ISACA CISM – Domain 04 – Information Security Incident Management Part 13

77. Other Recovery Operations

Now, some of the other operations we look at in the recovery, of course, is documentation. Now, documentation is important because, number one, we can learn from previous events. It’s a great way of being able to review the entire process. Not only does it let us learn, but it lets us revamp those plans so that we can have hopefully a better response in the future. And of course, if there’s any type of legal ramification, this type of documentation can be very good, especially if perhaps there’s some liability or something that you can recoup. Your company organization can recoup from the damages that were done from somebody else. The documentation can be used by those legal teams to do that.

Now, part of your recovery operations, of course, is the storage and protection of information to be able to transfer to other locations. So you also want to make sure you have procedures in place for your data preservation. If there’s any type of a legal aspect going on as far as a criminal investigation or even a civil investigation that’s going to end up in courts, then you also want to start taking good care about how you deal with potential types of evidence, things like the chain of custody or adhering to the rules of evidence. When we talk about chain of custody, that means that if you have the idea that a criminal or civil case is going to go forward from whatever damages or whatever may have occurred, that you are able to account.

For that evidence from the time it was discovered to the time it’s being presented in court. So you can show that it was never tampered or altered with. And as well, understanding the ways in which we have to collect evidence so that we can be able to present it. In other words, there are rules of evidence. Now that’s a whole world of forensics that I’ll talk about, just ever so briefly. But it is very important that you have good procedures in place to be able to make sure that you are taking care of the evidence and that you are following the procedures you would need in handling it so that it can be utilized in a court of law.

78. Forensic Investigation

Now on the forensic investigation, remember that forensics just means that you’re making evidence that’s usable in court. I mean, some of you may have watched lots of crime scene shows. We certainly seem to have plenty of them to watch on TV, and they always talk about forensics. But if you think about it, that’s Hollywood. That’s fiction being shown to us. And our goal here is to say, all right, it’s not quite as glamorous as as it appears. Forensics is just making sure that we have collected the evidence properly, that we follow good practices so that we can show that the evidence that is being utilized has not been altered. So that goes back to that chain of custody again. Now, in brief, a chain of custody is simply saying, look, I just discovered this piece of evidence, so I’m collecting it.

Of course, that’s a whole nother area is to collect it properly without damaging, destroying, or altering that evidence. And from that point, you will start a log that says that this evidence is in my possession until you turn it over to somebody else who will sign for it, then who eventually is going to lock it away somewhere in a facility that is watched or at least being able to show that it hasn’t been able to be entered. So that we can say safely that this evidence has never been either out of our control personally or has never been accessed by anybody who could have altered it or damaged it. That means you should have technicians that are trained in the forensics. The field of forensics, especially in the world of data, is a whole different world than you see. Like I said on those fictional TV shows, you think about it, we’re talking about data that’s stored in some sort of fashion.

Whether it’s electronically encoded on a magnetized hard drive, whether it’s burned into your DVDs or however it’s stored, it is easily altered and it is easily damaged. So we have to be able to make sure that people understand how to collect the evidence and how to actually go through and investigate and examine that evidence. They have to keep good case logs, documentation. And again, the reason for that is not just chain of custody, but if you come to a conclusion on your evidence, somebody has to be able to look through your logs, follow what you did step by step, and be able to come up with the same conclusions. Or now you start having a difference of opinion and you have nothing that’s really good to use in your court case. And of course, investigative reports kind of help go along with those case logs.

And you should have good or proper lab facilities, again, so that you can avoid contamination. We sometimes use the term cross contamination, where evidence from one case might interfere with another case or get mixed up. Plus, having the right facilities for the recording of information for storing it and we just go on for a long time. Forensics cassette usually takes weeks to talk about, so these are just things that you need to make sure are in place. It doesn’t mean that you, as the manager, have to understand fully the realm of forensics to make sure you have taking care of those things, such as the chain of custody, having people trained in forensics, getting the proper documentation, having the proper facilities in place.

79. Hacker / Penetration Methodology

We make a lot of mention about the penetration testing. And so I kind of broke this down by kind of the methodology hackers and at least a professional hacker and a penetration tester would take. And I want you to realize this is a 30,000 foot view because, you know, an actual penetration test has many, many steps, and, you know, it can easily be 100 page document about some of the things that we do, but this gives you a good idea of the process of the human element. So normally we start off with reconnaissance. With reconnaissance, we actually are doing investigations using things like Google or Erin. And what are we looking for? Well, we’re looking for things like email addresses, servers, websites, information about your IP addresses. It’s really, at least first, it kind of starts off passively where we’re looking for information.

