Sec+ preparation #13 (digital forensics and incident response, awareness training, data classification)

Intro

Let’s jump into the next day of preparing for Sec+.

Before beginning I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes concepts of various topics. Real professional.

You can purchase Security+ SY0-701 boot camp here

Digital Forensics and Incident Response (DFIR)

There are many types of Forensics:

  • Log forensics

  • Registry Forensics

Important steps

  • Record any time offset

    • It is always best to use a good time server (NTP)

    • It is really important to have the same time set on every device, because only then can you build a reliable timeline of events

    • Sign the hashes with a private key. Once the evidence is hashed, nothing can be changed unnoticed, because the hash will change.

eDiscovery

  • eDiscovery or e-evidence

  • Always start with the most volatile evidence first

    • Cache would be the most volatile

    • Then you could attempt to extract data in RAM

  • Take photograph

  • Always make a copy of evidence

  • Avoid contaminating the original evidence

  • The hard drive is copied bit by bit (the dd command in Linux)

    • To capture deleted files, you must have a bit-by-bit copy of the hard drive

  • Do not use simple OS tools

    • They do not make forensically sound copies

Chain of custody

Before doing any forensic procedure, hash the evidence immediately and record the hash.

  • Always think it might be presented in court, be careful

  • Identification, collection, preservation, presentation in court
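
The bit-by-bit copy and the hash-before-and-after rule above can be seen in one small script. This is an added example, not from the boot camp or the original post: it builds a constructed 64-sector "disk" file, copies it sector by sector the way `dd bs=512` would, hashes the source before and the image after, shows that data no file system entry points at is still in the image, and shows that changing a single byte of the image is caught by re-hashing. The sector layout, marker strings and file names are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # copy granularity, like `dd bs=512`

def make_sample_disk(path: str) -> None:
    """Constructed 64-sector 'disk': sector 2 holds a live file; sector 40 holds data
    whose directory entry was deleted but whose bytes were never overwritten."""
    disk = bytearray(64 * SECTOR)
    live, deleted = b"LIVE FILE CONTENT", b"DELETED BUT STILL ON DISK"
    disk[2 * SECTOR:2 * SECTOR + len(live)] = live
    disk[40 * SECTOR:40 * SECTOR + len(deleted)] = deleted
    with open(path, "wb") as f:
        f.write(disk)

def sha256_file(path: str) -> str:
    """Hash a file in sector-sized chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(SECTOR), b""):
            h.update(chunk)
    return h.hexdigest()

def image_disk(src: str, dst: str) -> tuple:
    """Sector-by-sector copy of src into dst (what `dd if=src of=dst bs=512` does).
    Hash the source first, then the finished image: matching hashes prove the copy
    is bit-for-bit identical and give the chain of custody its reference value."""
    before = sha256_file(src)
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(SECTOR), b""):
            d.write(chunk)
    return before, sha256_file(dst)

def contains(image_path: str, marker: bytes) -> bool:
    """Search the raw image, not a file system, so unlinked ('deleted') data is found too."""
    with open(image_path, "rb") as f:
        return marker in f.read()

def run_check() -> dict:
    """Image a constructed disk, verify it, carve the 'deleted' data, then show that a
    single-byte change to the image is caught by re-hashing."""
    with tempfile.TemporaryDirectory() as tmp:
        src, img = os.path.join(tmp, "disk.bin"), os.path.join(tmp, "disk.dd")
        make_sample_disk(src)
        before, after = image_disk(src, img)
        recoverable = contains(img, b"DELETED BUT STILL ON DISK")
        with open(img, "r+b") as f:          # simulate an accidental modification
            f.seek(5)
            f.write(b"X")
        return {
            "image_sound": before == after,
            "deleted_data_recoverable": recoverable,
            "tamper_detected": sha256_file(img) != before,
        }

if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

In a real case the source is a block device and the original is never opened for writing (a hardware write blocker is the usual guarantee); the hash pair recorded here is what goes into the chain-of-custody form.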

First responders in a DF (Digital Forensics) case

  • First responder is really important

  • Could be a system or network admin

  • Attempt to find the root causes

  • Has to be prepared, and their actions should be planned

    • Usually has a first responder toolkit

  • Before you touch anything, photograph how the scene looked.

Damage and loss control

  • Preparation

    • Produce policies

  • Identification

  • Containment

    • Make sure the attacker cannot move further

  • Eradication

  • Recovery

  • Lessons Learned

Reporting

  • Breach notification laws may apply to you

  • Could affect your reputation

It is really important for an organization to tell others when it has been hacked, because it can save other companies. Hacks usually spread between organizations like a domino effect.

Cross Border Issues

  • Jurisdiction is a large problem

  • Where do we prosecute from?

    • For example, if a crime originated in Russia and was routed through 5 different countries

  • Cross-border issues also apply to people and other data

    • Beware if you travel with hacking tools

    • Beware if you have international locations

    • Beware if you travel overseas with strong crypto tools

  • If you have a laptop with Kali installed, you can become a suspect in some countries.

  • You can get a laptop with Kali confiscated in some countries. It really happens.

Awareness Training

It is security awareness for end users. You cannot protect other people, but you can make them aware of what possible threats there are.

Awareness should include

User habits such as:

  • Passwords

  • Data handling

  • Clean Desk policies

  • Personally owned devices

Modify employee behavior and improve attitudes towards information security.

Threat awareness:

  • New viruses

  • Phishing attacks

  • Social Network Dangers

Educate your users!

Easiest target

  • Easiest target is usually between the chair and the desk

  • Beware of insider threats

    • There is no patch for human stupidity

    • Never underestimate stupidity

    • Users are easily predictable

MOST EFFECTIVE WEAPONS ARE:

Awareness, Training, Education, Policies

Data Classification

  • Allows the identification of sensitive or classified data

  • Each classification has its own protection requirements

  • Subject must have proper security clearance

  • Usually based on Mandatory Access Control (MAC)

Data Classification Process

Classification is based on these topics:

  • Value of data

  • Sensitivity and value of the information

  • Decide on Controls

Classification Criteria

  • Usefulness of data

  • Value

  • Age

  • The level of damage that could be caused

  • Effects the data has on national security

  • Who should be accessing this data?

Process

  • Identify Data Owner

  • Identify Data Custodian (person who will be responsible for the data)

  • Develop the classification criteria based on CIA

  • Define Controls

  • Define and document exceptions

  • Document how to transfer custody of the data

  • Declassification procedures

  • Security awareness program

Classification Issues

  • A large problem is that data gets classified but never gets declassified

  • It is usually forgotten about

  • People lose trust in data classification
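
The clearance rule under Data Classification and the "classified but never declassified" problem above, as an added example that is not part of the original post. The labels, the ordering of levels, the record fields and the sample records are all constructed for the demo; the read rule is the usual mandatory access control check that a subject's clearance must be at least as high as the object's classification, and the review-date scan is one simple way to keep declassification from being forgotten.

```python
from datetime import date

# Ordered sensitivity levels; a higher index means more sensitive (constructed labels).
LEVELS = ["public", "internal", "confidential", "secret"]

def rank(level: str) -> int:
    return LEVELS.index(level)

def may_read(clearance: str, classification: str) -> bool:
    """MAC read rule: a subject may read an object only if the subject's clearance
    dominates (is at least as high as) the object's classification."""
    return rank(clearance) >= rank(classification)

# Constructed classified records: owner, custodian, classification, and the date by
# which the classification must be reviewed (and lowered or removed if no longer needed).
RECORDS = [
    {"id": "HR-2021-salary", "owner": "hr-director", "custodian": "hr-it",
     "classification": "confidential", "review_by": date(2022, 6, 30)},
    {"id": "press-kit-2023", "owner": "marketing", "custodian": "web-team",
     "classification": "public", "review_by": date(2030, 1, 1)},
    {"id": "m&a-project-blue", "owner": "cfo", "custodian": "finance-it",
     "classification": "secret", "review_by": date(2023, 3, 1)},
]

def readable_by(records, clearance: str) -> list:
    """Ids of the records a subject with the given clearance may read."""
    return sorted(r["id"] for r in records if may_read(clearance, r["classification"]))

def overdue_for_review(records, today_iso: str) -> list:
    """Records whose scheduled review date has passed: the data that would otherwise
    stay classified forever because nobody remembered to declassify it."""
    today = date.fromisoformat(today_iso)
    return sorted(r["id"] for r in records if r["review_by"] < today)

if __name__ == "__main__":
    print("confidential clearance can read:", readable_by(RECORDS, "confidential"))
    print("overdue for review on 2024-01-01:", overdue_for_review(RECORDS, "2024-01-01"))
```

Running the review scan on a schedule, and routing its output to the data owner, is the cheap fix for the trust problem described above: classifications that are periodically re-examined stay believable.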

Awareness and Training

  • Train users on proper usage of classification

  • Attempt to keep it simple

  • If it is too complex, it will not be in use

  • KISS principle applies everywhere

Compliance with laws

  • Be familiar with the law

  • Be aware of local and national laws

Retention Policies

  • You must develop Retention Policies

    • What will be kept

    • Where it will be kept

    • For how long will it be kept

    • Who will keep it, and where

  • Storage devices degrade

Business Continuity Plan (BCP) & Disaster Recovery Plan (DRP)

Objectives

  • Business Impact Analysis

  • Risk Management

  • Selecting, developing, testing and implementing recovery plans

  • Roles and responsibilities

  • Backup and offsite facilities

BCP

It ensures that your organization keeps running and that all of its processes still do their job.

  • Think on what happens to business if disaster happens

  • It can affect your

    • Reputation

    • Operations

    • Market Position

Roles and Responsibilities

Senior Executives:

  • Consistent support and final approval of plans (will be on the exam)

  • Setting the business continuity policy

  • Prioritizing critical business functions

  • Allocating sufficient resources and personnel

  • Providing oversight for and approving the BCP

Senior functional management:

  • Develop and document maintenance and testing strategy

  • Identify and prioritize mission-critical systems

  • Monitor progress of plan development

  • Monitor progress of plan execution

Mean time to repair (MTTR) and Mean time between failure (MTBF)

MTTR

  • Average time needed to repair a failure

  • Ability to recover quickly from a failure

  • Spare equipment could be useful

MTBF

Hard drives usually come with an MTBF value. The manufacturer tests it during production and states how long the hardware is expected to last.

  • Average time between each failure

  • Number of failures over time

Uninterruptible Power Supply (UPS) [BATTERY]

  • Computers are connected to the UPS

  • Usually a large room with batteries

  • Must have two power inverters

Standby UPS:

  • Smaller UPS model

  • Provides power when a power failure happens

  • Must consider size versus total load

Backup generator

Some organizations such as hospitals have backup energy generators

Some key points:

  • It is essential for long term interruption

  • Large data centers use them

  • Must have a fuel supply for a month

  • Must be of proper size

  • It should be tested regularly

Single point of failure

  • Avoid any single point of failure

    • This includes UTM (Unified Threat Management) appliances.

  • Redundant network connections

  • Redundant server for critical services

  • Spare equipment

    • Hard drive

    • Router

    • Switches

RAID (ALWAYS ON EXAM)

  • Redundant array of independent disks

  • Redundant array of inexpensive disks

  • HARD DRIVES ARE THE WEAKEST LINK IN BUSINESS

  • Goals could be:

    • Increased read and write speed

RAID-0 - striped disk array without fault tolerance

RAID-1 - Mirroring & Duplexing

RAID-5 - Block-level striping and distributed parity

RAID-6 - Block-level striping and dual parity - can sustain the loss of two disks

RAID-10 - Combo RAID-1 + RAID-0
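
A small simulation of RAID-5's "block-level striping and distributed parity", as an added example that is not part of the original post. It stripes constructed data across four simulated drives with one rotating XOR parity block per stripe, loses one drive, rebuilds it from the survivors and reads the data back intact; it also shows why the same set does not survive losing two drives, which is the gap RAID-6's dual parity closes. Drive count, block size and the sample data are assumptions of the demo; real controllers use the same XOR parity but handle layout, sizes and RAID-6's second parity in ways this toy does not attempt.

```python
from functools import reduce

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def raid5_write(data: bytes, disks: int = 4, chunk: int = 4) -> list:
    """Stripe data over `disks` drives; each stripe has disks-1 data blocks and one
    XOR parity block, and the parity block rotates across drives stripe by stripe."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least 3 disks")
    per_stripe = disks - 1
    stripe_len = per_stripe * chunk
    data = data + b"\0" * (-len(data) % stripe_len)   # zero-pad to whole stripes
    drives = [[] for _ in range(disks)]
    for s in range(len(data) // stripe_len):
        stripe = data[s * stripe_len:(s + 1) * stripe_len]
        blocks = [stripe[i * chunk:(i + 1) * chunk] for i in range(per_stripe)]
        parity = reduce(xor, blocks)
        parity_disk = s % disks                        # distributed parity
        block = iter(blocks)
        for d in range(disks):
            drives[d].append(parity if d == parity_disk else next(block))
    return drives

def raid5_survives(drives) -> bool:
    """One failed drive (None) is recoverable; two is data loss in RAID-5."""
    return sum(1 for d in drives if d is None) <= 1

def raid5_rebuild(drives, lost: int) -> list:
    """Recover every block of drive `lost`: XOR of the other drives' blocks in the
    same stripe equals the missing block, whether it held data or parity."""
    survivors = [d for i, d in enumerate(drives) if i != lost]
    return [reduce(xor, [drv[s] for drv in survivors]) for s in range(len(survivors[0]))]

def raid5_read(drives, disks: int, length: int) -> bytes:
    """Reassemble user data by walking each stripe and skipping its parity block."""
    out = b"".join(drives[d][s]
                   for s in range(len(drives[0]))
                   for d in range(disks) if d != s % disks)
    return out[:length]

if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"
    drives = raid5_write(data)
    lost = drives[2]
    drives[2] = None                                    # drive 2 dies
    print("survives one loss:", raid5_survives(drives))
    drives[2] = raid5_rebuild(drives, 2)
    print("rebuilt identical:", drives[2] == lost)
    print("data intact:", raid5_read(drives, 4, len(data)) == data)
    drives[0] = drives[1] = None                        # two drives die
    print("survives two losses:", raid5_survives(drives))
```

RAID-0 in these terms is the same striping with no parity block, so any lost drive takes its blocks with it; RAID-1 keeps a full copy of every block on a second drive instead of computing parity.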

Business Impact Analysis (BIA)

  • Helps identify and prioritize information systems

  • Determine mission/business functions

  • Determine recovery criticality

  • Identify resource requirements

  • Allows you to research other disasters

Tests & Recovery Exercises

  • Checklist Test

  • Structured Walk-through Test

    • This one is really good; it is the best remembered

  • Simulation Test

  • Parallel Test

  • Full Interruption Test

Hot, Warm, Cold sites

  • Can be owned or rented

  • Choice is driven by Maximum Tolerable Downtime (MTD)

  • Choice is also driven by money losses per minute

OUTRO

Time flies. It was the final section of the boot camp. It’s a very good feeling when you understand that the first journey of cybersecurity is close to finishing.

Of course in cybersecurity learning never ends. I’m okay with that never ending learning journey and I can’t wait to meet all of the challenges that are waiting in this field.

What’s next?

Now I’ll start taking practice exams @Boson that I’ve purchased. I’ll start with Security+ 601, and after some additional final studying steps I’ll try the 701 practice exam (I have 2 practice exams available).

After that I’ll buy entry to the real CompTIA Security+ exam.

Keep following for thoughts about my experience in this final phase of my journey.

Once again, I’d like to say a BIG thank you to Master Occupy The Web. I love his teaching style. To see more courses of his, visit Hackers-Arise.

Have a good one!

Written by

Jonas Satkauskas