Domain 7: Security Operations Western Governors UniversityCISSP 101Notes - Domain 7 - EDT_JAN18

Document Content and Description Below

Domain 7: Security Operations SLIDE 3: Domain Objectives • Protect and control information processing assets in centralized and distributed environments • Execute the daily tasks required to ke... ep security services operating reliably and efficiently SLIDE 4 ‐ 7: Domain Agenda • Understand and Support Investigations • Understand Requirements for Investigation Types • Conduct Logging and Monitoring Activities • Secure the Provisioning of Resources through Configuration Management • Understand and Apply Foundational Security Operations Concepts • Employ Resource Protection Techniques • Conduct Incident Response • Operate and Maintain Preventative Measures • Implement and Support Patch and Vulnerability Management • Participate In and Understand Change Management Processes • Implement Recovery Strategies • Implement Disaster Recovery Processes • Test Disaster Recovery Plan • Participate in Business Continuity Planning Exercises • Implement and Manage Physical Security • Participate in Personnel Safety Design and Validate Assessment and Test Strategies SLIDE 8: Module Topics • The Incident Scene • Evidence Collection Handling • Incident Handling and Response • Digital ForensicsD7 P2 V.01_2018 Understand and Support Investigations SLIDE 9: The Incident Scene Must be established before a security professional can begin to identify evidence Incident scene ‐ the environment in which potential evidence may exist. The principles of criminal‐istics apply in both forensic and computer forensic cases. Principles include: ■ Identify the scene ■ Protect the environment ■ Identify evidence and potential sources of evidence ■ Collect evidence ■ Minimize the degree of contamination SLIDE 10: Live Evidence Live evidence ‐ data that is dynamic and exist in running processes or other volatile locations Volatile – meaning that the data disappears in a relatively short amount of time. EX: after the system is powered down. NOTE: that It is more difficult for the security professional to protect the virtual evidence scene. SLIDE 11: Locard’s Exchange Principle States that when a crime is committed, the perpetrators leave something behind and take something with them. This principle allows us to identify aspects of the persons responsible, even with a purely digital crime scene. This also applies to first responders and investigators. They will leave a part of themselves at the scene as well as take a piece of the crime scene with them. Be sure to understanding MOM  Means, Opportunity, and Motives (MOM) – Courts must prove MOM  Modus operandi or ‐ the way the crime was committed Both allow for a more thorough investigation or root cause analysis. Identifying the root cause correctly and quickly is extremely important when dealing with an incident; criminal or not.D7 P3 V.01_2018 SLIDE 12: General Guidelines Several international entities have developed general guidelines that are based on the IOCE. EX: SWGDE ‐ Scientific Working Group on Digital Evidence IOCE ‐ International Organization for Cooperation in Evaluation “Group of 8 Nations” (G8) principles for computer forensics and digital / electronic evidence: ■ When dealing with digital evidence, all of the general forensic and procedural principles must be applied ■ Upon seizing digital evidence, actions taken should not change that evidence ■ When it is necessary for a person to access original digital evidence, that person should be trained. ■ All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and made available for review ■ An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in his possession ■ Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these Principles Only those individuals with knowledge of basic crime scene analysis should be allowed in the scene. The logical choice will be members of the incident response or handling teams. Formal approach and thorough documentation is essential Deal with a scene in a manner that minimizes the amount of disruption, contamination, or destruction of evidence. Once a scene has been contaminated, there is no undo or redo button to push; the damage is done [Show More]

Last updated: 1 year ago

Preview 1 out of 112 pages