And here’s the thing. When I get emails for addresses, for employees, maybe even for the CEO, I want to start trying to do some fishing to see if I can get even more information from them, like potential passwords and usernames and other types of reconnaissance. And again, most of this is passive because I’m not really attacking your system. You could say email is detectable, but I’m asking other organizations about your organization. But once I start getting information and I’m really looking for targets, then I’m going to start doing some of the things that are all set off alarms. Potentially, once I have those targets determined, what I’m going to start doing is I’m going to start hitting them with port scans and ping sweeps to see what’s out there and what services are running.

I might even do a little bit of extra information to see if I can figure out all the services that are running. And the idea here is, as I’m validating that the targets are alive, so I’m not going to waste my time going after addresses and servers that might not even exist. Once I have my list of targets, then I start the enumeration. That’s where I’m going to query machines about what’s happening. I’m going to see if I can find the user accounts that are on there. And believe me, there are a lot of easy ways to be able to grab that information right from your servers. Not only am I going to do that, but I’m going to do a little fingerprinting. Now, fingerprinting is where I’m going to try to identify what the operating system is. If I determine through fingerprinting that it’s a Windows 2008 server and it’s running maybe, IIS version seven, I’m going to say, all right, I know.

Now to go do some more research, maybe even go back to Google and look at what types of vulnerabilities and successful attacks I might have to go after those very specific bits of information. Now that I’ve gathered a lot of information, I’m going to go on to the attack phase. Now, here’s where I mentioned somewhere within the course about a tool called Core Impact. It’s a commercial tool that you can purchase to run your own penetration test. It’s a very successful tool that will do everything I’ve just talked about up to this point, including launching attacks. But we can utilize other types of things like a free program called Metasploit. Metasploit has a lot of open sourced modules that I can use to start doing attacks. I can also create my own exploits and load them into Metasploit and begin the attack.

And the purpose of the attack in today’s world is to take ownership of your systems. Now, once that attack is on its way, if I am not successful, it seems that today if I’m not successful that we actually then do the denial of service. Why? Well, it’s kind of a sour grapes idea that if I can’t break into the system, then let’s make sure that nobody can use that system. But really my goal is to break in to gain remote access. Now, once I have this remote access, I’m going to go out and see if I can raise my privileges. I want to become the root or the admin or maybe even run as a service. And many buffer overflows will allow me to run as a Windows service because now I have full capabilities to do anything that I want to do. And of course, I am going to create a backdoor because I may have to make a return trip.

Now, what’s interesting is that many hackers will also help harden your system so that nobody else can get in. It’s kind of like, hey, I found it. It’s mine and no one else can have it. So sometimes you’re getting a free courtesy service of patching this thing up after I’ve got the back door. Now, once I have that back door, I’m going to create a pivot point. Now this is interesting because at this point we’re going to repeat everything we just did, but we’re going to repeat it from the inside of your network on a pivot point here. I’m going to upload all of the software that I need my tools to be able to do my best from that new point of view, start this process over and see what’s available on the inside of your network. Now, having just said that, sometimes we also have to make sure when we’re actually done with the entire attack, we want to be able to erase our history. We want to cover our tracks. One of the things we say is that if you’re a good hacker, everybody knows who you are.

But if you’re a great hacker, nobody knows who you are. So now that I’ve kind of given you this idea of these different steps, let me try to see if I can illustrate it with a diagram. So we’re going to assume that you’re having access from the Internet. So we’ll put the www here. And that at some point, I’m going to be entering into your domain, into your network, and trying to access what we often call as the demilitarized zone. The DMZ is an area that you allow public access into your network. Web servers, email servers, maybe even DNS. And remember, I’m out here working as this hacker trying to do bad things to your systems. And one of the first things, of course I said is, I’m going to go out here and I’m going to hit Google and I’m going to see what web services or what information I can find.

Like I said, because if I can get to Google and Aaron and I’m getting a list of targets and I’m doing my reconnaissance, I said I might also hit that person at home. Email. Why at home? Well, I mean, certainly they may answer their email while they’re at work, but the goal of trying to hit somebody with their corporate email account at home is that often they have less security at a person’s home than they do in their actual enterprise. And so I have a better chance of learning where that person is and doing some of the same attacks on them. And if I can own their systems, maybe I can then hijack one of their VPNs into your system. All right, so now it’s getting a little out of hand here, but once I get all that information, then I start the attacks. I start hitting those designs or those machines inside the DMZ. And that’s again, where I’m hitting those ports, doing pings, maybe some trace route.

