CISSP Cornell Notes by

Col Subhajeet Naha, Retd, CISSP


Domain 7 : Security Operations
CISSP CORNELL NOTES

• Domain 7 – Security Operations

• How to Prepare for CISSP
  • Attend an online boot camp or training session.
  • Read the prescribed books.
  • Don't cram; keep a tab of the important points (the main points are covered in these notes).
  • For experienced professionals, one or two reads are sufficient. The aim is to clear the concepts.
  • Practice questions from the Sybex 10th edition and the Sybex 4th edition practice tests.
  • Don't refer to any dumps; they are of no use.
• How to use these notes
  • Use these notes as revision notes.
  • Reading the reference books is highly recommended.
  • Scribble your own notes.
• Reference Books
  • Sybex 10th Edition
  • Destination Certification
• Reach out to us if you have any questions
  • Future domains are being prepared.
  • Website: learn.protecte.io
  • Mob: +91-8800642768
Security Operations

• Definition and Importance of Security Operations
• Integration of Security into Organizational Processes
• Role of Security Operations in Supporting Organizational Goals

Definition and Importance of Security Operations:
• Security operations are the continuous, day-to-day activities performed by the security team to ensure the ongoing protection of an organization's systems, assets, and data.
• These operations are integral to maintaining a secure environment in which systems remain resilient to threats and attacks.

Integration of Security into Organizational Processes:
• Security operations are not standalone; they are integrated into broader organizational processes so that systems are secured throughout their lifecycle.
• Examples include implementing security controls, monitoring network traffic, managing security incidents, patching vulnerabilities, and conducting audits.
• Security must align with the business processes, balancing security against operational efficiency.

Role of Security Operations in Supporting Organizational Goals:
• The goal of security operations is to protect the organization while enabling it to meet its objectives without disruption.
• This includes ensuring the confidentiality, integrity, and availability (CIA triad) of systems and data, providing incident response capabilities, and enforcing compliance with regulations.
• By mitigating risks and handling security incidents effectively, security operations allow the organization to operate smoothly and securely.

• Security operations are essential for maintaining the security and resilience of an organization’s
systems.
• They integrate security practices with organizational processes and support the business in
achieving its goals without compromising on security.
• Effective security operations help manage risks, respond to incidents, and ensure compliance with
policies and regulations.

Cornell Notes by Col Subhajeet Naha, Retd, CISSP 2024


Securing the Scene (Investigations)

• Importance of Securing the Scene
• Key Steps to Secure the Scene
• Contamination of Evidence in Investigations

Importance of Securing the Scene:
• Securing the scene is critical to the integrity of any investigation.
• Investigators must preserve evidence in its original state so that it remains valid for later examination and for legal scrutiny.
• If the scene is not properly secured, the credibility of the investigation can be compromised and the evidence may be ruled inadmissible in court.

Key Steps to Secure the Scene:
• Seal off access: prevent unauthorized individuals from entering the area where the incident or crime took place.
• Take photographs: capture detailed images of the scene before anything is moved or disturbed.
• Document evidence: record the exact location of every item of evidence, including digital devices, to create a clear and reliable record of the scene.
• Avoid touching anything: computers, mobile devices, and storage media (hard drives, USB sticks) must not be handled or operated, as this could alter or destroy vital evidence. The one exception is volatile data (RAM, active network connections) that a trained examiner captures with forensic tools before a running system is powered off; nobody else should interact with the system.
• Employ forensic techniques (imaging or snapshotting) to copy data without compromising the integrity of the system.

Contamination of Evidence in Investigations:
• Once evidence is contaminated, it cannot be restored to its original state.
• Example: typing on a suspect's computer or moving files alters timestamps and file metadata, potentially invalidating the evidence.
• Following established forensic procedures is vital to avoid accidental tampering.

• Securing the scene is essential in any investigation to preserve evidence. Investigators must follow
proper procedures like sealing off the area, documenting the scene, and avoiding any interaction
with digital devices.
• Ensuring that evidence is not contaminated allows investigators to maintain the integrity of the
investigation, leading to reliable conclusions and upholding the legal admissibility of evidence.



Forensic Investigation Process

• Need for Forensic Investigation
• Methodologies in Digital Forensics
• Steps of the Forensic Investigation Process
• Chain of Custody
• Collection of Evidence
• Examination and Analysis of Evidence
• Final Reporting

Need for Forensic Investigation:
• Organizations that use computer systems and networks may need digital forensics for crime investigation, policy breaches, system troubleshooting, and similar purposes.
• Digital forensic methodologies help find answers, solve problems, and can aid in prosecuting crimes.

Methodologies in Digital Forensics:
• Standard practices include securing the scene, collecting evidence, and maintaining the integrity of data so that it is admissible in court.
• The process ensures that evidence is preserved correctly and is not contaminated.

Steps of the Forensic Investigation Process:
1. Identification and Securing the Scene:
  • The first step is securing the scene and ensuring that evidence is not tampered with.
  • Protect potential evidence from being touched or removed.
  • Begin the chain of custody, documenting who handled each item of evidence, when, and where.
2. Collection of Evidence:
  • Proper collection methods are used for both physical and digital evidence.
  • Policies and standards guide the collection process to preserve evidence integrity.
3. Examination and Analysis:
  • Evidence is examined through manual and automated processes to determine its relevance to the investigation.
  • The analysis helps build a case or identify the responsible party.
4. Final Reporting:
  • The results of the investigation are compiled into a detailed report.
  • The report outlines the entire investigation process, the findings, recommendations, and the actions required.
  • Reports may vary depending on the audience and the level of detail required.

Chain of Custody:
• Key to maintaining the integrity of evidence: it records who handled the evidence, when, and where.
• It demonstrates control and integrity, which is essential for admissibility at trial.

Final Reporting Considerations:
• The report should be clear, detailed, and relevant to its audience, which may require different formats for different stakeholders.

• Forensic investigation involves identifying and securing the scene, collecting evidence while
maintaining the chain of custody, and examining and analyzing the data.
• The final report is critical for summarizing findings and may need to be tailored for different
audiences.



Sources of Information and Evidence

• Sources of Information
• Evidence Types: Real Evidence, Direct Evidence, Circumstantial Evidence, Corroborative Evidence, Hearsay Evidence, Best Evidence Rule, Secondary Evidence

Sources of Information:
• Oral/Written Statements: statements given to police or investigators by witnesses or other individuals with pertinent information.
• Written Documents: physical documents such as cheques, letters, contracts, and receipts relevant to the investigation.
• Computer Systems: the hardware storing data, such as SSDs, HDDs, USB drives, and other peripherals connected to a system at the time of the crime.
• Visual/Audio Records: photographs, video/audio recordings, and security footage related to the investigation.

Evidence Types:
1. Real Evidence: tangible physical objects, such as hard drives and USB sticks. They can be inspected and used to prove or disprove factual issues at trial.
2. Direct Evidence: evidence that speaks for itself and requires no inference (e.g., video footage of the crime happening, or a witness testifying to what they personally saw).
3. Circumstantial Evidence: indirect evidence that suggests a fact by implication. It proves an intermediate fact from which the conclusion is inferred, such as a witness stating that the defendant was near the crime scene.
4. Corroborative Evidence: supports facts or other elements of a case by confirming testimony or other evidence. It does not stand on its own, but it makes the evidence it supports far more convincing.
5. Hearsay Evidence: second-hand testimony in which a witness repeats what someone else said rather than what they personally observed. It is usually inadmissible unless an exception applies; computer-generated logs are often treated as hearsay but admitted under the business records exception when they were produced and kept in the ordinary course of business.
6. Best Evidence Rule: stipulates that the original evidence should be presented in court rather than a copy whenever possible. For data stored electronically, the US Federal Rules of Evidence treat an accurate printout or other readable output as an original.
7. Secondary Evidence: substitutes for original evidence, such as a copy of a document or a printout of log files, used when the original is unavailable.

• In an investigation, sources of information include statements, documents, systems, and visual/audio evidence.
• Various types of evidence, such as real, direct, and corroborative evidence, play critical roles in proving facts in court, while hearsay and secondary evidence are subject to more limitations.



MOM and Locard's Exchange Principle

• MOM (Motive, Opportunity, Means)
• Locard's Exchange Principle
• Importance of Evidence in Investigations

MOM (Motive, Opportunity, Means):
• Motive: investigators assess what might have driven the suspect to commit the crime, i.e. the potential reasons or incentives behind the suspect's actions.
• Opportunity: whether the suspect had the chance to commit the crime. For example, was the suspect present at the scene, or did they have access to the necessary systems or locations at the relevant time?
• Means: whether the suspect had the resources or abilities to carry out the crime, such as the technical know-how, physical tools, or access to the needed information.

Locard's Exchange Principle:
• Definition: whenever two objects come into contact, a transfer of material occurs. Something is always taken away and something is always left behind.
• Application in forensics: in every investigation, detectives search for traces left behind (e.g., fingerprints, DNA, fibres) and for evidence of what might have been taken away.
• Crime scenes are examined meticulously, with photographs, vacuuming for fibres, and fingerprint analysis, following this principle to find links to the crime.
• Example: an attacker who breaks into a system leaves behind source IP addresses, login records, or malware traces while taking sensitive data. Both the intrusion and the exfiltration can leave digital or physical evidence behind.

• MOM is a key investigative guide for determining a suspect's motive, opportunity, and means for committing a crime. Locard's Exchange Principle reinforces that evidence is always left behind or taken during the commission of a crime, guiding forensic investigators on where to look for critical information.



Digital/Computer Forensics

• Digital Forensics
• Live Evidence
• Forensic Copies
• Digital Forensics Tools, Tactics, and Procedures
• Artifacts in Digital Forensics

Digital Forensics:
• Definition: digital forensics is the scientific process of identifying, preserving, examining, and analyzing digital data for the purposes of an investigation. It is a critical component in understanding how a system was compromised or breached.
• Purpose: used in investigations to collect evidence, analyze it, and reconstruct digital activities.

Live Evidence:
• Definition: live evidence is data held temporarily in a running system, such as in RAM, caches, or system buffers.
• Example: information in active memory that will be lost if the system is powered off or rebooted. It is crucial to capture this data during live forensic analysis.

Forensic Copies:
• Definition: forensic copies are bit-for-bit replicas of digital media (e.g., hard drives, SSDs). They ensure that the integrity of the original data is preserved for forensic analysis.
• Importance: forensic copies allow investigators to analyze data without altering the original source, preserving the evidence for court or further investigation.

Digital Forensics Tools, Tactics, and Procedures:
• Definition: specialized tools and methodologies used to properly handle and analyze digital evidence, especially from live systems.
• Example: tools such as FTK (Forensic Toolkit) and EnCase are often used to acquire and analyze forensic data while maintaining data integrity.

Artifacts in Digital Forensics:
• Definition: artifacts are traces left behind after a breach or attempted breach. They act as clues, often pointing to the actions or path of an attacker.
• Example: log files, registry changes, malware traces, or deleted files that show tampering or unauthorized access attempts.


• Digital forensics involves the systematic collection and analysis of digital data, often crucial in legal
investigations.
• Live evidence, forensic copies, and artifacts all play key roles in this process.
• Digital forensics tools and procedures ensure the proper handling of data, maintaining the integrity of
evidence for investigation or court presentation.



Live Evidence in Digital Forensics

• Definition of Live Evidence
• Challenges with Live Evidence
• Specialized Tools for Live Evidence
• Impact of Disrupting a System with Live Evidence

Definition of Live Evidence:
• Definition: live evidence is data that resides in a running system, held in volatile locations such as RAM, caches, and CPU registers. It is temporary and disappears when the system is powered off or rebooted.
• Example: open files, active processes, logged-in users, and network connections held in RAM that are crucial to understanding a security breach.

Challenges with Live Evidence:
• Volatility: live evidence is highly volatile and is easily altered or lost, making it difficult to collect without contamination. Simply interacting with the system (moving the mouse, typing on the keyboard) changes memory contents and can overwrite crucial evidence.
• Immediacy: data must be collected promptly and without disrupting the system, because powering it off destroys the live evidence.
• Order of volatility: collect the most volatile data first. RFC 3227 gives the order as CPU registers and caches, then memory, then network state and running processes, then disk, then remote logging data, then physical configuration and archival media.

Specialized Tools for Live Evidence:
• Tools and expertise: extracting live evidence requires expert knowledge and specialized forensic tools that capture volatile data while changing the system state as little as possible. FTK Imager (and similar acquisition tools) can capture the contents of RAM; Volatility is then used to analyze the captured memory image (processes, network connections, loaded drivers, injected code).
• Minimizing contamination: every acquisition tool itself changes some memory, so examiners use small, trusted tools, run them from external media, and document exactly what was run and when. Automated scripts reduce further user interaction.

Impact of Disrupting a System with Live Evidence:
• Data loss: if a system is powered down or rebooted, all data in volatile storage such as RAM and CPU registers is lost. This can severely hinder an investigation because crucial evidence becomes irretrievable.
• Example: if a server is forcibly shut down during an investigation, data about open network connections, decrypted content, or encryption keys held in RAM is lost.


• Live evidence is volatile and requires careful handling during digital forensic investigations.
• Special tools and expertise are necessary to extract this data while minimizing the risk of
contamination.
• Disrupting the system can result in permanent loss of critical evidence, which makes live evidence
collection both challenging and urgent.



Forensic Copies in Digital Forensics

• Definition of Forensic Copies
• Process of Creating Forensic Copies
• Handling the Original Hard Drive
• Importance of Working Copies

Definition of Forensic Copies:
• Definition: forensic copies are exact, bit-for-bit replicas of a digital storage device (e.g., a hard drive) created to preserve evidence. They ensure that the original data remains untouched and unchanged during the investigation.
• Example: when investigating a crime, investigators create two identical copies of the suspect's hard drive for analysis, while the original is stored securely.

Process of Creating Forensic Copies:
• Remove the hard drive from the system and connect it through a hardware write blocker, so that nothing (not even the examiner's operating system automounting the volume) can write to it.
• Create two identical bit-for-bit copies using specialized forensic tools (e.g., FTK Imager, EnCase, or dd/dc3dd on Linux).
• Verify that the copies are identical to the original by hashing the original and each copy and comparing the digests. Older guidance names MD5 and SHA-1; both now have practical collision attacks, so use SHA-256 (many tools record MD5 and SHA-256 together) and record the digests in the chain-of-custody documentation.

Handling the Original Hard Drive:
• Preservation: once the forensic copies are made and verified, the original hard drive is placed in an evidence bag, sealed, and not touched again unless absolutely necessary. This keeps the chain of custody intact and preserves the integrity of the evidence.
• Example: after removing the hard drive from a suspect's laptop, investigators immediately store the original in an evidence bag and work only on the forensic copies.

Importance of Working Copies:
• Purpose of the copies: the first forensic copy is archived, like the original, and is never used. The second copy, the working copy, is used for analysis so that neither the original nor the archive copy is contaminated. Because the archive copy exists, a working copy that becomes damaged or altered can be regenerated without touching the original.
• Example: investigators perform data recovery or malware analysis on the working copy, ensuring that the original hard drive remains untouched for future legal proceedings.


• Forensic copies are exact duplicates of a digital storage device, created to preserve the integrity of
evidence while allowing investigators to perform analysis.
• The original hard drive and the first copy are sealed as evidence, while the second copy, known as
the working copy, is used for forensic examination.
• This process ensures the evidence remains untainted throughout the investigation.



Live Evidence and Forensic Copies

• Definition of Live Evidence
• Challenges with Live Evidence
• Forensic Copies and Handling
• Importance of Bit-for-Bit Copies

Definition of Live Evidence:
• Definition: live evidence is data held in volatile memory (e.g., RAM, CPU registers, caches, buffers) on a running system.
• Challenges: this evidence is fleeting and is lost when the system state changes. Powering off or restarting the system destroys it.

Challenges with Live Evidence:
• Contamination risks: simply interacting with the system, such as moving the mouse or pressing keys, alters its state and can contaminate the evidence.
• Specialized tools required: expert knowledge and forensic tools (e.g., FTK Imager for memory acquisition, Volatility for memory analysis) are essential to extract live evidence without affecting its integrity.
• Example: during an ongoing cyberattack, capturing RAM can reveal active processes, encryption keys, or malware that exists only in volatile memory (fileless malware).

Forensic Copies and Handling:
• Definition: forensic copies are exact, bit-for-bit replicas of digital storage media (e.g., hard drives). They preserve the evidence for analysis while the original data remains intact.
• Handling procedures: after two bit-for-bit copies are created, the original hard drive is sealed in an evidence bag and stored. One copy is also sealed; the second copy is used for analysis.

Importance of Bit-for-Bit Copies:
• Definition: a bit-for-bit copy duplicates the entire content of the original drive exactly, including unallocated space, slack space, deleted files, and metadata. A file-level copy would miss all of these.
• Verification via hashing: to verify the integrity of the forensic copies, a hash (SHA-256 preferred; MD5 may be recorded alongside it for compatibility with older tooling) is computed over the original drive and over each copy. If the digests match, the copies are exact. Hashing the working copy again before and after analysis proves that the examination did not alter it.
• Example: during an investigation, the hard drive from a suspect's laptop is copied bit-for-bit, and the hash values of the original and the copies are compared to confirm that no data was altered.


• Live evidence is volatile and can be easily lost if a system’s state changes. Specialized tools are
required to extract it without contamination.
• Forensic copies, on the other hand, provide exact, bit-for-bit replicas of storage media.
• Creating these copies ensures that the original data remains untouched, allowing detailed analysis
of the duplicate.
• Verifying the integrity of the copies using hash values ensures the copies are accurate and can be
used as valid evidence in legal proceedings.
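The imaging and hash-verification procedure described on this page and the previous one, as an added example that is not part of the original notes. It is a Python stand-in for what FTK Imager or dd would do: a constructed file plays the role of the suspect drive (a real acquisition reads a write-blocked block device such as /dev/sdb), an archive image and a working image are made, each is verified against the source with SHA-256, and a single flipped bit in the working copy is shown to be detected by re-hashing. All file names and the sample content are assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read the source in fixed blocks; never load a whole drive into memory


def sha256_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Stream a file (or block device) through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source: str, image_path: str, block_size: int = BLOCK_SIZE) -> int:
    """Copy every byte of `source` into `image_path`; returns the byte count.

    Opening the source read-only is the software side of 'never write to the
    original'. The hardware side is a write blocker, which code cannot supply.
    """
    written = 0
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            dst.write(chunk)
            written += len(chunk)
    return written


def verify_image(source: str, image_path: str) -> dict:
    """Hash both sides after imaging; equal digests mean a bit-for-bit copy."""
    src_hash = sha256_file(source)
    img_hash = sha256_file(image_path)
    return {"source": src_hash, "image": img_hash, "match": src_hash == img_hash}


def demo() -> dict:
    """Image a constructed 'drive' twice, verify both, then show one flipped bit is caught."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    drive = os.path.join(workdir, "suspect-drive.bin")  # hypothetical stand-in for /dev/sdb
    # Constructed sample content: 64 KiB of random bytes plus a trailing "deleted" fragment.
    data = os.urandom(64 * 1024) + b"... confidential payroll.xlsx ..."
    with open(drive, "wb") as f:
        f.write(data)

    archive = os.path.join(workdir, "image-archive.dd")  # sealed with the original, never used
    working = os.path.join(workdir, "image-working.dd")  # the copy the examiner works on
    image_device(drive, archive)
    image_device(drive, working)
    archive_check = verify_image(drive, archive)
    working_check = verify_image(drive, working)

    # Simulate contamination of the working copy: flip one bit in the middle of the image.
    with open(working, "r+b") as f:
        f.seek(len(data) // 2)
        original_byte = f.read(1)
        f.seek(len(data) // 2)
        f.write(bytes([original_byte[0] ^ 0x01]))
    after_tamper = verify_image(drive, working)

    return {
        "archive_match": archive_check["match"],
        "working_match_before": working_check["match"],
        "working_match_after_tamper": after_tamper["match"],
        "source_sha256": archive_check["source"],
    }


if __name__ == "__main__":
    print(demo())
```

The digest of the source recorded at acquisition time is what goes into the chain-of-custody record; anyone can later re-hash the archive copy and show it still matches, which is the "accurate" rule of evidence in practice.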



Forensic Analysis of Mobile Devices - 1

• Challenges in Mobile Device Forensic Analysis
• Reporting and Documentation in Forensics
• Importance of Forensic Artifacts

Challenges in Mobile Device Forensic Analysis:
• Frequent changes in operating systems: mobile device manufacturers frequently change the operating system structure, file systems, and services, making it difficult to keep forensic tools up to date.
• Lack of universal forensic tools: no single tool can extract all the relevant data from every mobile device, so investigators must often use several tools.
• Application hibernation/suspension: apps on mobile devices may be hibernated or suspended, making it difficult to retrieve certain types of live data during forensic analysis.
• Extensive training required: forensic examiners need continual, updated training to handle the evolving landscape of mobile device technology and security mechanisms (device encryption, secure enclaves, remote wipe).
• Network isolation: a seized device should be isolated from all networks (airplane mode or a Faraday bag) and kept charged, so that it cannot be remotely wiped or locked before it is examined.

Reporting and Documentation in Forensics:
• Ongoing documentation: throughout the forensic investigation, documentation is critical. It ensures that all evidence and investigative steps are traceable and can be referenced by the relevant stakeholders.
• Stakeholders for reports: reports are needed by various audiences, including:
  • Prosecution/defense teams
  • Judges and juries
  • Regulators and legal authorities
  • Investors and insurers
• Content of reports: reports must summarize the relevant evidence collected and the methods used, and provide conclusions that are clear and comprehensible for each audience.



Forensic Analysis of Mobile Devices - 2

• Challenges in Mobile Device Forensic Analysis
• Reporting and Documentation in Forensics
• Importance of Forensic Artifacts

Importance of Forensic Artifacts:
• Definition: forensic artifacts are remnants of the activities that occurred during a breach or an attempted breach. They act like breadcrumbs, tracing the intruder's actions and path through the system or network.
• Why artifacts matter: artifacts can confirm or refute hypotheses about how a breach occurred and who may have been responsible. Identifying them helps investigators build a case by providing concrete evidence of malicious activity.

Examples of Forensic Artifacts:
• Sources: computer systems, web browsers, mobile devices, hard drives, and flash drives all generate artifacts.
• Common artifacts: IP addresses, file names and types, registry keys, operating system information, and logged information such as account updates and file changes.
• Example of use: an IP address found in the browser history could help identify where an attacker connected from (bearing in mind that proxies, VPNs, and NAT can hide the true origin). Similarly, registry keys (e.g., Run keys or service entries) and their last-write timestamps can show when malware was installed and how it persisted.


• Mobile device forensic analysis is challenging due to rapid changes in operating systems, lack of
universal tools, and the complexity of suspended applications.
• Investigators require specialized training and tools to handle this complexity. Forensic artifacts are
crucial pieces of evidence in any investigation, acting as clues that can reveal the actions and
identity of an attacker.
• Proper reporting and documentation throughout the investigation process are necessary to ensure
the evidence is clear, accurate, and legally valid for stakeholders.



Chain of Custody

• Definition of Chain of Custody
• Importance of Chain of Custody in Evidence Collection
• Steps in Establishing and Maintaining the Chain of Custody

Definition of Chain of Custody:
• Focus on control: the chain of custody is the documentation of, and control over, evidence from the moment it is collected until it is presented in court. It demonstrates that the evidence has not been tampered with, altered, or contaminated.

Importance of Chain of Custody in Evidence Collection:
• Maintaining integrity for legal proceedings: the primary goal is to maintain the integrity of the evidence so that it is admissible in court. Proper documentation and handling minimize the risk of the evidence being dismissed.
• Preventing contamination: evidence must be handled and stored carefully to prevent contamination, tampering, or deterioration, especially since it may need to be presented in court years later.
• Documentation: every transfer or handling of evidence is documented, noting the time, date, location, purpose, and the individuals involved at each step. For digital evidence, the hash of the item is recorded at collection and re-verified at each hand-over.

Steps in Establishing and Maintaining the Chain of Custody:
• Tag the evidence: label it clearly to document where it was collected, by whom, and on what date.
• Bag the evidence: after tagging, store it securely in a sealed, tamper-evident evidence bag to prevent contamination.
• Carry the evidence: transport it securely to an evidence storage location (e.g., an evidence locker), where it remains until it is needed for analysis or court proceedings. Every hand-over is signed for by both the releasing and the receiving party.
• Example: a hard drive collected from a crime scene is tagged with the date, time, location, and the name of the person who collected it. It is sealed in a tamper-evident bag and stored in a secure evidence locker until it is analyzed by forensic experts.


• The chain of custody ensures that evidence is collected, documented, and stored in a way that
maintains its integrity for use in legal proceedings.
• Key steps include tagging, bagging, and securely storing the evidence.
• Maintaining a clear chain of custody is critical to ensuring that evidence is admissible in court and
free from contamination.
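The tag/bag/carry record described above, as an added example that is not part of the original notes: a minimal chain-of-custody log in Python in which every entry records who handled the item, when, where, and the item's hash, and each entry also carries the hash of the previous entry, so that editing an old entry or returning an item with a different hash is detectable on verification. Evidence IDs, names, times, and locations are constructed for the demonstration; a real log would also be signed by both parties at each hand-over.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List


@dataclass
class CustodyEntry:
    evidence_id: str        # tag written on the evidence bag, e.g. "HDD-2024-0042"
    action: str             # collected / bagged / transferred / stored / checked_out / returned
    handler: str            # person who performed the action
    timestamp: str          # ISO 8601, UTC
    location: str           # where the action took place
    evidence_sha256: str    # digest of the item (or its image) at this point
    prev_entry_hash: str    # digest of the previous entry; links the chain
    entry_hash: str = ""    # digest of this entry, filled in by the log


def _digest(entry: CustodyEntry) -> str:
    """Hash every field except entry_hash itself, with a stable key order."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # prev_entry_hash of the very first entry

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, evidence_id: str, action: str, handler: str,
               timestamp: str, location: str, evidence_sha256: str) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(evidence_id, action, handler, timestamp, location, evidence_sha256, prev)
        entry.entry_hash = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems: List[str] = []
        first_hash: Dict[str, str] = {}   # hash recorded when each item was first logged
        expected_prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != expected_prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if _digest(e) != e.entry_hash:
                problems.append(f"entry {i}: contents altered after recording")
            baseline = first_hash.setdefault(e.evidence_id, e.evidence_sha256)
            if e.evidence_sha256 != baseline:
                problems.append(f"entry {i}: evidence {e.evidence_id} hash changed while in custody")
            expected_prev = e.entry_hash
        return problems


def demo() -> dict:
    """Constructed custody history for one drive, then two kinds of tampering."""
    drive_hash = hashlib.sha256(b"constructed stand-in for the imaged drive").hexdigest()
    log = CustodyLog()
    log.record("HDD-2024-0042", "collected", "A. Sharma", "2024-03-04T09:12:00Z", "Server room B2", drive_hash)
    log.record("HDD-2024-0042", "bagged", "A. Sharma", "2024-03-04T09:20:00Z", "Server room B2", drive_hash)
    log.record("HDD-2024-0042", "transferred", "R. Mehta", "2024-03-04T11:05:00Z", "Evidence locker 3", drive_hash)
    log.record("HDD-2024-0042", "checked_out", "P. Iyer", "2024-03-06T14:30:00Z", "Forensic lab", drive_hash)
    intact = log.verify()

    # Tampering 1: someone edits the handler on the transfer entry after the fact.
    log.entries[2].handler = "Unknown"
    edited = log.verify()
    log.entries[2].handler = "R. Mehta"

    # Tampering 2: the drive comes back from the lab with a different hash.
    log.record("HDD-2024-0042", "returned", "P. Iyer", "2024-03-06T17:00:00Z", "Evidence locker 3", "ff" * 32)
    changed = log.verify()
    return {"intact": intact, "edited": edited, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

The hash chain is what lets a later reviewer tell "entry 2 was rewritten" apart from "entry 4 is honest but the item changed hands with a different digest"; both break the chain of custody, but they point to different people and steps.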



Five Rules of Evidence

• Definition and Importance of the Five Rules of Evidence
• Rule 1: Authentic
• Rule 2: Accurate
• Rule 3: Complete
• Rule 4: Convincing or Reliable
• Rule 5: Admissible

Definition and Importance of the Five Rules of Evidence:
• The five rules of evidence ensure that evidence is reliable and can withstand scrutiny in legal proceedings. They help guarantee that evidence is presented in a manner that is credible and can be used effectively in court.
• These rules matter in both criminal and civil investigations, to ensure that justice is upheld and that the evidence can be trusted.

Rule 1: Authentic:
• Meaning: the evidence must be shown to be genuine, not fabricated or tampered with, and tied to the incident under investigation. This can be demonstrated through photographs of the scene, the chain-of-custody record, and forensic methods such as hash-verified bit-for-bit copies of digital media.
• Example: a photograph of the crime scene that was not altered or manipulated in any way can be presented as authentic evidence.

Rule 2: Accurate:
• Meaning: the evidence must retain its integrity and not be altered from the time it was collected, so that the data or physical objects are reliable.
• Example: a hard drive image whose hash value matches that of the original drive, confirming that it has not been modified.

Rule 3: Complete:
• Meaning: all relevant parts of the evidence must be presented, including those that may contradict the case. Presenting only part of the evidence undermines the investigation.
• Example: logs from a computer system must be presented in their entirety, not just selectively chosen entries.

Rule 4: Convincing or Reliable:
• Meaning: the evidence must be strong enough to convince judges, juries, or other decision-makers, and must be presented clearly enough to be understood by non-technical people.
• Example: presenting forensic findings in simple terms, making it easy for a jury to grasp the importance of the evidence.

Rule 5: Admissible:
• Meaning: the evidence must be permissible in court. Proper handling and maintaining the chain of custody help ensure admissibility but do not guarantee it; evidence obtained unlawfully (for example, without proper authorization or in breach of privacy law) may be excluded however carefully it was handled.
• Example: ensuring that digital evidence, such as e-mail, is collected in a way that follows legal standards so that it can be presented in court.

• The five rules of evidence (authentic, accurate, complete, convincing/reliable, and admissible) ensure that evidence is reliable, credible, and acceptable in legal proceedings.
• These rules help maintain the integrity of evidence throughout the investigation and trial process.
• Maintaining the chain of custody is critical to meeting these standards.



Investigative Techniques
• Definition of Investigative Techniques
• Media Analysis
• Software Analysis
• Network Analysis

Definition of Investigative Techniques:
• Investigative techniques refer to specialized methods used to analyze data and
  identify evidence during an investigation. These methods focus on uncovering
  information from various digital sources, such as media devices, software, and
  networks, to understand how a security breach or incident occurred.
Media Analysis:
    • Meaning:
        • Media analysis involves examining physical storage devices such as
          hard drives, flash drives, USBs, CDs, and other forms of digital storage.
    • Key Focus:
        • Searching for both existing and deleted files. Even when files are
          deleted, they often remain on the drive, with only the file pointers being
          erased.
    • Example:
        • A hard drive analysis reveals remnants of deleted files, allowing for
          recovery of critical evidence that could provide insight into the
          incident.
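Worked example (added here, not from the original notes): the "deleted files remain on the drive, only the pointers are erased" point is what makes file carving possible. A carver ignores the file system entirely and scans the raw image for known header/footer signatures. The disk image below is constructed inline (a PNG and a JPEG stub surrounded by zeroed and unrelated bytes), so the script runs offline; the signature table covers only those two formats.

```python
"""Signature-based file carving over a raw image (added example)."""
import hashlib

# Header and footer magic bytes for the two formats this example knows about.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def carve(image: bytes, max_size: int = 10_000_000) -> list[dict]:
    """Return every header..footer span found in the image, regardless of any
    file-system metadata. Each hit carries its offset, size and SHA-256 so it can
    be entered into a custody record."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end_marker = image.find(footer, start + len(header))
            if end_marker < 0 or end_marker - start > max_size:
                pos = start + 1          # header without a plausible footer: skip it
                continue
            end = end_marker + len(footer)
            data = image[start:end]
            found.append({
                "type": kind,
                "offset": start,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = end
    return sorted(found, key=lambda r: r["offset"])


def build_sample_image() -> bytes:
    """Constructed image: two 'deleted' files with no directory entries pointing at them."""
    png = SIGNATURES["png"][0] + b"\x00" * 20 + b"IHDR-stub-data" + SIGNATURES["png"][1]
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-stub-data" + SIGNATURES["jpeg"][1]
    return b"\x00" * 512 + png + b"\x00" * 300 + b"unrelated text" + jpg + b"\x00" * 128


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(f"{hit['type']:5} offset={hit['offset']:6} size={hit['size']:4} sha256={hit['sha256'][:16]}...")
```

Real carvers (e.g. those that handle fragmented files or formats without a fixed footer) are considerably more involved, but the recovery principle is the same.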
Software Analysis:
    • Meaning:
        • This technique involves analyzing software, especially malware, to
          understand its functionality, purpose, and origin.
    • Key Focus:
        • Uncovering how malware operates and identifying clues that could
          lead to the source of its creation. Attribution analysis is crucial here to
          determine who may be responsible for the malicious software.
    • Example:
        • Through software analysis, investigators find traces in the code
          indicating the malware was created in a specific region, leading to
          potential attribution.
Network Analysis:
    • Meaning:
        • Network analysis examines how a network was accessed, how it was
          traversed, and which systems were compromised during an incident.
    • Key Focus:
        • Logs from systems and network devices are typically examined to track
          the movement of attackers through the network and uncover potential
          vulnerabilities.
    • Example:
        • Network analysis reveals that an unauthorized user accessed the
          network through an open port and was able to move laterally to other
          systems, eventually breaching sensitive data.

• Investigative techniques such as media analysis, software analysis, and network analysis are
essential tools in digital forensics.
• Each method focuses on different aspects of the investigation: media analysis recovers deleted
data, software analysis decodes malicious software, and network analysis traces the attacker’s
movements through a compromised network.
• All techniques together help to form a comprehensive understanding of the incident and are critical
to securing evidence.



Types of Investigations
• Overview of Investigation Types
• Criminal Investigations
• Civil Investigations
• Regulatory Investigations
• Administrative Investigations

Overview of Investigation Types:
• Different types of investigations are conducted based on the nature of the incident, such
  as criminal activities, civil disputes, regulatory violations, or administrative policy
  breaches.
• These investigations can be initiated by different authorities, including law enforcement,
  regulatory bodies, organizations, or individuals.
Criminal Investigations:
    • Definition:
        • Investigations that deal with crimes, often leading to legal punishment such
          as jail time or criminal records.
    • Driven by:
        • Primarily law enforcement, with potential support from the organization
          where the crime occurred.
    • Example:
        • A hacker breaches a company's systems and steals sensitive customer
          data. Law enforcement takes over the investigation to pursue charges of
          cybercrime.
Civil Investigations:
    • Definition:
        • These involve disputes between individuals or organizations, and the
          outcome typically results in fines or monetary penalties rather than criminal
          sentences.
    • Driven by:
        • The involved organizations, individuals, or their legal representatives.
    • Example:
        • Two companies are involved in a legal dispute over intellectual property,
          and the court assigns financial damages to the losing party.
Regulatory Investigations:
    • Definition:
        • These investigations focus on violations of regulatory requirements
          governing specific industries.
    • Driven by:
        • The relevant regulatory body overseeing the compliance of organizations.
    • Example:
        • A company is investigated by a financial regulatory body for failing to
          comply with anti-money laundering regulations.
Administrative Investigations:
    • Definition:
        • These deal with internal violations of an organization's policies or
          procedures. The focus is on resolving organizational issues without
          involving law enforcement, unless criminal activity is suspected.
    • Driven by:
        • The organization itself.
    • Example:
        • An employee is found to have violated internal data security policies by
          sharing confidential company information with an unauthorized third party.

• Different types of investigations—criminal, civil, regulatory, and administrative—are used to handle
  incidents depending on the severity and nature of the violation.
• Criminal investigations are driven by law enforcement and can lead to legal penalties, civil
investigations focus on monetary damages, regulatory investigations involve oversight bodies, and
administrative investigations deal with internal policy violations.
• Understanding the type of investigation helps determine the appropriate authorities to involve and
the course of action.



Conduct Logging and Monitoring Activities - SIEM
• Definition of SIEM
• Functionality of SIEM Systems
• Benefits of SIEM

Definition of SIEM (Security Information and Event Management):
• SIEM systems aggregate, analyze, and manage logs and events from
  various sources across an organization's network. The goal is to
  provide centralized log management and alerting capabilities to
  support security operations.
Functionality of SIEM Systems:
    • Ingesting Logs:
        • SIEM tools collect logs from diverse sources, such as firewalls,
          routers, switches, IDS/IPS, endpoint security tools, servers,
          and applications.
    • Analyzing Logs:
        • SIEM analyzes these logs for patterns or anomalies that may
          indicate suspicious activities or potential threats.
    • Reporting and Alerts:
        • The system generates reports and real-time alerts on
          important security events, facilitating quick detection and
          response to incidents.
    • Correlation and Centralization:
        • SIEM systems correlate data from different systems to identify
          potential security incidents that may not be apparent when
          viewed in isolation.
Benefits of SIEM:
    • Centralized Monitoring:
        • Provides a single pane of glass for monitoring security events
          across an organization.
    • Real-Time Threat Detection:
        • Helps in the real-time detection of potential security incidents
          by correlating data and providing actionable intelligence.
    • Compliance Support:
        • SIEM systems can assist in regulatory compliance by
          generating reports that demonstrate adherence to security
          standards and requirements.
    • Improved Incident Response:
        • SIEMs allow security teams to investigate and respond to
          incidents more effectively by consolidating relevant data in one
          place.

• SIEM systems play a critical role in security operations by aggregating and analyzing log data from
multiple sources to detect, monitor, and respond to security threats.
• They enable centralized visibility, enhance incident response capabilities, and support compliance
efforts, making them essential for robust security operations.



Understanding SIEM Systems in Security Operations - 1
• Overview of SIEM
• Purpose and Functionality of SIEM
• Key Capabilities of SIEM
• Example Sources of Event Data for SIEM

Overview of SIEM (Security Information and Event Management):
• SIEM systems are used to aggregate, correlate, and analyze logs from various
  devices across an organization to detect potential security incidents. They
  provide centralized management for log data and support incident response
  efforts.
Purpose and Functionality of SIEM:
    • Log Aggregation and Correlation:
        • SIEMs collect logs from disparate devices, standardize the data
          (normalization), and correlate events to find meaningful patterns.
    • Alerting and Reporting:
        • SIEM systems alert security analysts when suspicious activity is
          detected, allowing them to respond to potential incidents in real-
          time.
        • Example: Analyzing login activity from different users to detect if
          they share the same IP address, which could indicate a
          compromised account.
    • Human and Process Integration:
        • Beyond technology, SIEM requires trained personnel to analyze
          alerts effectively and escalation procedures to handle incidents
          appropriately.
Key Capabilities of SIEM:
    1. Aggregation:
        • Brings together logs from multiple sources across an organization
          under a unified platform.
    2. Normalization:
        • Converts logs from different formats (e.g., time/date formats) into a
          standardized format.
    3. Deduplication:
        • Eliminates duplicate events, streamlining analysis and reducing
          redundant data.
    4. Correlation:
        • Identifies relationships between events that may indicate a security
          issue (e.g., multiple failed login attempts followed by a successful
          login).
    5. Secure Storage:
        • Ensures logs are securely stored and read-only to prevent tampering
          or accidental deletion.
    6. Analysis and Reporting:
        • Analyzes events based on programmed rules and reports significant
          incidents for further investigation.
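Worked example (added here; not the notes' own material and not any SIEM product's code): a miniature pipeline that carries constructed authentication events through normalization (two source formats into one schema), deduplication, and correlation for the two patterns mentioned on this page: several failed logins followed by a success, and one source IP used by more than one account. The log lines, hostnames, usernames and addresses are all constructed, and the 3-failures-in-5-minutes threshold is an assumed rule setting.

```python
"""Normalize, deduplicate and correlate authentication events (added example)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed events in two formats: a syslog-style firewall line and a JSON line
# from a directory server. The second line is a deliberate duplicate (forwarded twice).
RAW_LOGS = [
    "Mar 03 2024 09:15:01 fw01 auth: user=alice src=10.0.0.5 result=FAIL",
    "Mar 03 2024 09:15:01 fw01 auth: user=alice src=10.0.0.5 result=FAIL",
    '{"ts": "2024-03-03T09:15:20Z", "host": "dc01", "user": "alice", "src": "10.0.0.5", "outcome": "failure"}',
    '{"ts": "2024-03-03T09:15:41Z", "host": "dc01", "user": "alice", "src": "10.0.0.5", "outcome": "failure"}',
    "Mar 03 2024 09:16:05 fw01 auth: user=alice src=10.0.0.5 result=OK",
    '{"ts": "2024-03-03T09:30:00Z", "host": "dc01", "user": "bob", "src": "10.0.0.5", "outcome": "success"}',
    "Mar 03 2024 11:00:00 fw01 auth: user=carol src=10.0.0.9 result=FAIL",
    "Mar 03 2024 11:40:00 fw01 auth: user=carol src=10.0.0.9 result=OK",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def normalize(line: str):
    """Map either source format onto one schema with a timezone-aware UTC timestamp."""
    line = line.strip()
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        outcome = "success" if d["outcome"] == "success" else "failure"
        return {"ts": ts, "host": d["host"], "user": d["user"], "src": d["src"], "outcome": outcome}
    m = SYSLOG_RE.match(line)
    if not m:
        return None                                   # unknown format: dropped (count these in production)
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    outcome = "success" if m["result"] == "OK" else "failure"
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "outcome": outcome}


def deduplicate(events):
    seen, out = set(), []
    for e in events:
        key = (e["ts"], e["host"], e["user"], e["src"], e["outcome"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    alerts = []
    # Rule 1: at least `min_failures` failures for a user within `window` before a success.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent_failures = [x for x in evs[:i]
                               if x["outcome"] == "failure" and e["ts"] - x["ts"] <= window]
            if len(recent_failures) >= min_failures:
                alerts.append({"rule": "failures_then_success", "user": user,
                               "src": e["src"], "count": len(recent_failures)})
    # Rule 2: one source address logging in successfully as more than one account.
    users_by_src = defaultdict(set)
    for e in events:
        if e["outcome"] == "success":
            users_by_src[e["src"]].add(e["user"])
    for src, users in users_by_src.items():
        if len(users) > 1:
            alerts.append({"rule": "shared_source_ip", "src": src, "users": sorted(users)})
    return alerts


def run_pipeline(raw_lines):
    events = [e for e in (normalize(line) for line in raw_lines) if e]
    events = deduplicate(events)
    return events, correlate(events)


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(events)} events after deduplication")
    for a in alerts:
        print(a)
```

Note what deduplication does to the correlation: without it the forwarded-twice line would count as two failures and inflate the count, which is one reason the capabilities on this page are listed in that order.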



Understanding SIEM Systems in Security Operations - 2
• Overview of SIEM
• Purpose and Functionality of SIEM
• Key Capabilities of SIEM
• Example Sources of Event Data for SIEM

Example Sources of Event Data for SIEM:
    • Security Appliances:
        • Firewalls, antivirus, and data loss prevention (DLP) tools.
    • Network Devices:
        • Routers, switches, and load balancers.
    • Applications and Servers:
        • Logs from critical applications and servers.
    • Operating Systems:
        • Logs from Windows, Linux, and other OS.
    • Intrusion Prevention and Detection Systems (IPS/IDS):
        • Logs related to intrusion attempts and suspicious traffic patterns.

• SIEM systems are integral to security operations, allowing organizations to collect, normalize, and
correlate logs from multiple sources to detect security incidents.
• Key functionalities like aggregation, secure storage, and correlation enable faster threat detection,
real-time alerts, and support for compliance requirements.



Understanding Threat Intelligence in Security Operations
• Definition of Threat Intelligence
• Purpose of Threat Intelligence in Security
• Threat Intelligence Sources
• Threat Intelligence in SIEM Systems

Definition of Threat Intelligence:
• Threat intelligence involves the research, analysis, and tracking of threat
  trends to help organizations proactively identify and respond to security
  risks.
• It provides insights into potential threats that an organization might face,
  allowing security teams to anticipate and prepare.
Purpose of Threat Intelligence in Security:
• Enhances the ability of security teams to recognize and respond to
  emerging threats by providing relevant, timely information on potential
  vulnerabilities and threat actors.
• Helps organizations move from reactive to proactive defense,
  strengthening their digital security posture.
Threat Intelligence Sources:
    1. Vendor Trend Reports:
        • Reports published by security vendors detailing recent and
          significant threats, common attack methods, and known
          vulnerabilities.
    2. Public Sector Reports (e.g., US-CERT):
        • Provides critical alerts and detailed guidance for handling and
          mitigating current threats, particularly for infrastructure and
          public sectors.
    3. Information Sharing and Analysis Centers (ISACs):
        • ISACs are sector-specific hubs where organizations can share
          threat data and insights (e.g., Financial Services ISAC,
          Healthcare ISAC).
    4. Other Sources:
        • Includes open-source threat intelligence platforms, government
          advisories, and commercial threat feeds.
Threat Intelligence in SIEM Systems:
• Many SIEM solutions offer threat intelligence subscriptions to integrate
  external threat data, adding enhanced detection and alerting capabilities.
• Allows SIEMs to correlate internal events with known threat data, helping
  to identify suspicious activity more accurately.
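Worked example (added here, not part of the original notes): what "correlate internal events with known threat data" looks like at the smallest scale. A feed of indicators (IP, domain, file hash) is indexed, expired and low-confidence indicators are excluded, and normalized internal events are looked up against it. Both the feed and the events are constructed for this example; the addresses are from documentation ranges and the hash is computed from a constructed byte string. The `min_confidence` cut-off and the `valid_until` field are assumed feed conventions, not any particular vendor's format.

```python
"""Match internal events against a threat-intelligence feed (added example)."""
import hashlib
from datetime import datetime, timezone

# Constructed file hash so the feed and the event can refer to the same value.
SAMPLE_HASH = hashlib.sha256(b"constructed-sample-binary").hexdigest()

# Constructed feed: not from any real vendor, ISAC or public-sector source.
THREAT_FEED = [
    {"type": "ipv4", "value": "203.0.113.77", "confidence": 90, "valid_until": "2024-12-31", "source": "isac-sample"},
    {"type": "domain", "value": "update-check.example", "confidence": 60, "valid_until": "2024-06-30", "source": "vendor-sample"},
    {"type": "sha256", "value": SAMPLE_HASH, "confidence": 95, "valid_until": "2024-12-31", "source": "osint-sample"},
    {"type": "ipv4", "value": "198.51.100.5", "confidence": 80, "valid_until": "2023-01-01", "source": "osint-sample"},   # expired
    {"type": "domain", "value": "low-conf.example", "confidence": 20, "valid_until": "2024-12-31", "source": "osint-sample"},
]

# Constructed, already-normalized internal events.
EVENTS = [
    {"ts": "2024-03-04T10:00:00Z", "host": "ws-17", "dst_ip": "203.0.113.77"},
    {"ts": "2024-03-04T10:02:00Z", "host": "ws-22", "dst_ip": "192.0.2.10", "domain": "Update-Check.example"},
    {"ts": "2024-03-04T10:05:00Z", "host": "ws-05", "dst_ip": "198.51.100.5"},
    {"ts": "2024-03-04T10:07:00Z", "host": "srv-01", "sha256": SAMPLE_HASH},
    {"ts": "2024-03-04T10:09:00Z", "host": "ws-30", "domain": "low-conf.example"},
]

# Which event field each indicator type is compared against.
FIELD_FOR_TYPE = (("ipv4", "dst_ip"), ("domain", "domain"), ("sha256", "sha256"))


def build_index(feed, now):
    """Index live indicators by (type, lowercased value); drop expired ones."""
    index = {}
    for ioc in feed:
        expiry = datetime.fromisoformat(ioc["valid_until"]).replace(tzinfo=timezone.utc)
        if expiry < now:
            continue
        index[(ioc["type"], ioc["value"].lower())] = ioc
    return index


def match_events(events, feed=THREAT_FEED, now=None, min_confidence=50):
    """Return hits sorted by indicator confidence, highest first."""
    now = now or datetime.now(timezone.utc)
    index = build_index(feed, now)
    hits = []
    for ev in events:
        for ioc_type, field in FIELD_FOR_TYPE:
            value = ev.get(field)
            if not value:
                continue
            ioc = index.get((ioc_type, value.lower()))
            if ioc is None or ioc["confidence"] < min_confidence:
                continue
            hits.append({"host": ev["host"], "ts": ev["ts"], "type": ioc_type,
                         "indicator": ioc["value"], "confidence": ioc["confidence"],
                         "source": ioc["source"]})
    return sorted(hits, key=lambda h: -h["confidence"])


if __name__ == "__main__":
    for hit in match_events(EVENTS, now=datetime(2024, 3, 4, tzinfo=timezone.utc)):
        print(hit)
```

Expiry and confidence handling are the parts worth copying: a feed that is never aged out produces alerts on addresses that were re-assigned long ago, which is one of the main sources of SIEM false positives from threat intelligence.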

• Threat intelligence is a critical component of an organization's cybersecurity strategy, enabling
  proactive identification and response to threats.
• It provides actionable insights that can be integrated into SIEM systems, enhancing real-time
detection and allowing for a more proactive approach to security by leveraging insights from both
commercial and public sources.



Understanding User and Entity Behavior Analytics (UEBA)
• Definition of UEBA
• Core Functionality of UEBA
• Application and Use Cases of UEBA
• Benefits of UEBA in Cybersecurity

Definition of UEBA:
• UEBA, short for User and Entity Behavior Analytics, focuses on
  analyzing the behavior patterns of users and system entities (devices,
  networks, etc.).
• It uses machine learning to establish baseline behaviors for each user
  and entity, allowing for the detection of deviations from normal
  activity.
Core Functionality of UEBA:
• Behavior Monitoring: Tracks patterns and trends in user and system
  entity actions.
• Data Correlation and Analysis: Logs data, correlates relevant
  patterns, and analyzes deviations.
• Alert Triggering: Sends alerts when behavior deviates significantly
  from established baselines, indicating potential risks.
Application and Use Cases of UEBA:
    1. Insider Threats:
        • UEBA helps detect unusual activities from internal users,
          such as unauthorized data access or privilege misuse.
    2. Hacked Privileged Accounts:
        • Monitors for abnormal actions performed by privileged
          accounts, indicating a potential compromise.
    3. Brute-Force Attacks:
        • Identifies patterns of repeated access attempts and login
          failures as indicators of brute-force attacks.
    4. General Anomaly Detection:
        • UEBA's machine learning models allow it to identify patterns
          that may signal a security breach before it escalates.
Benefits of UEBA in Cybersecurity:
• Proactive Detection: Identifies suspicious behavior proactively,
  providing security teams with alerts before a breach progresses.
• Machine Learning Advantage: ML-based analysis allows for dynamic
  and precise detection of anomalies without requiring predefined
  rules.
• Enhanced Response to Advanced Threats: UEBA is particularly
  effective against sophisticated attacks, as it adapts to the unique
  baseline of each user/entity.
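Worked example (added here, not from the original notes): the baseline-and-deviation idea behind UEBA, reduced to a statistical model that can be read in full. For each user a baseline is built from constructed history (daily download volume and the devices used); today's observation is scored as a z-score against that baseline, a device never seen before is flagged, and a user with too little history is reported as having no baseline rather than being silently passed. Production UEBA uses richer features and learned models, and the history, users, devices and thresholds below are all assumptions made for the example.

```python
"""Per-user behavioural baseline and deviation findings (added example)."""
import statistics

MIN_HISTORY = 5     # days of history required before a baseline is trusted
Z_THRESHOLD = 3.0   # volume this many standard deviations above the mean is an anomaly

# Constructed history: one record per day with download volume (MB) and device used.
HISTORY = {
    "alice": [{"mb": v, "device": "lt-alice"} for v in (120, 130, 125, 140, 135, 128, 132)],
    "bob":   [{"mb": v, "device": "lt-bob"} for v in (40, 45, 50, 42, 48, 44, 46)],
    "carol": [{"mb": v, "device": "lt-carol"} for v in (55, 60, 58, 62, 57, 61, 59)],
}

# Constructed observations for the day being analysed.
TODAY = {
    "alice": {"mb": 900, "device": "lt-alice"},   # usual device, ~7x her normal volume
    "bob":   {"mb": 47, "device": "lt-bob"},      # entirely normal
    "carol": {"mb": 60, "device": "kiosk-3"},     # normal volume, never-seen device
    "dave":  {"mb": 500, "device": "lt-dave"},    # no history at all
}


def build_baseline(records):
    volumes = [r["mb"] for r in records]
    return {
        "mean": statistics.mean(volumes),
        "std": statistics.pstdev(volumes),
        "devices": {r["device"] for r in records},
        "days": len(records),
    }


def z_score(value, baseline):
    std = baseline["std"] or 1e-9      # guard against a perfectly constant history
    return (value - baseline["mean"]) / std


def analyze(history=HISTORY, today=TODAY):
    """Return {user: [finding, ...]}; an empty list means nothing deviated."""
    findings = {}
    for user, obs in today.items():
        user_findings = []
        records = history.get(user, [])
        if len(records) < MIN_HISTORY:
            user_findings.append({"reason": "no_baseline",
                                  "detail": f"only {len(records)} days of history"})
            findings[user] = user_findings
            continue
        base = build_baseline(records)
        z = z_score(obs["mb"], base)
        if z > Z_THRESHOLD:
            user_findings.append({"reason": "volume_anomaly", "z": round(z, 1),
                                  "detail": f"{obs['mb']} MB vs mean {base['mean']:.1f} MB"})
        if obs["device"] not in base["devices"]:
            user_findings.append({"reason": "new_device", "detail": obs["device"]})
        findings[user] = user_findings
    return findings


if __name__ == "__main__":
    for user, items in analyze().items():
        print(user, items or "no findings")
```

The "no baseline" outcome matters operationally: new accounts and newly on-boarded devices are exactly where an attacker's activity has nothing to be compared against, so they need a separate review path rather than the absence of an alert.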

• UEBA enhances an organization's cybersecurity defenses by using machine learning to establish
  behavioral baselines for users and entities.
• Deviations from these baselines trigger alerts, enabling timely detection of insider threats,
compromised accounts, and other advanced attacks.
• This predictive and adaptive capability provides a proactive layer of security in identifying and
mitigating potential risks.



Continuous Monitoring in Security Operations
• Definition of Continuous Monitoring
• Importance of Continuous Monitoring
• Key Components of Effective Continuous Monitoring
• Role of SIEM in Continuous Monitoring

Definition of Continuous Monitoring:
• Continuous Monitoring refers to the ongoing, proactive monitoring of
  systems, networks, and environments to detect, analyze, and respond
  to potential security threats in real time.
Importance of Continuous Monitoring:
• Threat Detection: Enables organizations to identify potential threats
  quickly, reducing response time.
• Compliance Maintenance: Ensures compliance with regulatory
  standards by maintaining visibility into security controls.
• Adaptation to Changes: Allows rapid detection and adaptation to
  changes in the environment, such as new vulnerabilities or emerging
  threats.
Key Components of Effective Continuous Monitoring:
    1. Technology:
        • Technology like a SIEM system is essential for gathering,
          aggregating, and analyzing log data across systems.
    2. Processes:
        • Regular updates, configurations, and tuning are necessary to
          keep the monitoring system aligned with evolving security needs.
    3. People:
        • Skilled personnel are required to interpret data, recognize true
          threats, and determine escalation procedures for response.
Role of SIEM in Continuous Monitoring:
• A SIEM, once set up and tuned, plays a pivotal role in the continuous
  monitoring process by:
    • Aggregating Logs: Collecting logs from various sources
      for unified analysis.
    • Correlating Events: Detecting patterns across events
      that may indicate a potential attack.
    • Generating Alerts: Promptly alerting security personnel
      when suspicious activities are detected.
    • Supporting Compliance: Enabling continuous
      monitoring for compliance requirements, including
      record-keeping and audit readiness.

• Continuous Monitoring is essential for maintaining a strong security posture. It integrates
  technology, processes, and people to detect, assess, and respond to potential security risks.
• SIEM systems form the backbone of continuous monitoring, centralizing data for real-time threat
  detection and helping organizations adapt to evolving cyber threats.



Continuous Monitoring Concept and Value in Organizations
• Definition and Purpose of Continuous Monitoring
• Key Components of Continuous Monitoring
• Importance of Continuous Monitoring for a SIEM System
• Value of Continuous Monitoring to an Organization

Purpose of Continuous Monitoring:
• Continuous Monitoring is a security approach involving the ongoing,
  real-time review of an organization's IT environment to identify and
  respond to security threats before they can impact the organization
  significantly. It's not a one-time setup; it requires ongoing attention
  and updates.
Key Components of Continuous Monitoring:
    1. Threat Adaptation:
        • Constantly adjusts to a dynamic threat environment, with
          new threats and vulnerabilities emerging regularly.
    2. Asset Management:
        • Tracks and updates changes in the organization's assets,
          ensuring new assets are covered and monitored.
    3. Rule Configuration:
        • Establishes new monitoring rules in response to identified
          threats, requiring continuous configuration.
    4. Balancing Alerts:
        • Manages false-positives and false-negatives, refining
          monitoring to focus on actionable alerts.
Importance of Continuous Monitoring for a SIEM System:
• Initial Setup: While the SIEM setup process can take months to
  complete due to complexities, the work doesn't stop once it's
  operational. Regular updates and monitoring are essential for
  optimal functioning.
• Ongoing Adjustments: To maintain effectiveness, the SIEM must
  evolve with the organization's needs, adapting to updated rules,
  tuning to prevent alert fatigue, and refining to ensure alerts are
  meaningful and timely.
Value of Continuous Monitoring to an Organization:
• Proactive Threat Mitigation: Identifies and responds to threats
  quickly, minimizing damage before a breach escalates.
• Regulatory Compliance: Helps in meeting and maintaining
  compliance standards through continuous visibility into security
  posture.
• Operational Efficiency: Maintains a balance between necessary
  alerts and operational efficiency, reducing unnecessary distractions
  and focusing on real threats.

• Continuous Monitoring provides significant value to organizations by offering real-time threat
  detection and response.
• It ensures that a SIEM system is continuously updated to address new vulnerabilities, adapt to
changes in assets, and refine alerting mechanisms.
• This proactive approach not only safeguards the organization but also supports regulatory
compliance and operational resilience.



Security Orchestration, Automation, and Response (SOAR)
• Definition and Purpose of SOAR
• Key Focus Areas of SOAR
• SOAR Integration and Automation Capabilities
• Benefits of SOAR for SOC Operations

Definition and Purpose of SOAR:
• SOAR (Security Orchestration, Automation, and Response) is a suite of
  tools and technologies that collect and analyze data from various
  sources, such as SIEM systems, devices, emails, and manual inputs.
  Its primary role is to apply predefined rules and workflows based on an
  organization's security procedures to manage threats effectively.
Key Focus Areas of SOAR:
    1. Threat and Vulnerability Management:
        • Manages and prioritizes vulnerabilities within the
          organization's assets, ensuring quick response to emerging
          threats.
    2. Incident Response:
        • Automates and streamlines the response process for
          incidents, ensuring quick detection, response, and resolution
          of security events.
    3. Security Operations Automation:
        • Automates repetitive security tasks and processes, reducing
          the workload for SOC analysts and allowing them to focus on
          higher-priority tasks.
SOAR Integration and Automation Capabilities:
• SOAR tools are designed to integrate with other security technologies,
  providing a unified approach to security management.
• Automation: SOAR uses automated workflows and responses based
  on established policies, which enable quicker and more consistent
  incident handling.
• Machine Learning: Employs machine learning to assist with threat
  detection and to improve SOC efficiency, helping security teams
  continuously enhance their response tactics.
Benefits of SOAR for SOC Operations:
• Enhanced Visibility: Consolidates data from different security
  systems, giving SOC teams a clearer picture of the security landscape.
• Streamlined Incident Response: By automating response workflows,
  SOAR reduces response time for incidents, improving organizational
  resilience.
• Consistent Threat Management: Automated workflows ensure
  threats are managed in a standardized and effective manner across
  the organization.
• Data Analytics and Reporting: Offers built-in analytics for data-driven
  decision-making and creates detailed reports for compliance and
  security posture improvement.

• SOAR combines compatible technologies to streamline threat management, incident response, and
operational automation.
• By consolidating data from diverse sources, automating workflows, and leveraging machine learning,
SOAR enhances SOC capabilities, improves incident response times, and enables more efficient and
consistent security operations.



Configuration Management (CM)
• Definition and Importance of Configuration Management (CM)
• Key Elements of CM: Provisioning, Baselining, and Automation
• CM Lifecycle and Processes
• Benefits of Effective CM

Definition and Importance of Configuration Management (CM):
• Configuration Management is the systematic approach to handling changes in an
  organization's systems and software. CM ensures that assets are provisioned,
  configured, tracked, and maintained in a consistent and secure state to support security
  and operational goals.
• Importance: CM helps prevent configuration drift, minimizes vulnerabilities, and ensures
  that all systems comply with organizational standards and baselines.
Key Elements of CM:
    1. Provisioning:
        • Definition: Provisioning involves setting up and configuring resources (like
          servers, applications, and network devices) based on specific requirements.
        • Example: When a new server is added, provisioning includes installing
          software, applying security patches, and ensuring it meets baseline
          standards.
    2. Baselining:
        • Definition: Baselining is creating a standard configuration for systems and
          applications, defining the security and performance parameters each asset
          must meet.
        • Example: Establishing a baseline for a server OS that includes approved
          software, specific configurations, and security settings. Baselines act as
          reference points for compliance and change management.
    3. Automation:
        • Definition: Automation within CM involves using tools and scripts to apply
          configurations, manage updates, and track changes consistently and with
          minimal human intervention.
        • Example: Automated patch management tools update systems as per the
          baseline requirements, reducing the chances of human error and ensuring
          consistency.
CM Lifecycle and Processes:
• Establish Baselines: Identify and set configurations and standards for systems and
  assets.
• Provision Assets: Deploy systems and apply baseline configurations.
• Monitor Changes: Continuously monitor systems to detect deviations from the baseline.
• Update and Maintain: Apply updates and make necessary configuration adjustments to
  maintain compliance with security policies.
• Audit and Document: Regularly audit systems against the baseline and maintain
  documentation to track changes over time.
Benefits of Effective CM:
• Improved Security: Consistent configurations reduce vulnerabilities and make it easier
  to detect unauthorized changes.
• Operational Efficiency: Automation and standard baselines streamline the deployment,
  maintenance, and troubleshooting of systems.
• Compliance: Maintains alignment with industry regulations and organizational policies,
  ensuring all systems meet required security and operational standards.
• Reduced Downtime: Standardized configurations help prevent compatibility issues and
  configuration drift that could cause system failures.

• Configuration Management is a structured approach that includes provisioning, baselining, and
  automation to ensure systems are deployed, configured, and maintained consistently.
• Effective CM improves security, operational efficiency, and compliance, with baseline standards and
automation playing key roles in minimizing human error and enhancing system reliability.



Asset Inventory in Configuration Management
• Definition and Role of Asset Inventory
• Provisioning and Secure Deployment
• Asset Inventory Database
• Asset Management Life Cycle

Definition and Role of Asset Inventory:
• An asset inventory is a comprehensive list of all hardware, software,
  and devices within an organization. It serves as a foundational
  component of Configuration Management (CM) to maintain oversight
  of the organization's assets.
• Purpose: Helps in tracking, maintaining, and securing assets,
  forming a critical part of managing the organization's attack surface
  by identifying all points that could potentially be targeted by
  attackers.
Provisioning and Secure Deployment:
• Provisioning: Refers to the deployment and setup of assets within
  the organization, including configuring them for secure use.
• Secure Deployment: When provisioning assets (like firewalls,
  routers, or software), security best practices such as changing
  default settings and applying system hardening measures are
  essential to prevent vulnerabilities.
    • Example: Deploying a new firewall without the vendor's
      default credentials and applying strict access control
      configurations aligned with the organization's baseline.
Asset Inventory Database:
• The database should be updated each time an asset is added or
  removed to ensure the inventory remains current.
• Importance: A current asset inventory helps track asset ownership,
  status, and condition, facilitating timely patching, scanning, and
  configuration compliance.
    • Example: When new software is installed, the asset
      database should reflect its version, deployment date, and
      responsible owner for oversight.
Asset Management Life Cycle:
• Planning and Procurement: Identifying and planning what assets
  are needed, followed by procurement.
• Secure Provisioning: Deploying the assets while ensuring they are
  configured according to security policies.
• Management and Maintenance: Regular updates, patches, and
  audits to maintain compliance with security standards.
• Disposal or Decommissioning: Removing assets securely when
  they are no longer needed, with updates to the asset inventory to
  reflect changes.

• An asset inventory is essential for tracking organizational assets and reducing vulnerabilities by
maintaining control over all hardware and software.
• Secure provisioning during asset deployment, coupled with an up-to-date inventory database,
supports asset management, providing visibility, accountability, and regular maintenance
throughout the asset life cycle.



Configuration Management
• Definition and Role of Configuration Management
• Importance of Baselines, Policies, and Standards
• Role of Hardening in Configuration Management
• Automation in Provisioning
• Key Steps in Configuration Management

Definition and Role of Configuration Management:
• Configuration management ensures devices and software are
  configured correctly from the moment of deployment to maintain
  security and functionality standards.
• Purpose: Helps achieve a secure, stable environment by enforcing
  standard configurations across all devices, reducing potential
  vulnerabilities from misconfigurations.
Importance of Baselines, Policies, and Standards:
• Baselines, policies, and standards guide configuration
  management by establishing the expected settings for each type of
  asset.
• These guidelines ensure that configurations align with the
  organization's security goals and regulatory requirements.
    • Example: A baseline configuration for a server might specify
      firewall settings, active protocols, and password policies.
Role of Hardening in Configuration Management:
• Hardening removes unnecessary services and features from
  devices, minimizing the attack surface.
• Objective: Reduces the risk of exploitation by limiting functions to
  only what is required for operational purposes.
    • Example: Disabling unused ports and services on network
      devices as part of the deployment process.
Automation in Provisioning:
• Automated provisioning tools support consistency in configurations,
  especially in larger environments, reducing human error and saving
  time.
• Benefits: Automation ensures uniformity in device settings across
  the network and enables quick, reliable deployment.
    • Example: Automated scripts for setting up new devices with
      baseline security configurations and updates.
Key Steps in Configuration Management:
    1. Identify assets to control: Track each hardware and software
       asset under management.
    2. Configure assets: Apply baseline configurations and hardening
       measures.
    3. Document configuration: Record settings for reference, audits,
       and troubleshooting.
    4. Verify configuration: Use tools like credentialed vulnerability
       scans to confirm compliance with configurations.
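Worked example (added here; not the notes' own material) covering the "verify configuration" step on this page together with the asset-inventory page before it: each inventory record is checked against the baseline for its asset class, reporting configuration drift, services that the hardening baseline does not allow, assets with no recorded owner, and asset classes for which no baseline exists at all. The baseline keys, asset identifiers and "observed" values are constructed stand-ins for what a credentialed scan would return; the rule that a `min_length` setting is compliant when it meets or exceeds the baseline is an assumption made for the example.

```python
"""Baseline drift check over an asset inventory (added example)."""

# Constructed baseline for one asset class. Setting names are hypothetical.
BASELINES = {
    "linux-server": {
        "settings": {
            "ssh.PermitRootLogin": "no",
            "ssh.PasswordAuthentication": "no",
            "firewall.enabled": "yes",
            "password.min_length": 14,
        },
        # Hardening baseline: any other running service is a finding.
        "allowed_services": {"sshd", "nginx", "rsyslog"},
    },
}

# Constructed inventory records. "observed" stands in for credentialed-scan output.
INVENTORY = [
    {"id": "srv-01", "class": "linux-server", "owner": "platform-team", "version": "ubuntu-22.04",
     "observed": {"settings": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
                               "firewall.enabled": "yes", "password.min_length": 16},
                  "services": {"sshd", "nginx", "rsyslog"}}},
    {"id": "srv-02", "class": "linux-server", "owner": None, "version": "ubuntu-20.04",
     "observed": {"settings": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
                               "firewall.enabled": "yes", "password.min_length": 8},
                  "services": {"sshd", "telnetd", "nginx"}}},
    {"id": "cam-07", "class": "ip-camera", "owner": "facilities", "version": "fw-1.2",
     "observed": {"settings": {}, "services": {"http", "rtsp"}}},
]


def _compliant(key, expected, observed):
    """Numeric minimums may be exceeded; everything else must match exactly."""
    if key.endswith("min_length"):
        return observed >= expected
    return observed == expected


def check_asset(asset, baselines=BASELINES):
    """Return a list of findings for one asset; an empty list means compliant."""
    findings = []
    if not asset.get("owner"):
        findings.append({"kind": "no_owner", "detail": "no responsible owner recorded"})
    baseline = baselines.get(asset["class"])
    if baseline is None:
        findings.append({"kind": "no_baseline",
                         "detail": f"no baseline defined for class {asset['class']}"})
        return findings
    observed = asset["observed"]["settings"]
    for key, expected in baseline["settings"].items():
        if key not in observed:
            findings.append({"kind": "missing_setting", "detail": key})
        elif not _compliant(key, expected, observed[key]):
            findings.append({"kind": "drift",
                             "detail": f"{key}: expected {expected!r}, found {observed[key]!r}"})
    for svc in sorted(asset["observed"]["services"] - baseline["allowed_services"]):
        findings.append({"kind": "unapproved_service", "detail": svc})
    return findings


def check_inventory(inventory=INVENTORY, baselines=BASELINES):
    return {asset["id"]: check_asset(asset, baselines) for asset in inventory}


if __name__ == "__main__":
    for asset_id, findings in check_inventory().items():
        print(asset_id, "OK" if not findings else "")
        for f in findings:
            print(f"    {f['kind']}: {f['detail']}")
```

The `no_baseline` finding is deliberate: an asset class that is inventoried but has no baseline cannot be verified at all, which is a gap in the programme rather than a pass.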

• Configuration management enforces standardized, secure settings across devices, supported by
  baselines, policies, and hardening practices.
• Automation enhances consistency and efficiency, especially in large environments.
• Documentation and periodic reviews of configurations ensure ongoing alignment with security
policies, reducing the risk of misconfigurations.



Foundational Security Operations Concepts
• Need to Know / Least Privilege
• Separation of Duties (SoD)
• Privileged Account Management (PAM)
• Job Rotation
• Service Level Agreements (SLA)

Need to Know / Least Privilege:
• Definition: Users are given the minimum level of access necessary to
  perform their tasks.
• Objective: Limits data exposure and reduces security risks by ensuring
  users cannot access information beyond their scope of work.
    • Example: An employee in HR might have access to payroll data
      but not sensitive IT infrastructure details.
Separation of Duties (SoD):
• Definition: Critical tasks are divided among multiple individuals to
  prevent fraud, errors, and conflicts of interest.
• Objective: Reduces the risk of abuse of power or authority by
  distributing roles and responsibilities.
    • Example: In financial transactions, one employee initiates the
      payment, while another approves it.
Privileged Account Management (PAM):
• Definition: Controls access to highly privileged accounts with special
  rights or access within systems.
• Objective: Ensures sensitive accounts are monitored and accessed
  securely, reducing the risk of misuse.
    • Example: Administrative accounts with access to core servers
      are only accessible to authorized personnel with multi-factor
      authentication.
Job Rotation:
• Definition: Regularly rotating employees through different roles to
  expose them to various functions and responsibilities.
• Objective: Reduces fraud by preventing employees from having
  prolonged control over sensitive areas, encouraging cross-training.
    • Example: IT staff may rotate between support, operations, and
      cybersecurity teams periodically.
Service Level Agreements (SLA):
• Definition: Formal agreements outlining expected service levels
  between service providers and clients.
• Objective: Establishes measurable performance standards,
  responsibilities, and penalties for non-compliance.
    • Example: An SLA with a cloud provider might stipulate a 99.9%
      uptime guarantee and response times for critical issues.

• Foundational security operations concepts enforce secure, structured, and monitored access within
organizations.
• Principles like need to know, least privilege, and separation of duties prevent unauthorized data
access and misuse.
• PAM focuses on protecting privileged accounts, while job rotation helps deter fraud.
• SLAs formalize expectations between parties, enhancing accountability and service standards.

Foundational Security Operations Concepts
• Privileged Account Management (PAM)
• Need to Know vs. Least Privilege
• Job Rotation
• Service Level Agreements (SLAs)

Privileged Account Management (PAM):
• Definition: PAM involves securing and monitoring accounts that have extensive system access, like "root" or "admin" accounts.
• Key Measures:
  • Restricted Access: Limited only to users who need high-level system control for specific tasks.
  • Dual Accounts: Personnel have regular user accounts and separate privileged accounts.
  • Multifactor Authentication (MFA): Privileged accounts must require MFA for added security.
  • Increased Monitoring: Activities performed with privileged accounts should be logged and monitored in detail.
• Example: An IT admin has a regular user account for daily tasks and a separate privileged account used strictly for system maintenance.
Need to Know vs. Least Privilege:
• Need to Know: Restricts a user’s knowledge or access to only the data necessary for their role.
  • Example: An HR employee can access employee records but cannot view financial data.
• Least Privilege: Limits a user’s actions and privileges to those required for their specific duties.
  • Example: A network technician can view network configurations but cannot make system-wide changes.
Job Rotation:
• Definition: Periodically rotating employees through different roles to prevent prolonged control over sensitive functions.
• Benefits:
  • Fraud Deterrence: Reduces opportunity for fraudulent behavior.
  • Process Verification: Ensures transparency and process checks.
  • Cross-Training: Prepares employees to cover multiple roles, preventing single points of failure.
• Example: Employees in finance rotate through different audit functions every six months.
Service Level Agreements (SLAs):
• Definition: Legal contracts between a customer and vendor detailing performance standards, response times, and other agreed-upon operational specifics.
• Key Elements:
  • Response Times: Define time frames for specific incident responses.
  • Performance Standards: Set benchmarks for acceptable service quality and availability.
• Example: A cloud service provider agrees in an SLA to address critical incidents within one hour.

• Foundational security concepts—PAM, need to know, least privilege, job rotation, and SLAs—enhance security within an organization.
• PAM restricts and monitors high-access accounts to prevent misuse.
• Need to know and least privilege principles ensure access and actions are limited to job-specific requirements, reducing exposure risk.
• Job rotation minimizes fraud potential and encourages skill development.
• SLAs provide structured agreements, establishing expectations for service quality and response.
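The three access controls covered on this and the preceding page (least privilege, separation of duties in the payment example, and the PAM rule of a separate privileged account with MFA) enforced together in code, as an added example that is not from the original notes. The role names, permission strings, users and the payment workflow are constructed for illustration.

```python
"""Least privilege, separation of duties (SoD) and privileged-account checks.

Added example, not from the original notes: roles, permission names, users and
the payment workflow are constructed. The rules enforced are:
  - least privilege: a user may only perform actions granted by their roles
  - SoD: the person who initiates a payment cannot be the one who approves it
  - PAM: configuration changes need the separate privileged account plus MFA
"""
from dataclasses import dataclass
from typing import Optional, Set

# Each role carries only the permissions its duties require (constructed).
ROLE_PERMISSIONS = {
    "hr_clerk":         {"read_employee_records"},
    "payments_clerk":   {"initiate_payment"},
    "payments_manager": {"approve_payment"},
    "sysadmin":         {"read_network_config", "change_system_config"},
}

PRIVILEGED_ACTIONS = {"change_system_config"}   # require the admin account + MFA


class NotAuthorized(Exception):
    """Action not covered by the user's roles (least privilege)."""


class SoDViolation(Exception):
    """Same person on both sides of a two-person control."""


@dataclass
class User:
    name: str
    roles: Set[str]
    privileged: bool = False     # True only for the separate admin account
    mfa_verified: bool = False   # MFA completed for this session


@dataclass
class Payment:
    amount: int
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None


def permissions(user: User) -> Set[str]:
    """Union of the permissions of all roles held by the user."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: User, action: str) -> bool:
    """Least-privilege check, plus the PAM rule for privileged actions."""
    if action not in permissions(user):
        return False
    if action in PRIVILEGED_ACTIONS and not (user.privileged and user.mfa_verified):
        return False
    return True


def initiate_payment(payment: Payment, user: User) -> Payment:
    if not is_allowed(user, "initiate_payment"):
        raise NotAuthorized(f"{user.name} cannot initiate payments")
    payment.initiated_by = user.name
    return payment


def approve_payment(payment: Payment, user: User) -> Payment:
    if not is_allowed(user, "approve_payment"):
        raise NotAuthorized(f"{user.name} cannot approve payments")
    if payment.initiated_by is None:
        raise ValueError("payment has not been initiated")
    # SoD: holding both permissions is not enough; the approver must be a
    # different person from the initiator.
    if user.name == payment.initiated_by:
        raise SoDViolation(f"{user.name} cannot approve a payment they initiated")
    payment.approved_by = user.name
    return payment


if __name__ == "__main__":
    alice = User("alice", {"payments_clerk"})
    bob = User("bob", {"payments_manager"})
    carol = User("carol", {"payments_clerk", "payments_manager"})
    print("approved:", approve_payment(initiate_payment(Payment(500), alice), bob))
    try:
        approve_payment(initiate_payment(Payment(900), carol), carol)
    except SoDViolation as e:
        print("blocked:", e)
```

The distinction the code makes explicit: carol holds both permissions, so least privilege alone would let her approve her own payment; separation of duties is a separate check on who, not on what. Likewise dave's normal account passes least privilege for configuration changes but is refused until the privileged account with MFA is used.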

Resource Protection Techniques
• Media Management
• Mean Time Between Failure (MTBF)
• Media Types
• Key Media Management Considerations
• Media Protection Techniques
• Hardware and Software Asset Management

Media Management:
• Importance of Data Protection: Critical to ensure data remains accessible and secure over time, given its role as a valuable asset for organizations.
• Long-term Data Storage: Different media types are chosen based on storage needs, portability, and data retention requirements. Media must often be refreshed or transferred to new formats over time.
Mean Time Between Failure (MTBF):
• Definition: MTBF is a criterion for evaluating the durability and lifespan of storage media.
• Consideration: When storing valuable data, organizations should assess the reliability of storage media, keeping MTBF in mind for data requiring long-term retention.
Media Types:
• Variety of Media: Includes paper, microforms (microfilm, microfiche), magnetic (HD, disks, tapes), flash memory (SSD, memory cards), and optical (CD, DVD).
• Periodic Data Migration: Regular data migration to new media ensures compatibility and data preservation.
Key Media Management Considerations:
• Factors to Consider: Confidentiality, access speeds, portability, durability, media format, and data format.
• Example - Confidentiality: Encryption algorithms should be evaluated for long-term use; strong cryptography today may be outdated in the future.
Media Protection Techniques:
• Associated Measures: Policies, access control, labeling, storage, transport, sanitization, and end-of-life disposal.
• Purpose: The degree of protection aligns with the data’s value and organizational risk management strategies.
Hardware and Software Asset Management:
• Inventory Management: Complete asset inventory is essential to track hardware and software.
• Asset Lifecycle Management: Assign ownership, ensure patching, secure configurations, and maintain proper licensing for each asset.
• Examples: Routine patching, secure configuration before deployment, and monitoring for ongoing security.

• Media management is crucial for protecting and retaining data over time.
• With diverse storage media and durability requirements, managing assets effectively requires regular
inventory, careful consideration of MTBF, and data migration to maintain accessibility and security.
• Asset management practices are essential, covering hardware/software lifecycle, secure
configurations, and regulatory compliance, to minimize risks and optimize asset value.

Incident Response Process
• Incident Response
• Event vs. Incident
• Incident Response Phases

Incident Response:
• Definition: A structured approach for identifying, managing, and mitigating incidents in an organization.
• Goal: Minimize damage, restore normal operations, and prevent future incidents.
Event vs. Incident:
• Event: An observable occurrence (e.g., a login attempt, file access).
• Incident: An adverse event that negatively affects confidentiality, integrity, or availability of data or systems.
• Key Distinction: Not all events are incidents; an incident requires a response due to its potential harm to the organization.
Incident Response Phases:
1. Preparation:
  • Developing incident response policies, procedures, and communication plans.
  • Training team members and ensuring tools are available (e.g., SIEM systems, threat intelligence).
2. Detection:
  • Identifying unusual or malicious activity through monitoring tools and threat intelligence.
  • Determine if the activity qualifies as an incident requiring action.
3. Response:
  • Confirm the incident, assemble the incident response team, and activate response protocols.
  • Take initial steps to contain the incident and prevent further damage.
4. Mitigation:
  • Implement containment actions (e.g., isolating affected systems, blocking malicious IPs).
  • Stop the incident from spreading and limit its impact on other systems.
5. Reporting:
  • Document findings, activities, and communications throughout the incident lifecycle.
  • Notify relevant stakeholders (e.g., management, legal teams) as necessary.
6. Recovery:
  • Restore systems to operational status with backups or secure replacements.
  • Test affected systems to ensure no residual threats remain.
7. Remediation:
  • Identify and eliminate the root cause to prevent recurrence.
  • Update security controls, policies, or procedures as needed.
8. Lessons Learned:
  • Conduct a post-incident review to analyze the incident and response effectiveness.
  • Document improvements to refine future incident response and resilience.

• The incident response process involves preparing for potential incidents, detecting threats, and
responding quickly to contain and mitigate impact.
• Post-incident, a thorough analysis and lessons learned help strengthen future response capabilities
and improve organizational resilience.

Events vs. Incidents in Incident Management
• Definition of Event
• Definition of Incident
• Examples of Detection Tools
• Examples of Incidents

Definition of Event:
• Event: Any observable occurrence within an environment, like a user logging in, accessing a file, or a system updating software.
• Characteristics: Continuous, mostly routine activities that don't negatively impact security or system function.
Definition of Incident:
• Incident: An event or series of events that disrupt normal operations, posing potential harm to data, systems, or organization assets.
• Trigger for Incident Response: Incidents are adverse events that should initiate the incident response process to mitigate risk.
Difference Between Events and Incidents:
• Key Distinction: Events happen constantly and are mostly benign, while incidents represent a deviation from expected behavior that may indicate a threat.
• Response Needs: While events are typically logged, incidents require immediate assessment, containment, and remediation.
Examples of Detection Tools:
1. IPS/IDS (Intrusion Prevention/Detection Systems): Monitors network traffic to identify suspicious behavior.
2. DLP (Data Loss Prevention): Tracks sensitive data to prevent unauthorized access or leaks.
3. Anti-malware Software: Detects and removes malicious code.
4. SIEM (Security Information and Event Management): Aggregates and correlates logs from multiple sources for in-depth monitoring.
5. Physical Security: Motion sensors, cameras, and security guards monitor physical premises.
Examples of Incidents:
• Malware Attack: Detection of malware that could harm systems or data.
• Hacker Attack: External attacker gains unauthorized access.
• Insider Attack: A legitimate user with malicious intent misuses their access.
• Employee Error: Unintentional mistakes that compromise security.
• System Error: Software or hardware malfunction causing potential vulnerabilities.
• Data Corruption: Loss or alteration of essential data.
• Workplace Injury: Physical incidents that may indicate security or safety protocol failures.

• An event is a routine occurrence with no immediate threat, while an incident is an adverse event
requiring a structured response.
• Distinguishing between the two ensures resources are used efficiently, with incident response
reserved for cases that demand urgent security action and containment.
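The event/incident distinction as a SIEM would apply it, added here as an example that is not part of the original notes: every log line is recorded as an event, and only lines matching a correlation rule are escalated to an incident record. The log lines are constructed (hostnames, user names and RFC 5737 documentation IP addresses), and the two rules and their thresholds are assumptions.

```python
"""Sorting logged events from incidents with simple correlation rules.

Added example, not from the original notes: the log lines are constructed and
the rules and thresholds are assumptions. Every line becomes an event; only
rule matches become incidents for the incident response process.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T09:00:01 srv01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:03 srv01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05 srv01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:07 srv01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09 srv01 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:12 srv01 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00 srv02 sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:05:30 srv02 sshd: Accepted password for bob from 198.51.100.4
2024-03-01T09:10:00 ws17 antimalware: Threat detected in /home/bob/Downloads/invoice.bin (quarantined)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+)")

# Rule 1: a successful login preceded by this many failures from the same
# source within the window is treated as a possible credential-guessing success.
FAILED_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, program, msg = m.groups()
    return {"time": datetime.fromisoformat(ts), "host": host, "program": program, "msg": msg}


def triage(log_text: str):
    """Return (events, incidents): every parsed line is an event; incidents are
    the subset a rule escalated, with the rule name attached."""
    events, incidents = [], []
    failures = defaultdict(list)   # (host, source ip) -> failed-login times
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        events.append(ev)
        msg = ev["msg"]

        m = FAILED_RE.search(msg)
        if m:
            failures[(ev["host"], m.group(2))].append(ev["time"])
            continue

        m = ACCEPTED_RE.search(msg)
        if m:
            user, ip = m.groups()
            recent = [t for t in failures[(ev["host"], ip)] if ev["time"] - t <= WINDOW]
            if len(recent) >= FAILED_THRESHOLD:
                incidents.append({"rule": "brute_force_success", "time": ev["time"],
                                  "host": ev["host"], "user": user, "source_ip": ip,
                                  "failures": len(recent)})
            failures[(ev["host"], ip)].clear()
            continue

        # Rule 2: an anti-malware detection is an incident on its own.
        if ev["program"] == "antimalware" and "Threat detected" in msg:
            incidents.append({"rule": "malware_detected", "time": ev["time"],
                              "host": ev["host"], "detail": msg})
    return events, incidents


if __name__ == "__main__":
    events, incidents = triage(SAMPLE_LOG)
    print(f"{len(events)} events logged, {len(incidents)} escalated to incidents")
    for inc in incidents:
        print(" ", inc)
```

Bob's single failed login followed by a success stays an event: it is logged, but below the threshold, so no response is triggered. Alice's login after five rapid failures and the anti-malware detection each produce an incident record that would enter the response process.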

Incident Response Process
• Preparation
• Detection
• Response (IR Team)
• Mitigation (Containment)
• Reporting
• Recovery (Return to Normal)
• Remediation (Prevention)
• Lessons Learned (Process Improvement)

Preparation:
• Objective: Establish readiness for incidents.
• Actions: Develop the Incident Response (IR) process, assign IR team members, and outline protocols for when an incident occurs.
Detection:
• Objective: Identify when an event becomes an incident.
• Actions: Distinguish adverse incidents from regular events to initiate the response process.
Response (IR Team):
• Objective: Activate the Incident Response team after detection.
• Actions: Conduct an impact assessment to gauge the scale, impact, and required resources or departments.
Mitigation (Containment):
• Objective: Limit the impact of the incident.
• Actions: Focus on containing the issue to prevent further damage without necessarily resolving it (e.g., isolating affected systems).
Reporting:
• Objective: Communicate incident status to stakeholders.
• Actions: Provide ongoing updates during containment and designate a spokesperson to ensure message consistency.
Recovery (Return to Normal):
• Objective: Restore normal operations.
• Actions: Clean up, repair affected areas, and ensure systems return to functional status.
Remediation (Prevention):
• Objective: Address root causes to prevent recurrence.
• Actions: Implement system improvements and fixes to mitigate similar incidents in the future.
Lessons Learned (Process Improvement):
• Objective: Reflect on the incident to enhance future response.
• Actions: Review the incident holistically to identify areas for improvement in processes, training, and system protection.

• The Incident Response Process involves structured steps starting with preparation, detecting
incidents, responding, containing the impact, and then moving to recovery and preventative
measures.
• Effective incident response relies on organized communication, clear roles, and continuous
improvement based on lessons learned to strengthen the organization’s security posture.

Malware Types and Concepts
• Malware Definition
• Types of Malware:
• Virus
• Worm
• Logic Bomb
• Trojan Horse
• Polymorphic Malware
• Ransomware
• Rootkit
• Zero-Day

Malware Definition:
• Definition: Malicious software that disrupts, damages, or gains unauthorized access to systems.
Types of Malware:
Virus:
• Characteristics: Requires user action to activate.
• Example: A virus that infects a file and only spreads when the file is opened by the user.
Worm:
• Characteristics: Self-propagates and spreads through networks without user action.
• Example: A worm infecting one device in a network, spreading to others autonomously.
Logic Bomb:
• Characteristics: Executes malicious actions based on a specific trigger condition in the code.
• Example: Deletes files if a certain date or condition is met.
Trojan Horse:
• Characteristics: Appears harmless but contains hidden malicious code.
• Example: An application disguised as a utility that steals data once installed.
Polymorphic Malware:
• Characteristics: Changes its code or appearance to evade detection.
• Example: Malware that alters its binary pattern to bypass antivirus scans.
Ransomware:
• Characteristics: Encrypts files or systems and demands ransom for the decryption key.
• Example: Locks users out of critical systems until a ransom payment is made.
Rootkit:
• Characteristics: Conceals malicious tools or processes, often giving attackers hidden access.
• Example: A rootkit that embeds itself in a system kernel, hiding its activities.
Zero-Day:
• Characteristics: Newly discovered malware without known detection signatures.
• Example: Malware exploiting an undisclosed vulnerability, making it undetectable by current security measures.

• Malware encompasses a range of harmful software types, each with unique behaviors and impacts.
• Understanding specific types, like viruses, worms, and ransomware, helps in identifying preventive
and remedial actions.
• Emerging malware like polymorphic and zero-day variants require adaptive and proactive security
measures to counter evolving threats effectively.

Types of Malware
• Definition of Malware
• Types of Malware
• Virus
• Worm
• Companion Malware
• Macro
• Multipartite
• Polymorphic
• Trojan
• Botnet
• Boot Sector Infector
• Hoaxes/Pranks
• Logic Bomb
• Stealth
• Ransomware
• Rootkit
• Data Diddler
• Zero-Day

Malware Definition:
• Description: Malicious software designed to harm, exploit, or damage a system.
Types of Malware and Characteristics:
• Virus:
  • Needs user action to activate (e.g., opening an infected file).
• Worm:
  • Self-propagates and spreads autonomously, often more damaging than a virus.
• Companion Malware:
  • Attaches to legitimate files, running alongside them by creating similar filenames.
• Macro:
  • Found in documents like Excel, uses simple code that can automate malicious actions.
• Multipartite:
  • Spreads through multiple vectors (e.g., Stuxnet spreading via USB then targeting systems).
• Polymorphic:
  • Changes form (file name, size, structure) each time it replicates to avoid detection.
• Trojan Horse:
  • Disguised as legitimate software but contains hidden malicious code.
• Botnet:
  • Network of infected devices under an attacker's control, often used in DDoS attacks or spamming.
• Boot Sector Infector:
  • Installs in the boot sector of a hard drive, making it hard to detect and remove.
• Hoaxes/Pranks:
  • Not actual software, typically social engineering attempts causing harm or amusement.
• Logic Bomb:
  • Code that activates when certain conditions are met (e.g., deletion of files if a user is no longer employed).
• Stealth Malware:
  • Actively hides its presence, disabling security measures on the infected system.
• Ransomware:
  • Encrypts files/systems, demands ransom for decryption key; often involves data exfiltration.
• Rootkit:
  • Collection of tools to hide malware presence, typically provides ongoing control to attacker.
• Data Diddler:
  • Makes subtle changes to data over time, often used in financial fraud (e.g., salami attacks).
• Zero-Day:
  • Newly discovered, no existing detection signatures; dangerous due to lack of awareness.

• Malware encompasses a variety of types, each with specific characteristics and potential impacts on
system security.
• Understanding the distinctions among viruses, worms, Trojans, ransomware, rootkits, and zero-day
attacks allows for better detection, prevention, and response strategies, supporting comprehensive
defense in an evolving threat landscape.

Third-Party Provided Security Services
• Definition of Third-Party Provided Security Services
• Types of Security Services Available from Third-Party Providers
• Role and Importance in Modern Security Strategies

Third-Party Provided Security Services:
• Definition: Refers to security services that an organization can outsource to external providers.
• Trend: With the growth of cloud technology, contracting third-party security services has become increasingly common.
Types of Services Provided by Third-Party Vendors:
• SIEM (Security Information and Event Management):
  • Continuous monitoring and log analysis across the organization’s infrastructure.
• Auditing Services:
  • Regular or ad-hoc audits to ensure compliance with regulatory standards and internal policies.
• Penetration Testing:
  • External testers attempt to find vulnerabilities through simulated attacks, often performed annually or biannually.
• Antivirus and Malware Management:
  • Managed detection and response to evolving malware threats, often through continuously updated protection.
• Forensic Services:
  • Specialized in analyzing incidents post-breach, recovering data, and assessing the impact of an attack.
Importance of Third-Party Security Services:
• Cost-Effectiveness: Reduces the need for in-house infrastructure and specialized staff for every security task.
• Expertise: Access to specialized skills and the latest technology without direct investment in personnel and systems.
• Scalability: Services can scale with the organization’s needs, from small businesses to large enterprises.

• Third-party provided security services allow organizations to enhance their security posture by
leveraging external expertise and infrastructure.
• Services like SIEM, penetration testing, and forensic analysis offer flexibility, scalability, and access
to advanced skills, supporting robust security without extensive internal resource allocation.
• This approach is integral in cloud environments where specialized, ongoing security support is often
required.

Anti-Malware
• Purpose of Anti-Malware Software
• Key Approaches in Anti-Malware Protection
• Importance of Policy and User Training

Anti-Malware Software Purpose:
• Primary Goal: To prevent malware from being activated or spreading within an organization’s systems and networks.
Key Approaches in Anti-Malware Protection:
1. Signature-Based Detection:
  1. Mechanism: Compares files against a database of known malware signatures.
  2. Strengths: Effective for detecting previously identified malware.
  3. Limitations: Unable to detect new or modified malware without existing signatures.
2. Heuristic-Based Detection:
  1. Mechanism: Analyzes behavior of code and files to identify potentially malicious activity.
  2. Strengths: Can detect new and unknown malware by identifying suspicious patterns.
  3. Limitations: May result in false positives due to its predictive nature.
Role of Policy and User Training in Anti-Malware:
• Policies: Organizations should implement clear anti-malware policies to guide behavior and protocol.
• User Training and Awareness:
  • Objective: Educate users on recognizing suspicious files, avoiding risky websites, and following safe email practices.
  • Effectiveness: Reduces the risk of malware activation due to human error or lack of awareness.

• Anti-malware software is essential in safeguarding systems from malicious software, utilizing both
signature-based and heuristic detection to identify and neutralize threats.
• While technology is critical, robust policies and regular user training are equally important in
creating an effective defense against malware outbreaks.
• Heuristic detection offers a broader protection spectrum, while user awareness minimizes human-
initiated infections, making anti-malware efforts more comprehensive and resilient.

Anti-malware and Preventing Malware Outbreaks
• Effective anti-malware practices
• User training and policy
• Types of detection: signature-based vs. heuristic-based
• Activity monitoring
• Change detection

Anti-malware Practices:
• Anti-malware tools aim to prevent malware from being activated.
• Effective policies and user training are among the best defenses against malware outbreaks.
• Training helps users recognize suspicious links and attachments, reducing the risk of unintentional activation.
User Training and Policy Awareness:
• Training covers basic security practices and safe internet behaviors, targeting common triggers for malware like email phishing.
• Awareness programs reduce reliance on automated systems by equipping staff with threat recognition skills.
Detection Types:
1. Signature-based Detection:
  1. Uses definition files with known malware signatures.
  2. Only effective against known threats and needs frequent updates.
  3. Limited against zero-day malware.
2. Heuristic Detection:
  1. Analyzes code behavior to detect unusual activities.
  2. Two Methods:
    1. Static scanning: examines code structure.
    2. Dynamic/sandboxing: runs code in an isolated environment.
  3. Pros: Can detect new, unknown malware.
  4. Cons: Higher false-positive rate; some malware can evade detection in sandboxed environments.
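The signature-versus-heuristic trade-off described here and on the preceding Anti-Malware page, shown in a toy scanner added as an example (not from the original notes): a hash lookup catches the known sample but misses a trivially modified variant, while static heuristics catch the variant and also flag an encrypted archive, the false positive the notes warn about. The four "files" are constructed byte strings, the signature database is built by hashing one of them, and the heuristic indicators and weights are assumptions.

```python
"""Signature-based and heuristic detection side by side (toy scanner).

Added example, not from the original notes: all samples are constructed byte
strings; the indicator list, weights and threshold are assumptions.
"""
import hashlib
import math
from collections import Counter

# --- constructed samples -----------------------------------------------------
SAMPLE_BENIGN = b"Quarterly sales report: revenue grew 4% over the previous quarter."
SAMPLE_KNOWN_BAD = (
    b"<constructed sample> AutoOpen; persists via CurrentVersion\\Run; "
    b"fetches http://malware.example/update.exe"
)
# One string changed: the hash no longer matches, the behaviour is the same.
SAMPLE_VARIANT = SAMPLE_KNOWN_BAD.replace(b"update.exe", b"update-v2.exe")
# Stand-in for a legitimate encrypted archive: deterministic pseudo-random bytes.
SAMPLE_ENCRYPTED = b"".join(
    hashlib.sha256(b"constructed-block-%d" % i).digest() for i in range(64)
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database: hash -> detection name (vendor definition files in practice).
SIGNATURE_DB = {sha256_hex(SAMPLE_KNOWN_BAD): "Constructed.Dropper.A"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate packed, compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Static heuristic indicators: (description, predicate, weight). Assumed values.
HEURISTIC_RULES = [
    ("high-entropy content (packed or encrypted)", lambda d: shannon_entropy(d) > 7.0, 3),
    ("references an autorun registry key", lambda d: b"CurrentVersion\\Run" in d, 2),
    ("document auto-execute macro name", lambda d: b"AutoOpen" in d, 2),
    ("downloads an executable", lambda d: b"http://" in d and b".exe" in d, 1),
]
SUSPICION_THRESHOLD = 3


def scan(data: bytes) -> dict:
    """Signature check first (cheap and precise); heuristics only on a miss."""
    digest = sha256_hex(data)
    if digest in SIGNATURE_DB:
        return {"verdict": "malicious", "method": "signature",
                "name": SIGNATURE_DB[digest], "score": None, "reasons": []}
    hits = [(desc, weight) for desc, pred, weight in HEURISTIC_RULES if pred(data)]
    score = sum(weight for _, weight in hits)
    return {"verdict": "suspicious" if score >= SUSPICION_THRESHOLD else "clean",
            "method": "heuristic" if hits else None, "name": None,
            "score": score, "reasons": [desc for desc, _ in hits]}


if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("known bad", SAMPLE_KNOWN_BAD),
                          ("variant", SAMPLE_VARIANT), ("encrypted", SAMPLE_ENCRYPTED)]:
        r = scan(sample)
        print(f"{label:10} -> {r['verdict']:10} via {r['method']}  {r['reasons']}")
```

The encrypted-archive result is the cost of heuristics in miniature: high entropy alone crosses the threshold, so a legitimate encrypted or compressed file is reported as suspicious and needs an analyst or a sandbox run to clear it. A real product weighs many more indicators and tunes the threshold against a corpus of clean files; the structure (signature first, score on a miss) is the same.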

Activity Monitoring:
• Monitors ongoing processes for suspicious activity.
• Raises alerts if malware-like behavior is detected, catching malware that might try to hide in background processes.
Change Detection (File Integrity Monitoring):
• Common in Linux systems; checks for modifications in key system files.
• Works by hashing files and comparing new hashes over time.
• Alerts generated if hashes do not match, indicating potential tampering or malware activity.
• Requires continual updating to be effective.
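The hash-and-compare mechanism behind change detection, as an added example that is not part of the original notes: a baseline of SHA-256 hashes is taken for a directory tree, stored as JSON, and later compared with a fresh pass to report modified, added and removed files. The demo creates its own sample files in a temporary directory; the paths and file contents are constructed.

```python
"""Change detection (file integrity monitoring) by hashing, toy example.

Added example, not from the original notes: demo() builds its own small file
tree in a temporary directory; all paths and contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    # The baseline itself must be protected (read-only, off-host or signed):
    # whoever can rewrite it can hide any change from the comparison.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Files whose hash changed, files not in the baseline, files that vanished."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added":    sorted(k for k in current if k not in baseline),
        "removed":  sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Create a small tree, baseline it, simulate tampering, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("Port 22\n")
        (root / "bin" / "tool").write_bytes(b"constructed binary v1\n")

        baseline_file = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes after the baseline was taken (constructed):
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 updates.vendor.example\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "tool2").write_bytes(b"constructed binary v2\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "requires continual updating" point from the notes shows up as an operational rule: after every approved change (a patch, a configuration edit) the baseline must be re-taken, otherwise legitimate changes drown the alerts and the tool is switched off. Baselining only happens after the change has been verified, never automatically on every alert.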

• Effective malware prevention combines user training, policies, and multiple technical detection
approaches.
• Signature-based and heuristic-based methods target known and unknown threats, respectively,
while activity monitoring and change detection add layers of defense.
• Regular updates to both detection tools and user training are critical to maintaining protection
against evolving threats.

ML and AI-Based Tools in Security
• Definitions and relationship between AI and ML
• Applications in security
• Benefits and capabilities

Understanding AI and ML:
• Artificial Intelligence (AI):
  • AI focuses on using human-like intelligence models to solve problems, not necessarily replicating human thought.
  • AI encompasses a broader spectrum of technology-driven intelligence to enhance decision-making.
• Machine Learning (ML):
  • A subset of AI, focused on pattern recognition and predictions.
  • ML systems learn from historical data (input) to make predictions for future events.
  • Requires networked computers and powerful processors to handle large data and complex algorithms.
Capabilities of ML/AI Tools:
1. Data-Driven Learning: AI/ML enables systems to analyze data patterns and improve continuously without explicit reprogramming.
2. Predictive Modeling: Uses mathematical models to analyze historical data, uncover trends, and make informed future predictions.
Security Applications of ML/AI:
• Threat Detection and Classification: ML/AI can identify and categorize security threats by analyzing anomalies in data patterns.
• Network Risk Scoring: Assigns risk scores to network activities, helping prioritize security responses based on detected risk levels.
• Automation of Security Tasks: Automates repetitive security tasks, enabling human analysts to focus on more complex issues.
• Cybercrime Response: Detects and responds to incidents like:
  • Unauthorized Access: Identifies and blocks unauthorized attempts.
  • Evasive Malware: Detects malware that uses advanced techniques to avoid traditional security measures.
  • Spear Phishing: Uses pattern recognition to identify targeted phishing attempts.

• ML and AI-based tools offer enhanced security capabilities through predictive modeling and
automation.
• In security, they support threat detection, risk scoring, and cybercrime response by learning from
past data, analyzing patterns, and enabling quicker response to threats.
• This application of ML/AI transforms security processes, enhancing both system protection and
efficiency in managing complex security challenges.

Patch Management in Security Operations - 1
• Importance of Patch Management
• Determining Patch Levels
• Methods for Deploying Patches

Patch Management Overview:
• Patch Management Purpose:
  • Proactive process to fix security flaws, vulnerabilities, improve performance, and sometimes add functionality.
  • Objective: Maintain a secure and consistently configured environment.
  • Key Step: Patching secures systems only against known vulnerabilities.
• Benefits of Timely Patch Application:
  • Reduces risk by protecting against known vulnerabilities.
  • Creates a consistent environment across systems.
  • Many systems alert users to available patches, while others may rely on system owners for updates.
Integration with Change Management:
• Change Management Process: Vital to ensure patches don’t disrupt critical operations.
• Threat Intelligence: Important to stay updated on new vulnerabilities, often sourced from internal intelligence, vendor updates, and news feeds.
Determining Patch Levels:
• Agent-Based Monitoring:
  • Agent installed on host: Checks software versions against a master database and initiates updates if needed.
• Agentless Monitoring:
  • External monitoring tool connects to each device and assesses patch needs without a host-based agent.
• Passive Detection:
  • Uses fingerprinting techniques to infer system versions and patch levels from network traffic.

Method      Description
Agent       Software on each host, auto-updates
Agentless   Remote monitoring, no installation on host
Passive     Uses traffic to infer patch levels
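The agent-based check described above (installed versions compared against a master database) in working form, added as an example that is not part of the original notes. The package names, version strings and hostnames are constructed and reference no real advisory or product release. What the code adds to the description is the version comparison itself: plain string comparison ranks "2.14.10" below "2.14.3", so versions are split into numeric and alphabetic fields before comparing.

```python
"""Determining patch levels by comparing installed versions with a master
database, as an agent-based tool would (toy example).

Added example, not from the original notes: packages, versions and hostnames
are constructed.
"""
import re

# Master database: minimum version that contains the fix (constructed).
MASTER_DB = {
    "openssh-server": "9.6p1",
    "web-frontend":   "2.14.3",
    "db-engine":      "15.4",
}

# What the agent on each host reports as installed (constructed).
INVENTORY = {
    "web01": {"openssh-server": "9.6p1", "web-frontend": "2.14.3"},
    "web02": {"openssh-server": "9.3p2", "web-frontend": "2.14.10"},
    "db01":  {"openssh-server": "9.6p1", "db-engine": "15.2"},
}


def version_key(version: str) -> tuple:
    """Split '9.6p1' into ((0, 9), (0, 6), (1, 'p'), (0, 1)) so numeric fields
    compare as integers and are never compared against letters."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_patched(installed: str, required: str) -> bool:
    return version_key(installed) >= version_key(required)


def assess(inventory: dict, master_db: dict) -> dict:
    """Per host, list (package, installed, required) for every package that is
    present on the host but below the required version. Packages absent from
    the master database are not judged."""
    report = {}
    for host, packages in inventory.items():
        missing = []
        for package, installed in packages.items():
            required = master_db.get(package)
            if required is not None and not is_patched(installed, required):
                missing.append((package, installed, required))
        report[host] = missing
    return report


def hosts_needing_patches(report: dict) -> list:
    return sorted(host for host, missing in report.items() if missing)


if __name__ == "__main__":
    report = assess(INVENTORY, MASTER_DB)
    for host in sorted(report):
        print(host, "up to date" if not report[host] else report[host])
```

Two caveats a real agent has to handle that this sketch does not: distributions often backport a fix without raising the upstream version string, so a pure version comparison can report a patched host as vulnerable; and, as the notes say, the whole exercise only covers known vulnerabilities, so a host reported as fully patched is not thereby free of exploitable flaws.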

Patch Management in Security Operations - 2
• Importance of Patch Management
• Determining Patch Levels
• Methods for Deploying Patches

Patch Deployment Methods:
• Manual Deployment:
  • Advantages: Best for high-value systems to reduce risk of unexpected issues.
  • Process: Requires someone to log in and install patches individually.
• Automated Deployment:
  • Advantages: Efficient for standard systems.
  • Process: Uses tools like Windows Server Update Services (WSUS) for consistent updates.

Deployment   Description
Manual       Direct, ideal for critical systems
Automated    Software-based, best for wide-scale updates

• Patch Management is essential for a secure IT environment, addressing vulnerabilities, improving performance, and adding features.
• Patch levels are determined by agent-based, agentless, or passive methods.
• Deployment is done manually for high-priority systems or automated for general updates, balancing security with operational efficiency.

Change Management in Security Operations - 1
• Importance of Change Management
• Steps in the Change Management Process

Change Management Overview:
• Purpose: Ensures changes are made deliberately and risks are minimized.
• Benefits: Analyzes costs/benefits and implements changes in a controlled manner to reduce risks.
Steps in Change Management:
1. Change Request:
  • Definition: Initiated from any department for any topic (e.g., new functionality, misconfiguration fix, patch for a vulnerable system).
  • Process: Usually submitted through a change management software tool.
2. Assess Impact:
  • Purpose: Evaluates the impact and size of the proposed change.
  • Considerations: Critical changes (e.g., security patch) might expedite the process through emergency change management.
3. Approval:
  • Multiple Stages: Based on the importance of the change.
  • Key Personnel: System owner, stakeholders, and possibly a Change Advisory Board (CAB) for major changes.
  • Flexible Levels: Less review for minor changes; high review for costly or high-impact changes.
4. Build and Test:
  • Testing Environment: Conduct development and testing in a controlled test environment.
  • Types of Testing: Includes regression and validation testing to ensure functionality and stability.
5. Notification:
  • Prior to Implementation: Inform key stakeholders of the impending change to allow for input or readiness.
6. Implement:
  • Execution: Apply the tested and approved change in the live environment.
7. Validation:
  • Post-Implementation Check: Notify management and stakeholders to confirm the change was successful.
8. Version and Baseline Documentation:
  • Documentation: Critical to keep detailed records at each step.
  • Purpose: Maintains operational discipline, ensures consistency, and helps future change tracking.
Balancing Change Management:
• Too Little Management: Leads to a chaotic, reactive environment.
• Too Much Management: Can slow progress, resulting in people bypassing the process.
• Optimal Approach: Strikes a balance for controlled, efficient changes.



Change Management in Security Operations - 2

• Importance of Change Management
• Steps in the Change Management Process

Step              Description
Change Request    Initiated request from any department
Assess Impact     Evaluate impact and size of change
Approval          Multiple stages and stakeholders involved
Build and Test    Develop and test in a controlled environment
Notification      Inform key stakeholders before implementation
Implement         Apply the approved change to the live environment
Validation        Confirm successful implementation with management and stakeholders
Documentation     Complete documentation for version tracking and baseline

• Change Management provides a structured approach for implementing changes in a secure, controlled way to mitigate risks.
• Following each step—from request through validation—ensures that changes benefit the organization without introducing unnecessary risks.
• Proper documentation and adherence to the process create a balanced environment, supporting effective change while maintaining stability.
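The eight-step process described on these two pages, modelled as a small state machine that refuses out-of-order steps and keeps an audit trail. This is an added example, not the notes' own material; the impact thresholds, the approver sets per impact level (system owner for minor changes, owner plus stakeholders plus CAB for major ones) and the expedited approval path for emergency changes are assumptions made to illustrate the flow.

```python
"""Change-management workflow as a state machine with an audit trail.

Added example, not from the notes. Impact thresholds, approver sets and the
emergency shortcut are assumptions chosen to illustrate the eight steps.
"""
from dataclasses import dataclass, field

STEPS = ["request", "assess", "approve", "build_test", "notify",
         "implement", "validate", "document"]

# Assumed approval levels: minor changes need the system owner only,
# major ones also need stakeholders and the Change Advisory Board (CAB).
APPROVERS = {"minor": {"system_owner"},
             "major": {"system_owner", "stakeholders", "cab"}}


class ChangeProcessError(Exception):
    """A step was attempted out of order or a gate was not met."""


@dataclass
class ChangeRecord:
    cr_id: str
    description: str
    emergency: bool = False
    impact: str = "unassessed"                      # set by assess_impact
    approvals: set = field(default_factory=set)
    history: list = field(default_factory=list)     # (step, note) audit trail

    @property
    def step(self) -> str:
        return self.history[-1][0]


def submit(cr_id: str, description: str, emergency: bool = False) -> ChangeRecord:
    cr = ChangeRecord(cr_id, description, emergency)
    cr.history.append(("request", "submitted through the change tool"))
    return cr


def _require(cr: ChangeRecord, expected: str) -> None:
    if cr.step != expected:
        raise ChangeProcessError(f"{cr.cr_id}: at '{cr.step}', expected '{expected}'")


def assess_impact(cr: ChangeRecord, affected_users: int, cost: float) -> str:
    _require(cr, "request")
    # Assumed thresholds separating minor from major changes.
    cr.impact = "major" if affected_users > 100 or cost > 10_000 else "minor"
    cr.history.append(("assess", f"impact={cr.impact}"))
    return cr.impact


def required_approvers(cr: ChangeRecord) -> set:
    if cr.emergency:
        return {"system_owner"}      # assumed expedited path for emergency changes
    return APPROVERS[cr.impact]


def approve(cr: ChangeRecord, approver: str) -> bool:
    """Record one sign-off; the step completes once every required approver has signed."""
    _require(cr, "assess")
    cr.approvals.add(approver)
    if required_approvers(cr) <= cr.approvals:
        cr.history.append(("approve", f"signed by {sorted(cr.approvals)}"))
    return cr.step == "approve"


def build_and_test(cr: ChangeRecord, regression_ok: bool, validation_ok: bool) -> None:
    _require(cr, "approve")
    if not (regression_ok and validation_ok):
        raise ChangeProcessError(f"{cr.cr_id}: tests failed in the test environment")
    cr.history.append(("build_test", "regression and validation passed"))


def notify(cr: ChangeRecord, stakeholders) -> None:
    _require(cr, "build_test")
    cr.history.append(("notify", f"notified {sorted(stakeholders)}"))


def implement(cr: ChangeRecord) -> None:
    _require(cr, "notify")
    cr.history.append(("implement", "applied to the live environment"))


def validate(cr: ChangeRecord, success: bool) -> bool:
    _require(cr, "implement")
    cr.history.append(("validate", "confirmed with stakeholders" if success else "rolled back"))
    return success


def document(cr: ChangeRecord, baseline: str) -> list:
    """Close the record and return the completed step sequence for the baseline log."""
    _require(cr, "validate")
    cr.history.append(("document", f"new baseline {baseline}"))
    return [step for step, _ in cr.history]
```

The `history` list is the version-and-baseline record the eighth step asks for: every transition is written down, and `_require` is what stops someone from jumping from request straight to implementation.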



Failure Modes in Recovery Strategies

• Understanding failure modes in systems
• Types of failure modes: fail-soft, fail-secure, fail-safe

Failure Modes Overview:
• Definition: Failure modes determine what occurs when a system component, the entire system, or a facility experiences failure.
• Purpose: Each mode addresses system continuity, security, and safety needs during failures.
Types of Failure Modes:
1. Fail-Soft (Fail-Open):
  • Description: Allows systems to remain operational, often at reduced capacity, despite component or system failure.
  • Usage Example: In network switches or firewalls, a fail-open mode allows traffic to continue flowing in case of a failure.
  • Goal: Ensures availability over security, minimizing downtime but potentially leaving the system less secure.
2. Fail-Secure (Fail-Closed):
  • Description: Shuts down systems or restricts access in response to a failure, prioritizing security over availability.
  • Usage Example: A door with a fail-closed lock will remain locked in case of a power failure.
  • Goal: Limits access or operations to protect sensitive assets, prioritizing security even if it disrupts operations.
3. Fail-Safe:
  • Description: Focuses on ensuring the safety of people during a failure, which may involve disabling or shutting down certain functions.
  • Usage Example: In industrial systems, fail-safe mechanisms shut down machinery to prevent accidents or injuries.
  • Goal: Protects human life and safety above all else.

• Failure Modes are critical components of recovery strategies in environments where system
resilience, security, and human safety need to be preserved during failures.
• Understanding the appropriate failure mode for each system—fail-soft, fail-secure, or fail-safe—
ensures that systems are designed to handle failures effectively based on the organization’s
priorities, whether that’s maintaining operational continuity, securing assets, or safeguarding
people.
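The three failure modes as they play out in a control that can itself fail, shown as an added example (not from the notes). The "policy check" that raises during an outage and the hazard-stop callback are constructed stand-ins for the firewall rule lookup, the electronic door lock and the industrial interlock in the examples above; the workload of three requests is constructed too.

```python
"""Resolving a failed control under fail-open, fail-closed and fail-safe policies.

Added example, not from the notes. The policy check that can fail and the
hazard-stop callback are constructed stand-ins for a firewall, a door lock
and an industrial interlock.
"""
from enum import Enum


class FailureMode(Enum):
    FAIL_OPEN = "fail-soft / fail-open"          # availability over security
    FAIL_CLOSED = "fail-secure / fail-closed"    # security over availability
    FAIL_SAFE = "fail-safe"                      # human safety over both


class CheckUnavailable(Exception):
    """The component that should make the decision has itself failed."""


def decide(check, mode: FailureMode, hazard_stop=lambda: None) -> str:
    """Run check() (True = permit, False = deny). If the check cannot run,
    resolve the request according to the configured failure mode."""
    try:
        return "permit" if check() else "deny"
    except CheckUnavailable:
        if mode is FailureMode.FAIL_OPEN:
            return "permit"        # traffic keeps flowing; the risk is accepted
        if mode is FailureMode.FAIL_CLOSED:
            return "deny"          # the door stays locked
        hazard_stop()              # fail-safe: stop the machinery first, then deny
        return "deny"


def simulate(requests, outage, mode: FailureMode, hazard_stop=lambda: None) -> dict:
    """Constructed workload: `requests` is a list of (id, permitted_by_policy);
    `outage` is the set of request ids during which the checker is down."""
    results = {}
    for rid, permitted in requests:
        def check(rid=rid, permitted=permitted):
            if rid in outage:
                raise CheckUnavailable(rid)
            return permitted
        results[rid] = decide(check, mode, hazard_stop)
    return results


def policy_violations(requests, results) -> list:
    """Requests permitted although policy said deny: the security cost of fail-open."""
    return [rid for rid, permitted in requests if not permitted and results[rid] == "permit"]


if __name__ == "__main__":
    reqs = [(1, True), (2, False), (3, True)]
    for mode in FailureMode:
        out = simulate(reqs, {2}, mode)
        print(mode.value, out, "violations:", policy_violations(reqs, out))
```

Running it with the checker down during request 2 makes the trade-off concrete: fail-open lets a request through that policy would have denied, fail-closed denies it (and would also deny legitimate traffic during the outage), and fail-safe denies it only after the hazard-stop has run.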



Backup Storage Strategies

• Importance of backup strategies for meeting organizational goals
• Types of backup methods
• Backup rotations and retention
• Role of checksums in data integrity

Overview of Backup Strategies:
• Purpose: Backup strategies align with organizational needs, focusing on backup frequency, restoration time, and storage efficiency.
• Archive Bit: Metadata marker showing if a file requires backup.
  • 0: No changes since last backup.
  • 1: File modified; backup required.
Types of Backup Strategies:
1. Incremental Backup:
  • Backs up changes since the last incremental backup.
  • Benefit: Efficient storage, faster backups.
  • Limitation: Slower restoration due to multiple backup sets.
2. Differential Backup:
  • Backs up changes since the last full backup.
  • Benefit: Faster restoration than incremental, as only two sets (full + differential) are needed.
  • Limitation: Larger storage requirement over time.
3. Full Backup:
  • Backs up all data regardless of changes.
  • Benefit: Easiest and fastest for full restoration.
  • Limitation: High storage use and backup time.
4. Mirror Backup:
  • Creates an exact copy of data with no compression.
  • Benefit: Direct access to data copy; near-instantaneous restoration.
  • Limitation: High storage space requirement.
Backup Rotations:
• Purpose: Establish a schedule for tape use, retention, and rotation to ensure reliable and organized data recovery.
• Common Rotation Types:
  • First In, First Out (FIFO): Oldest backup tape used first.
  • Grandfather-Father-Son (GFS): Rotates backups on weekly, monthly, and yearly schedules.
  • Tower of Hanoi: Complex rotation minimizing the number of backups for data retention.
Checksum (Cyclic Redundancy Check - CRC):
• Purpose: Verifies data integrity by detecting changes in data over time.
• Application: Ensures reliability in backup data, safeguarding against corruption during storage and transfer.

• Backup Storage Strategies ensure that data is securely stored and recoverable, balancing storage
needs, backup and restore times, and data integrity checks.
• Incremental and differential backups are efficient methods, while full and mirror backups provide
complete data snapshots.
• Backup rotations ensure data freshness and organization, and CRC checksums verify data integrity
across all backup types, enhancing reliability and security.
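The archive bit, the three backup types it drives, the restore chain each one needs and the CRC check on every set, worked through in code. This is an added example rather than the notes' own material. The file names and contents are constructed, and the code assumes the usual archive-bit convention (full and incremental backups clear the bit, a differential backup leaves it set); mirror backups, being uncompressed full copies, are not modelled separately.

```python
"""Archive-bit driven backup selection (full / incremental / differential),
the restore chain each strategy needs, and CRC32 checks on every backup set.

Added example, not from the notes. File names and contents are constructed.
Assumed archive-bit convention: full and incremental backups clear the bit,
a differential backup leaves it set.
"""
import zlib


class File:
    def __init__(self, name: str, data: bytes):
        self.name, self.data = name, data
        self.archive_bit = 1               # new file: needs backing up


def modify(f: File, data: bytes) -> None:
    """Writing a file sets its archive bit again."""
    f.data, f.archive_bit = data, 1


class BackupSet:
    def __init__(self, kind: str, files):
        self.kind = kind
        self.contents = {f.name: f.data for f in files}
        self.crc = self._checksum(self.contents)      # recorded when written

    @staticmethod
    def _checksum(contents: dict) -> int:
        payload = b"".join(n.encode() + d for n, d in sorted(contents.items()))
        return zlib.crc32(payload)

    def verify(self) -> bool:
        """Recompute the CRC over what is on the medium and compare it."""
        return self._checksum(self.contents) == self.crc


def run_backup(kind: str, fs) -> BackupSet:
    if kind == "full":
        selected = list(fs)
    elif kind in ("incremental", "differential"):
        selected = [f for f in fs if f.archive_bit == 1]
    else:
        raise ValueError(f"unknown backup kind {kind!r}")
    backup = BackupSet(kind, selected)
    if kind in ("full", "incremental"):
        for f in selected:
            f.archive_bit = 0              # differential leaves the bits set
    return backup


def restore_chain(history) -> list:
    """Sets needed to reach the latest state: the last full, then every
    incremental taken since it, or only the most recent differential."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    since = history[last_full + 1:]
    chain = [history[last_full]] + [b for b in since if b.kind == "incremental"]
    diffs = [b for b in since if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


def restore(chain) -> dict:
    """Apply the sets in order; refuse a set whose CRC no longer matches."""
    state = {}
    for b in chain:
        if not b.verify():
            raise ValueError(f"CRC mismatch: {b.kind} backup set is corrupt")
        state.update(b.contents)
    return state
```

The second differential in the test contains both changed files because the first one left the archive bit set; the second incremental contains only the newer change. That is exactly why a differential restore needs two sets and an incremental restore needs the whole chain.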



Backup Storage Strategies - 2

• Types of storage locations: onsite, offsite, cloud
• Importance of geographic separation
• Other storage strategies: electronic vaulting, tape rotation
• Reasons for tape rotation

Types of Backup Storage Locations:
1. Onsite Backup:
  • Stored in the same physical location as the original data.
  • Pros: Quick access for data recovery; lower cost.
  • Cons: Vulnerable to local disasters (e.g., fire, flood) impacting both original and backup data.
2. Offsite Backup:
  • Data stored at a different, geographically remote location.
  • Pros: Protects against regional risks (natural disasters, political events).
  • Cons: Longer retrieval times; may involve additional cost for secure transfer and storage.
3. Cloud Backup:
  • Data is stored in the cloud, managed by a third-party provider.
  • Pros: High availability, scalable, low-cost for storage and recovery.
  • Cons: Dependent on internet connection; potential privacy and security concerns.
Additional Backup Storage Strategies:
• Electronic Vaulting:
  • Automated tape management system (e.g., tape jukebox) controlled by robotic arms.
  • Purpose: Efficiently manage multiple tapes; suited for large data storage needs.
  • Benefit: Streamlines backup process with automated scheduling.
• Tape Rotation Strategies:
  • Definition: Techniques for managing backup tapes to optimize storage and recovery.
  • Popular Methods:
    • FIFO (First-In, First-Out): Oldest backup tapes are used first for new backups.
    • Grandfather-Father-Son (GFS): Cycles backups with daily, weekly, and monthly retention.
    • Tower of Hanoi: A complex rotation method to maximize backup coverage with fewer tapes.
  • Purpose of Tape Rotation: Ensures timely backups, manages storage efficiently, and maintains historical backup records.

• Backup storage strategies vary by location and function. Onsite storage allows easy access but is
vulnerable to local incidents.
• Offsite storage provides a geographic safety net, ideal for disaster recovery, while cloud storage
offers scalable, high-availability solutions but depends on network access.
• Electronic vaulting automates tape management, and tape rotation strategies (like GFS and FIFO)
help maintain organized, secure, and accessible backup systems, ensuring backup reliability and
recovery efficiency.
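Two of the rotation schemes named on this page and the previous one, GFS and Tower of Hanoi, turned into tape-assignment functions so the retention each one buys can be inspected. This is an added example, not from the notes. The GFS calendar rules (weekday backups only, Friday tapes as fathers, the last business day of the month as grandfather) and the five-tape Hanoi set are assumptions; real schedules vary by organisation.

```python
"""Tape assignment under Grandfather-Father-Son (GFS) and Tower of Hanoi.

Added example, not from the notes. The GFS calendar rules and the five-tape
Hanoi set are assumptions; dates may be given as ISO strings.
"""
import calendar
import datetime as dt


def _as_date(day) -> dt.date:
    return dt.date.fromisoformat(day) if isinstance(day, str) else day


def last_business_day(year: int, month: int) -> dt.date:
    d = dt.date(year, month, calendar.monthrange(year, month)[1])
    while d.weekday() >= 5:                # 5 = Saturday, 6 = Sunday
        d -= dt.timedelta(days=1)
    return d


def gfs_tape(day) -> str:
    """Label of the tape written on `day` under the assumed GFS rules:
    sons (Mon-Thu) are reused every week, fathers (Fridays) every month,
    grandfathers (last business day of the month) are kept for the year."""
    day = _as_date(day)
    if day.weekday() >= 5:
        return "none"                                  # assumed: no weekend backups
    if day == last_business_day(day.year, day.month):
        return f"grandfather-{day.month:02d}"
    if day.weekday() == 4:
        return f"father-{(day.day - 1) // 7 + 1}"      # which Friday of the month
    return f"son-{day.strftime('%a')}"


def gfs_tapes_in_use(year: int) -> int:
    """Distinct tapes one year of the assumed GFS schedule needs."""
    labels = set()
    day = dt.date(year, 1, 1)
    while day.year == year:
        label = gfs_tape(day)
        if label != "none":
            labels.add(label)
        day += dt.timedelta(days=1)
    return len(labels)


def hanoi_tape(n: int, tapes: int = 5) -> str:
    """Tape for the n-th backup (n >= 1): tape A every other backup, B every
    4th, C every 8th, and so on; the last tape absorbs anything beyond the set."""
    if n < 1:
        raise ValueError("backups are numbered from 1")
    level = (n & -n).bit_length() - 1      # number of trailing zero bits of n
    return "ABCDEFGH"[min(level, tapes - 1)]


def hanoi_restore_points(n: int, tapes: int = 5) -> list:
    """Backup numbers still held on the tapes after n backups, newest first:
    the exponentially spaced history Hanoi keeps with few tapes."""
    held = {}
    for i in range(1, n + 1):
        held[hanoi_tape(i, tapes)] = i      # each write overwrites that tape
    return sorted(held.values(), reverse=True)
```

After sixteen Hanoi backups the five tapes hold restore points 1, 2, 4 and 8 backups old plus the newest one, which is the "more coverage from fewer tapes" property the notes mention; the GFS schedule needs 20 tapes a year under the assumed rules (four sons, four fathers, twelve grandfathers).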



Redundant Array of Independent Disks (RAID)

• Purpose of RAID
• Enhancing data speed and availability
• Types of RAID: RAID 0, RAID 1, RAID 5, and RAID 10

Definition and Purpose:
• RAID (Redundant Array of Independent Disks): A configuration of multiple disk drives working together to provide enhanced performance or data redundancy.
• Benefits of RAID: Offers increased data speed and reliability, based on configuration.
Types of RAID:
1. RAID 0 (Striping):
  • Function: Data is split across multiple drives, allowing for faster read and write speeds.
  • Disadvantage: No redundancy—if one disk fails, all data is lost.
  • Use Case: Ideal for non-critical systems where speed is prioritized.
2. RAID 1 (Mirroring):
  • Function: Data is duplicated across multiple disks, providing redundancy.
  • Advantage: Offers high data availability—if one disk fails, data remains accessible.
  • Use Case: Suitable for systems where data reliability is crucial.
3. RAID 5 (Parity Protection):
  • Function: Uses parity to store data redundantly across three or more drives.
  • Advantage: Balances speed and redundancy, with cost-effective storage.
  • Use Case: Widely used in environments where both data protection and performance are needed.
4. RAID 10 (Mirroring and Striping):
  • Function: Combines the benefits of RAID 0 (speed) and RAID 1 (redundancy) by striping and mirroring data across at least four drives.
  • Advantage: High performance with redundancy; however, it is one of the most costly RAID solutions.
  • Use Case: Preferred for critical applications requiring both high speed and availability.

• RAID (Redundant Array of Independent Disks) provides enhanced speed or redundancy by using
multiple disks together in a system.
• Key RAID types include RAID 0 (striping for speed), RAID 1 (mirroring for reliability), RAID 5 (parity for
balance of performance and cost), and RAID 10 (combining mirroring and striping for high speed and
availability).
• RAID setups support various business needs, from improving data access speed to ensuring high
availability and data recovery.
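The four RAID levels above on small byte blocks, as an added example that is not part of the notes: striping, mirroring, XOR parity with rebuild of a failed disk, and the usable capacity each level leaves. The block size and sample data are constructed; the rotating parity slot is the usual RAID 5 layout.

```python
"""RAID 0, 1, 5 and 10 on small byte blocks: striping, mirroring, XOR parity
with rebuild of a failed disk, and usable capacity per level.

Added example, not from the notes. Block size and sample data are constructed.
"""
from itertools import zip_longest


def chunk(data: bytes, size: int) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)]


def xor_blocks(blocks) -> bytes:
    out = bytearray(max(len(b) for b in blocks))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid0_write(data: bytes, disks: int, block: int = 4) -> list:
    """Stripe blocks round-robin across disks; nothing is duplicated."""
    layout = [[] for _ in range(disks)]
    for i, blk in enumerate(chunk(data, block)):
        layout[i % disks].append(blk)
    return layout


def raid0_read(layout, failed=()) -> bytes:
    if failed:
        raise RuntimeError("RAID 0: a failed disk loses the whole array")
    return b"".join(b for row in zip_longest(*layout, fillvalue=b"") for b in row)


def raid1_write(data: bytes, disks: int = 2) -> list:
    return [data] * disks


def raid1_read(layout, failed=()) -> bytes:
    for i, copy in enumerate(layout):
        if i not in failed:
            return copy
    raise RuntimeError("RAID 1: every mirror has failed")


def raid5_write(data: bytes, disks: int = 3, block: int = 4) -> list:
    """Each stripe holds disks-1 data blocks plus one parity block (XOR of the
    data blocks); the parity slot rotates so no disk is a parity bottleneck."""
    if disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    layout = [[] for _ in range(disks)]
    per_stripe = disks - 1
    blocks = chunk(data, block)
    for s, start in enumerate(range(0, len(blocks), per_stripe)):
        stripe = blocks[start:start + per_stripe]
        stripe += [b"\x00" * block] * (per_stripe - len(stripe))   # pad the last stripe
        pslot = s % disks
        row = stripe[:pslot] + [xor_blocks(stripe)] + stripe[pslot:]
        for d in range(disks):
            layout[d].append(row[d])
    return layout


def raid5_rebuild(layout, failed: int) -> list:
    """Any block equals the XOR of the other blocks in its stripe, so a failed
    disk (data or parity) is reconstructed from the survivors."""
    survivors = [d for d in range(len(layout)) if d != failed]
    stripes = len(layout[survivors[0]])
    return [xor_blocks([layout[d][i] for d in survivors]) for i in range(stripes)]


def raid5_read(layout, length: int, failed=None) -> bytes:
    disks = len(layout)
    full = list(layout)
    if failed is not None:
        full[failed] = raid5_rebuild(layout, failed)
    out = b"".join(full[d][i] for i in range(len(full[0]))
                   for d in range(disks) if d != i % disks)    # skip the parity slot
    return out[:length]


def raid10_write(data: bytes, disks: int = 4, block: int = 4) -> list:
    """Two RAID 0 stripe sets mirrored onto each other (even count, at least four)."""
    if disks < 4 or disks % 2:
        raise ValueError("RAID 10 needs an even number of disks, at least four")
    return [raid0_write(data, disks // 2, block)] * 2


def raid10_read(layout, failed_mirror=None) -> bytes:
    return raid0_read(layout[1] if failed_mirror == 0 else layout[0])


def usable_capacity(level: int, disks: int, disk_size: int) -> int:
    return {0: disks, 1: 1, 5: disks - 1, 10: disks // 2}[level] * disk_size
```

The parity property that makes RAID 5 work is in `raid5_rebuild`: because parity is the XOR of the data blocks, any single missing block (data or parity) is the XOR of everything else in its stripe, which is also why a second failure in the same stripe cannot be recovered.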



Clustering and Redundancy

• High Availability (HA) as a key outcome
• Clustering vs. Redundancy approaches

Definitions:
• Clustering:
  • Involves multiple systems working together to handle a load.
  • Commonly used for web servers managed by a load balancer.
  • If one system fails, performance is reduced, but overall functionality continues.
  • Each system in a cluster actively contributes to handling incoming requests.
• Redundancy:
  • Consists of a primary system actively handling all work, with secondary systems in standby.
  • If the primary system fails, a secondary system takes over seamlessly.
  • No performance drop if primary fails, as the secondary system is configured identically to the primary.
Primary By-product:
• Both clustering and redundancy aim for High Availability (HA) to minimize downtime from planned/unplanned outages or component failures.

• Clustering and Redundancy are recovery strategies that enhance high availability (HA).
• Clustering distributes workload among multiple active systems, reducing performance
proportionally if one fails.
• Redundancy, by contrast, designates a primary system for handling tasks, with secondary systems
on standby, resulting in no performance loss if the primary fails.
• Both approaches are fundamental in ensuring continuous operations, with clustering focusing on
shared workload and redundancy on seamless backup.



Recovery Site Strategies

• Site recovery plans for continuity
• Types of recovery sites: Cold, Warm, Hot, Mobile, and Redundant
• Cost vs. Recovery Time for each strategy

Recovery Site Types:
• Cold Site:
  • Provides a basic shell with infrastructure and HVAC.
  • Does not include computer hardware, data, or people.
  • Cost: Lowest ($)
  • Recovery Time: Weeks, as it requires setup and equipment installation.
• Warm Site:
  • Includes basic infrastructure and equipment (racks, cabling).
  • Lacks computer hardware, data, and people.
  • Cost: Moderate ($$)
  • Recovery Time: Days, as basic setup is in place, but systems need to be added.
• Hot Site:
  • Fully equipped with servers, network equipment; lacks only data and personnel.
  • Cost: High ($$$)
  • Recovery Time: Hours, as most infrastructure is already in place.
• Mobile Site:
  • A hot site on wheels, often in a shipping container; flexible for relocation.
  • Cost: High ($$$)
  • Recovery Time: Days to hours, depending on transportation time to the needed location.
• Redundant Site:
  • Fully equipped, with mirrored data and ready personnel.
  • Architected for automatic failover from the primary site.
  • Cost: Extremely high ($$$)
  • Recovery Time: Instant to seconds, as systems are always online and synced.

• Recovery Site Strategies aim to maintain operational continuity by enabling data recovery based on urgency and budget.
• Cold sites are the cheapest, requiring weeks to bring online, while redundant sites offer instant failover at the highest cost.
• Other strategies—warm, hot, and mobile sites—balance setup costs with recovery speed, accommodating varying recovery needs and ensuring businesses are prepared for significant disruptions.

Geographic Disparity in Recovery Site Strategies

• Importance of geographic distance between primary and recovery sites
• Internal vs. external recovery sites
• Other recovery agreements (Reciprocal Agreements, Resource Capacity Agreements, Multiple Processing Sites)
• Key metrics: Recovery Point Objective (RPO) and Recovery Time Objective (RTO)

Geographic Disparity:
• Definition: A recovery site is geographically remote if it's located far enough from the primary site to avoid being impacted by the same disaster (e.g., a site on the East Coast should have a recovery site in the Midwest or West Coast).
• Purpose: Ensures that primary site outages (e.g., natural disasters) do not affect the recovery site.
Internal vs. External Recovery Sites:
• Internal Recovery Site: Owned by the organization; organization has full control.
• External Recovery Site: Provided by third-party providers, such as Sungard, which offers a global network of recovery sites.
• Cloud Services: Increasingly popular as part of disaster recovery, offering remote storage and scalability.
Reciprocal Agreements:
• Definition: An arrangement where two companies agree to support each other's recovery needs if one experiences downtime.
• Practicality: Rare in private enterprise due to dependency risks.
Resource Capacity Agreements:
• Purpose: Agreements with vendors to ensure availability of resources during a disaster, essential for continuity.
Multiple Processing Sites:
• Definition: Redundant processing sites geographically dispersed, used for critical functions (e.g., credit card processing).
• Benefit: Ensures continuity by processing transactions simultaneously at different locations.
RPO and RTO (Key Metrics for Disaster Recovery):
• Recovery Point Objective (RPO): Defines how much data loss an organization can tolerate. Drives backup strategies.
• Recovery Time Objective (RTO): Time required to resume operations at a defined service level. Essential for assessing recovery site needs.
Achieving System Resilience and High Availability:
• Recovery strategies and tools: Clustering, redundancy, replication, spare parts, and RAID contribute to system resilience, high availability, and quality of service (QoS).

• Geographic Disparity ensures that recovery sites remain unaffected by local disruptions at the
primary site.
• Internal vs. external recovery sites balance control with convenience, and options like reciprocal
agreements, resource capacity agreements, and multiple processing sites offer additional
recovery support.
• Metrics like RPO and RTO help define acceptable data loss and recovery time, guiding strategic
decisions around recovery and continuity plans.



Business Continuity and Disaster Recovery Processes (BCM, BCP, DRP)

• Disaster: An event disrupting normal business operations
• BCM (Business Continuity Management): Framework for BCP and DRP
• BCP (Business Continuity Plan): Business process survival strategy
• DRP (Disaster Recovery Plan): Technology infrastructure recovery

Disaster Definition:
• A disaster is any event or circumstance that disrupts the normal functioning of business operations, impacting the ability to continue routine processes.
Business Continuity Management (BCM):
• Definition: The overarching management process that includes developing, implementing, testing, and maintaining business continuity (BCP) and disaster recovery (DRP) plans.
• Purpose: Ensures that organizations can manage unexpected events and continue operations with minimal impact.
Business Continuity Plan (BCP):
• Focus: Continuation and survival of business operations.
• Objective: Outlines strategies and actions to keep critical business processes running during and after a disruptive event.
• Coverage: Addresses key processes, resources, personnel, and procedures to maintain essential functions when disruptions occur.
Disaster Recovery Plan (DRP):
• Focus: Recovery of essential IT systems and infrastructure.
• Objective: Restores critical technology and data systems that are necessary for resuming operations after a disaster.
• Coverage: Encompasses IT assets, networks, hardware, software, and data to support operational continuity.

• BCM is a comprehensive framework for maintaining BCP and DRP plans to handle disruptions.
• BCP focuses on sustaining critical business processes, while DRP is dedicated to recovering vital
technology and infrastructure needed to resume business operations.
• Together, they ensure organizational resilience against unforeseen disruptions.



BCP/DRP Process Steps

• BCP Focus: Maintain operational continuity post-incident.
• DRP Focus: Recover and restore systems to a Business As Usual (BAU) state.
• External Dependencies: Consider how external resources may impact continuity.

Key BCP/DRP Steps:
1. Develop Contingency Planning Policy
  • Establish a formal policy with authority and guidance to create a robust contingency plan.
2. Conduct Business Impact Analysis (BIA)
  • Identify and prioritize critical information systems and business components essential for mission continuity.
3. Identify Controls
  • Implement measures that minimize disruption effects, improve system availability, and manage lifecycle costs.
4. Create Contingency Strategies
  • Define recovery strategies to ensure rapid and effective system restoration post-disruption.
5. Develop Contingency Plan
  • Document an actionable plan with steps for system recovery in case of an incident.
6. Ensure Testing, Training, and Exercises
  1. Testing: Validates the efficacy of recovery steps.
  2. Training: Prepares personnel for plan activation.
  3. Exercises: Identifies gaps in the plan to enhance preparedness.
7. Maintenance
  • Keep the plan current by regularly updating it to align with system and organizational changes.
External Dependencies:
• Consider critical suppliers, like fuel delivery services for generators, as dependencies during disaster scenarios.
• Develop strategies for dependable external support, such as having backup suppliers or service providers.

• The BCP/DRP process emphasizes continuity and rapid recovery from disruptions. BCP keeps
operations functioning, while DRP focuses on returning systems to normal.
• Key steps include policy creation, impact analysis, controls, contingency strategies, and rigorous
testing.
• Additionally, addressing external dependencies ensures that resources essential to recovery are
accessible during a disaster.



Definitions and Cost Implications of RPO, RTO, WRT, and MTD

• RPO (Recovery Point Objective): Maximum data loss tolerable (in time).
• RTO (Recovery Time Objective): Time to restore systems to a defined service level.
• WRT (Work Recovery Time): Time to verify system/data integrity post-recovery.
• MTD (Maximum Tolerable Downtime): Total acceptable downtime for business continuity.

Definitions:
1. Recovery Point Objective (RPO):
  1. Measures data loss tolerance in terms of time (e.g., seconds, minutes, hours).
  2. Defines how much recent data the business can afford to lose.
  3. Cost Implications: Lower RPO (e.g., seconds of data loss) requires high-cost solutions (real-time backup/replication). Higher RPO (e.g., daily backups) is less costly.
2. Recovery Time Objective (RTO):
  1. Maximum allowable time to recover systems to a functional level after a disruption.
  2. Shorter RTOs lead to faster system recovery but increase costs.
  3. Cost Implications: The shorter the RTO, the higher the investment in resources and technology to ensure rapid recovery.
3. Work Recovery Time (WRT):
  1. Time required to confirm system/data functionality post-restoration.
  2. Ensures that operations can fully resume without issues.
  3. Component of MTD, highlighting the need for thorough testing.
4. Maximum Tolerable Downtime (MTD):
  1. Total time a business process can be down before severe impact.
  2. Formula: MTD = RTO + WRT
  3. Key metric in deciding disaster declaration timing.
Example Scenario (Bank Disaster):
• Bank with a 24-hour RPO would accept a day's data loss with daily backups.
• For minimal loss tolerance (e.g., few seconds), continuous replication and stream backups are necessary.
• MTD represents the ultimate threshold before significant operational loss and reputational damage.
Relationships:
• Timeline: BAU -> Disaster -> RPO -> RTO -> WRT -> MTD
• Each component illustrates steps from initial data loss to full business continuity restoration.

• RPO, RTO, WRT, and MTD are essential metrics in continuity planning, each defining
recovery objectives and potential downtime impact. RPO and RTO have direct cost
implications—the lower these objectives, the higher the cost of maintaining them. MTD
(comprising RTO + WRT) serves as a critical threshold for decision-making in disaster
recovery, ensuring the business can continue to operate with minimal interruption.



Business Impact Analysis (BIA)

• Purpose of BIA: Predict consequences of a disaster and gather data for recovery strategy development.
• Key Measurements of Time: RPO, RTO, WRT, MTD for critical functions/processes.
• Process Steps: Identify business functions, assess impacts, and establish recovery priorities.

Purpose of the BIA Process:
• The BIA is essential to Business Continuity Planning (BCP).
• Predicts the impact of disruptions on critical business functions and determines recovery objectives.
• Key output: Establishes RPO (Recovery Point Objective), RTO (Recovery Time Objective), WRT (Work Recovery Time), and MTD (Maximum Tolerable Downtime).
• Helps prioritize systems and processes in a disaster, enabling resource allocation for the recovery of the most critical functions.
Process Steps:
1. Determine Mission/Business Processes and Recovery Criticality:
  • Identify key business processes.
  • Determine impacts of disruption and estimate tolerable downtime (using RPO, RTO, WRT, MTD metrics).
2. Identify Resource Requirements:
  • Assess what is needed to restore critical business operations (e.g., staff, data, equipment, facilities).
  • This evaluation ensures realistic recovery efforts by identifying dependencies.
3. Identify Recovery Priorities for System Resources:
  • Link system resources to essential processes and establish dependency-based priorities.
  • Set recovery order based on business impact and dependency structure.
Process Insights:
• Involves staff from various functions for insights on critical systems and recovery needs.
• Uses a combination of quantitative (e.g., financial records) and qualitative (e.g., interviews, observation) data.
• The BIA is iterative and collaborative, often requiring detailed analysis across teams and departments.

• The Business Impact Analysis (BIA) is a structured process to identify critical business functions and
assess the potential impacts of disruptions.
• It defines essential recovery times (RPO, RTO, WRT, and MTD) and prioritizes resources and
processes for efficient recovery.
• This proactive planning enables an organization to protect vital assets and maintain operations
during and after a disaster.



Disaster Response Process

• MTD (Maximum Tolerable Downtime): Determines when to declare a disaster.
• Disaster Declaration: Made by an authoritative entity when MTD will be exceeded.
• Disaster Response Team: Includes personnel from key organizational functions.
• Communication: Internal and external, involving all relevant stakeholders.
• Training & Awareness: Essential for effective disaster response.

MTD Role in Disaster Declaration:
• A disaster is declared if the incident response shows that recovery within the MTD is impossible.
• MTD is the maximum downtime a business can endure without risking viability.
• Example: If a data center fire occurs and MTD is 4 hours, a disaster is declared if recovery will exceed this time.
Disaster Declaration Process:
• Disasters are officially declared when incidents surpass MTD and threaten operations.
• Decision made by CEO or Business Continuity Board/Committee.
• Clear criteria are necessary to differentiate between incidents and disasters.
Incident Assessment Prior to Declaration:
• The incident response team evaluates severity and the likelihood of meeting the MTD.
• If MTD is at risk, the Disaster Recovery Plan (DRP) is activated.
Personnel Involved:
• The Disaster Response Team includes members from:
  • Executive Management
  • Legal
  • IT
  • Human Resources
  • Public Relations
  • Security
• Team members should be trained in response protocols and participate in regular DR tests.
Training and Awareness:
• Regular training, at least annually, is crucial for ensuring effective disaster recovery.
• Prepares the team for quick and accurate response to real disaster situations.
Lessons Learned:
• Post-disaster analysis to evaluate what worked, what needs improvement, and plan adjustments.
• Continuous improvement for future incidents and disasters.
Communication During Disaster:
• Internal: Communication with senior management, legal, HR, Board members, and PR.
• External: Coordination with regulators, law enforcement, media, and customers.

• The Disaster Response Process activates the Disaster Recovery Plan (DRP) when an incident
threatens to exceed MTD.
• Declaring a disaster involves an assessment of impact, engaging a trained response team, and
executing a well-communicated response.
• Training and reviewing lessons learned improve future resilience, while effective internal and external
communication ensures coordinated management during a crisis.
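The continuity metrics from the "Definitions and Cost Implications of RPO, RTO, WRT, and MTD" page and the MTD-based declaration decision described on this page, worked through in one block. This is an added example, not the notes' own material. The 24-hour RPO and the 4-hour MTD are the figures the notes use for the bank and data-centre examples; the split of that MTD into RTO and WRT, the disaster timestamp and the incident team's recovery estimates are constructed.

```python
"""Continuity metrics on a timeline: worst-case data loss against the RPO,
MTD = RTO + WRT, and the disaster-declaration decision against the MTD.

Added example, not from the notes. The 24-hour RPO and 4-hour MTD are the
notes' figures; the RTO/WRT split and the recovery estimates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ContinuityObjectives:
    rpo_h: float   # tolerable data loss, in hours
    rto_h: float   # time to bring systems back to the agreed service level
    wrt_h: float   # time to verify data/systems before users resume work

    @property
    def mtd_h(self) -> float:
        """Maximum Tolerable Downtime is the sum of RTO and WRT."""
        return self.rto_h + self.wrt_h


def worst_case_data_loss_h(backup_interval_h: float) -> float:
    """With periodic backups the newest restore point can be a full interval old."""
    return backup_interval_h


def interval_meets_rpo(backup_interval_h: float, obj: ContinuityObjectives) -> bool:
    """Daily backups satisfy a 24-hour RPO; a seconds-level RPO needs continuous replication."""
    return worst_case_data_loss_h(backup_interval_h) <= obj.rpo_h


def _hours(x: float) -> timedelta:
    return timedelta(hours=x)


def timeline(disaster_at_iso: str, obj: ContinuityObjectives) -> dict:
    """BAU -> Disaster -> RPO -> RTO -> WRT -> MTD as ISO timestamps. The RPO
    point lies before the disaster: data written after it may be lost."""
    t0 = datetime.fromisoformat(disaster_at_iso)
    return {
        "rpo_point": (t0 - _hours(obj.rpo_h)).isoformat(),
        "disaster": t0.isoformat(),
        "rto_deadline": (t0 + _hours(obj.rto_h)).isoformat(),
        "wrt_deadline": (t0 + _hours(obj.rto_h + obj.wrt_h)).isoformat(),
        "mtd_deadline": (t0 + _hours(obj.mtd_h)).isoformat(),
    }


def declaration_decision(est_rto_h: float, est_wrt_h: float, obj: ContinuityObjectives) -> dict:
    """The incident team's estimate versus the MTD: a disaster is declared (and
    the DRP activated) only when the estimate shows the MTD cannot be met."""
    est = est_rto_h + est_wrt_h
    return {"estimated_downtime_h": est, "mtd_h": obj.mtd_h, "declare": est > obj.mtd_h}


if __name__ == "__main__":
    bank = ContinuityObjectives(rpo_h=24, rto_h=3, wrt_h=1)   # constructed split of a 4 h MTD
    print(timeline("2024-06-01T09:00:00", bank))
    print(declaration_decision(est_rto_h=5, est_wrt_h=1, obj=bank))
```

Note that `wrt_deadline` and `mtd_deadline` coincide: that is the formula MTD = RTO + WRT expressed on the clock, and it is why an estimate that covers only the RTO understates the downtime the declaration has to be judged against.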



Restoration Order

• BIA (Business Impact Analysis) determines the recovery priority of systems.
• Dependency Charts: Map out dependencies to inform restoration sequence.
• DR Site Restoration Order: Most critical systems are restored first.
• Primary Site Restoration Order: Least critical systems are restored first to test stability.

System Recovery Priority Determined by BIA:
• BIA prioritizes systems for recovery based on criticality to business operations.
• Ensures limited recovery resources focus on the most essential systems first.
Dependency Charts for Restoration Order:
• Dependency Charts map the necessary components and sequence for each system.
• Example: Restoring a website requires activating dependencies like load balancers, database servers, and web clusters before the web server.
Disaster Recovery Site Restoration Order:
• After a disaster is declared, recovery efforts focus on bringing critical systems online at the DR site.
• Critical systems are prioritized to minimize operational impact and maintain essential services.
Primary Site Restoration Post-Disaster:
• Once the primary site is ready, least critical systems are restored first to ensure the environment is stable.
• After initial testing and adjustments, critical systems are restored, ensuring smooth operation and reliability at the main site.

• Restoration order in disaster recovery is guided by the BIA, which prioritizes critical systems.
• Dependency charts clarify restoration order by mapping component dependencies.
• At a DR site, critical systems are restored first, while at the primary site, least critical systems are
restored first to test stability, followed by critical systems to ensure a seamless transition back to
normal operations.
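A dependency chart turned into a restoration sequence, covering the BIA's dependency-based priorities and the two orders above (most critical first at the DR site, least critical first when returning to the primary site). This is an added example, not from the notes. The systems, their dependencies and the criticality ranks (1 = most critical) are a constructed version of the website example; the ordering is a topological sort that breaks ties by criticality.

```python
"""Restoration sequencing from a dependency chart with BIA criticality ranks.

Added example, not from the notes. Systems, dependencies and ranks are a
constructed version of the website example; 1 = most critical.
"""
import heapq

# system -> (criticality rank from the BIA, systems it depends on)
CHART = {
    "web-server":    (1, ["load-balancer", "db-server", "web-cluster"]),
    "load-balancer": (2, ["network"]),
    "db-server":     (1, ["storage", "network"]),
    "web-cluster":   (2, ["network"]),
    "storage":       (1, []),
    "network":       (1, []),
    "intranet-wiki": (3, ["network", "db-server"]),
}


def restoration_order(chart: dict, critical_first: bool = True) -> list:
    """Topological order of the chart: a system is restored only after all of
    its dependencies. Among systems whose dependencies are up, the most
    critical goes first (DR site) or the least critical (primary site return)."""
    indeg = {s: len(deps) for s, (_, deps) in chart.items()}
    dependents = {s: [] for s in chart}
    for s, (_, deps) in chart.items():
        for d in deps:
            if d not in chart:
                raise KeyError(f"{s} depends on {d}, which is not in the chart")
            dependents[d].append(s)
    sign = 1 if critical_first else -1          # heap pops the smallest key
    ready = [(sign * chart[s][0], s) for s in chart if indeg[s] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _, s = heapq.heappop(ready)
        order.append(s)
        for t in dependents[s]:
            indeg[t] -= 1
            if indeg[t] == 0:
                heapq.heappush(ready, (sign * chart[t][0], t))
    if len(order) != len(chart):
        raise ValueError("dependency chart contains a cycle; nothing can be restored first")
    return order


def dr_site_order(chart: dict = CHART) -> list:
    return restoration_order(chart, critical_first=True)


def primary_site_order(chart: dict = CHART) -> list:
    return restoration_order(chart, critical_first=False)


if __name__ == "__main__":
    print("DR site:     ", dr_site_order())
    print("Primary site:", primary_site_order())
```

Two things the output makes visible: the network comes first in both orders whatever its rank, because everything depends on it, and the web server, although rank 1, cannot be restored before the load balancer, database and cluster it depends on. A cycle in the chart is reported rather than silently producing a partial order.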



BCP and DRP Testing

• Types of DRP tests: Read-through, Walkthrough, Simulation, Parallel, Full-interruption/Full-scale.
• Order of Testing: Start with the least impactful (Read-through) and progress to the most impactful (Full-scale).
• Impact on Systems: Parallel tests affect only backup systems; Full-scale tests impact production.

Read-through/Checklist Test:
• Purpose: Ensures all major DRP components are included.
• Process: Review DRP for essential information (first steps, contact lists, etc.).
• Impact: Minimal; no effect on systems.
Walkthrough Test:
• Purpose: Allows stakeholders to review and discuss the plan.
• Process: All stakeholders (IT, legal, management) gather to go through the plan, identifying gaps.
• Impact: Paper-based; no effect on systems.
Simulation Test:
• Purpose: Tests response to a hypothetical disaster with scenario-based guidance.
• Process: Facilitator presents a scenario (e.g., fire, virus outbreak); stakeholders respond as if real.
• Impact: Paper-based; no effect on systems.
Parallel Test:
• Purpose: Verifies plan effectiveness on backup systems without impacting production.
• Process: Staff work on backup (parallel) systems at recovery sites.
• Impact: Affects backup systems; no risk to production.
Full-interruption/Full-scale Test:
• Purpose: Comprehensive test to assess DRP readiness by impacting production.
• Process: Simulates actual disaster; both backup and production systems are involved.
• Impact: Highest risk; affects production systems. Requires management approval and prior testing success.

• BCP and DRP testing is essential to validate recovery plans. Tests progress from low-impact (Read-
through, Walkthrough) to high-impact (Parallel, Full-interruption).
• Full-interruption tests are the most conclusive but require management approval due to the impact
on production.
• Each test type ensures preparedness across different disaster scenarios and validates various
aspects of the DRP, contributing to the overall resilience of the organization.



Goals of Business Continuity Management (BCM)

• BCM encompasses BCP and DRP.
• Primary Goals: Safety of People, Minimization of Damage, Survival of Business.
• Top Priority: Safety of people.

1. Safety of People:
• Highest Priority: BCM's foremost goal is ensuring the safety of personnel during any business continuity or disaster recovery efforts.
• All BCM processes should focus on protecting human life above all else.

2. Minimization of Damage:
• Goal: Reduce the damage to facilities and business operations.
• Includes safeguarding business assets, infrastructure, and minimizing physical, operational, and reputational damage.

3. Survival of Business:
• Objective: Maintain business continuity and avoid cessation of operations.
• Focus on preserving the essential business functions to sustain business viability post-disaster.

Additional Considerations:
• Personnel Safety and Security Concerns: Extend beyond the workplace to travel safety and managing situations under duress.
• Travel Safety: Organizations should provide security, medical, and emergency assistance for employees traveling to potentially unsafe regions.
• Handling Duress: Training on responding calmly in high-pressure situations, such as using code words or silent alarms, is critical for employee safety.

• The primary goals of Business Continuity Management are to ensure people's safety, minimize damage, and ensure business survival.
• Safety of personnel is the highest priority in BCM, followed by actions that protect physical and business assets.
• Addressing security concerns, including during travel or duress situations, is essential for a comprehensive BCM approach.
