i. Make it a part of business meetings and decisions
ii. Centralize responsibility for updates
iii. Part of job description
iv. Personnel evaluations
v. Report regularly
vi. Audits
vii. As plans get revised, original copies should be retrieved and
destroyed