I might even do a firewalk, which is a way of testing your firewall rules to see what’s allowed. Now let’s make the DMZ a little bit bigger. Now I have a little bigger DMZ, and I’m going to create a web server here. So we’ll cross out DMZ. So here’s your web server. And again, my goal is that now I’m attacking it and I’m finding out the information, as I said, through the enumeration, and I’m hopefully getting successful. And let’s say that I now own the system. Well, what do we know about the DMZ? Well, usually I know that these web servers have to go through your security, unlike a firewall to be able to get to maybe a back end database server. But here’s the thing. Now that I own the DMZ, I can upload all of my tools into that server. And because the firewall is trusting the device that I have, that’s where I have that pivot point. And that pivot point is now saying I’m going to start all over again.

And I’m going to start the process of pings, discovering that SQL Server and any other server that I’m allowed to see in that firewall. And I’m going to enumerate information from it, I’m going to attack it. And hey, who knows, maybe I can own the SQL Server. And if I do own the SQL Server. Hey, I’m going to load all my tools on that machine. And now that my tools are on that machine, I guess what I have a new pivot point that is, oh, get this, already inside your local area network because I can now launch my attacks from that machine I own. There is no more protection devices other than any host based solutions that you might be running on your workstations for me to be able to attack, gather information, and just go to town.

And maybe my ultimate goal was your database server and I can retrieve information. But remember, most firewalls say that they allow traffic. So because I was able to get into the DMZ and get to your Web server through your firewall, that was easy. Or it can be easy. And then I took advantage of that trust relationship to get through the firewall into the SQL Server, own the SQL Server that’s supplying data for the web page. And then, like I said, I’m now free to roam inside of your network. Now, having been in that position again, I can take my time because what am I doing? I’m creating back doors in all these processes so that I can come back at a later date if I need to. Now, that’s really kind of the methodology of how a lot of attacks go.

And of course, when I’m complete, like I said, I’m going to get rid of all of the evidence as much as I can, wipe out your events and your logs, and do my best to make myself appear to be invisible. All right, these processes are not all that hard to do. There are some folks who wrote a book a few years ago, and it’s still a very valid book, even by today’s technology standards. That was all about writing secure software, and they estimated really that well. Not 10% of most of your major networks, banks, military, not 20%. I feel like I’m an infomercial, but nearly 100% of all major financial institutions, military organizations, anybody who has a network of information that somebody wants to see that almost all of them have currently hackers inside that network at some layer or another. And a lot of it is because of the ease of the tools that we have to use, the vulnerabilities, and the fact that sometimes folks don’t look at every aspect of security.

Now, one little side note. Had we had intrusion detection running here, my job of getting in would have been almost insurmountable. No, I can still get through. Don’t get me wrong, there are ways we can fool intrusion detection, but they would have seen the attack packets. They would have been able to catch on to that information. That’s why a lot of the actual attacks we do is getting some unsuspecting happy go lucky user inside of this system to come visit my website and download the malware so that I now can just start from this position and then have free roaming access. Yeah. And sometimes that defeats even the best of our security, is people having a lack of awareness and education about what they should and shouldn’t do. And that’s that’s why you hear us talk a lot about having standards that talk about what is the acceptable use.

80. Domain 04 Review

So our domain was on the incident management and response. What we looked at is we talked about developing and implementing processes to detect, identify, analyze and respond to our information security incidences. We also talked about establishing an escalation and communication process to the people involved on the team, to the upper management. We looked at ways of developing plans to respond to and to be able to document those security incidents. We looked at establishing the capability to be able to investigate the types of incidences that are occurring. We also had a process to communicate with the internal and external parties that would be affected. We took a way of integrating the incident response into the disaster recovery and the business continuity.

We also talked about organizing, training and equipped teams to be able to respond to the information security incident. And we talked about making periodic tests and refining the actual information security response plan. We looked at managing the actual response to an information security incident and how to conduct reviews to be able to utilize that information if we needed to, for forensic examinations, for legal issues, or if anything, just to help improve our response the next time.

81. Course Closure

All right. I want to thank you for taking our class on CISM. As you saw, we went through four different domains, updated for the 2013 version. So we started off in domain one, talking about governance as it deals with information security. We looked at all of the different types of information risk management. We talked about how that can help feed into the creation of the information security program development. And then, of course, finally we talked about how we can be prepared, or at least audit, to make sure that we’re prepared for some sort of incident management in what we call the Information Security incident Management.

• Category: Uncategorized