
Security Operations: CISSP, #7
Ebook, 146 pages, 2 hours


About this ebook

Security Operations is the 7th domain of the CISSP's Common Body of Knowledge. In this course we will cover some of the following topics: digital forensics, incident management, logging and monitoring, vulnerability and change management, investigative types, evidence handling, recovery strategies, personnel privacy and safety, business continuity and disaster recovery, internal physical security, external physical security, and securing assets.

Language: English
Release date: Apr 2, 2020
ISBN: 9781393054795
Author

Selwyn Classen

A seasoned and highly qualified IT/IS professional with over 20 years working experience within the Petrochemical industry (i.e. Supply chain management, Knowledge management, Product and Quality management, Business analysis and processing) including the Telecommunications industry.


    Book preview

    Security Operations - Selwyn Classen

    While every precaution has been taken in the preparation of this book, the publisher assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

    SECURITY OPERATIONS

    First edition. April 2, 2020.

    Copyright © 2020 Selwyn Classen.

    Written by Selwyn Classen.

    Table of Contents

    Introduction

    Security Operations Foundations

    Conclusion

    Digital Forensics

    Introduction to Digital Forensics

    Digital Forensics Foundations

    Creating a Digital Forensics Capability

    Conclusion

    Logging and Monitoring

    Introduction

    Logging and Monitoring Basics

    Log Management

    Logging and Monitoring Concerns

    Conclusion

    Vulnerability Management

    Introduction

    Vulnerability Assessment

    Patch Management

    Conclusion

    Change Management

    Introduction

    Change Control Process

    Conclusion

    Operate and Maintain Protective Controls

    Introduction

    Maintaining and Operating Protective Controls

    Important Terms and Conclusion

    Incident Management

    Introduction

    Creating an Incident Response Capability

    Incident Response Life Cycle

    Conclusion

    Investigative Types

    Introduction

    Investigative Types

    Conclusion

    Evidence Handling

    Introduction

    Rules of Evidence

    Conclusion

    Resource Provisioning

    Introduction

    Provisioning Assets

    Conclusion

    Recovery Strategies

    Introduction

    Recovery Strategies

    Conclusion

    Personnel Privacy and Safety

    Introduction

    Privacy

    Safety Matters

    Conclusion

    Business Continuity and Disaster Recovery

    Introduction

    Disaster Recovery and Business Continuity

    Conclusion

    Internal Physical Security

    Introduction

    Alarms, Access Cards, Biometrics, and Locks

    Key Controls

    Mantraps, Safes, Vaults, and Turnstiles

    Conclusion

    Securing Assets

    Introduction

    Protecting Security Equipment

    Conclusion

    External Physical Security

    Introduction

    Barriers

    Lighting

    Closed Circuit Television

    Conclusion

    Introduction

    The information provided within is based on the material that you will need to know before taking the CISSP exam, specifically those topics found in the 7th domain of the Common Body of Knowledge (CBK). The primary role of a security operations team is to maintain the security of systems that are found in production environments. These are live systems that organizations rely on to perform business-critical duties on a day-to-day basis. This course is going to cover many different areas, such as digital forensics, incident management and evidence collection, incident response, logging and monitoring, vulnerability and change management, and the protective controls that are typically operated by security operations teams.

    I will also outline the different investigative types that are commonly used. When there is an incident, there will be a need for proper evidence handling. We will cover that as well. We will also cover different aspects of physical security, such as internal and external security controls that can delay, deter, or detect attacks on our environments. Additionally, we will address the need to protect our personnel and keep them safe. Moreover, as if that is not enough to cram into one single domain of the CBK, we will also cover the steps needed to deal with disasters and how to perform recovery operations.

    Security Operations Foundations

    As you can see, there is much information that will be covered in this course. Just try to remember that the important part is understanding the foundational concepts and how they all work together to protect confidentiality, availability, and integrity. The duties performed by security operations teams are what keep attackers at bay on a day-to-day basis. Organizations face the challenge of making services available to their workers and customers while at the same time attempting to reduce the risk associated with providing these very same services. By having a well-trained and well-staffed security operations team, organizations can respond to the changing threat landscape on a proactive basis. A standard security operations team will contain several functions. Some of these include a team to handle vulnerability management and possibly other operational tooling, such as data loss prevention tools and firewall configurations.

    There may also be a team that handles incident response duties. This team will work with human resources, and possibly even law enforcement, to collect and analyze data that can be used by the organization for various purposes. There may also be a security operations center that will employ individuals to monitor and track threat events. This may be the first line of defense and is extremely useful when timing is important. Due to the critical nature of the duties performed by these teams, several key factors need to be considered. We will briefly discuss each of these before diving into each of the focus areas for the security operations domain. The first of these concepts is known as job rotation. This control will assist in the prevention of collusion or other malicious activity such as fraud. When people are required to rotate positions, there is a possibility that malicious activities will be detected by the person taking on the new role. Another benefit of having employees rotate job positions is that you will end up with a well-rounded workforce with a diverse skill set and a greater understanding of how all of the roles work together.

    The downside is that it is challenging for people to specialize if they must rotate to different positions frequently. Separation of duties is precisely what it sounds like. The goal of this concept is to eliminate the potential for fraud or other malicious activities. It is very useful for situations that involve access to sensitive information, such as credit card numbers or other financial information. Mandatory vacations are also a useful security control for preventing fraud. Sometimes malicious activities require that a person remain available with constant access to a system in order to hide their activities. By forcing someone to go on vacation, the organization gains time to have someone else review their work and possibly even audit their systems. This is especially important in cases where the person on vacation typically has elevated privileges to the network and its systems.

    Conclusion

    You should now have a good idea of what we will cover in this course. You have been presented with a quick overview of what security operations is, and have been provided with a quick listing of some of the topics that we will cover within this course. I have also introduced some important terms that you may come across in regard to security operations teams, such as mandatory vacations and separation of duties. Now that you have the basics out of the way, let us get started with the first module in this course, Digital Forensics.

    Digital Forensics

    Introduction to Digital Forensics

    For centuries, crimes have been solved by identifying evidence that points to the who, what, when, where, and how of something that occurred. The onset of technology only increased the data sources that were available. The activity of performing digital forensics addresses this need by ensuring that evidence is collected in a format that is presentable in a legal courtroom setting. For all of this to happen, many different concerns need to be addressed. As with any concept, it is essential to first understand how the topic is defined. So we will start this course module with a definition of digital forensics.

    Once that has been established, you will quickly move on to learning why digital forensics is needed and what the outputs of this activity generally accomplish. Also, there are different types of digital forensics that you may come across throughout your career, so I will quickly highlight those as well, and then move on to showing you what an organization must do to establish a digital forensics capability. After that, I will review key terminology that you may need to be aware of before taking your CISSP examination. So let us get started by taking a look at what digital forensics is.

    Digital Forensics Foundations

    In the grand scheme of things, digital forensics can be thought of as a process of extracting information from electronic devices, preserving that information, analyzing any associated findings, and then interpreting the results. This entire process is also sometimes referred to as computer forensics. Ultimately, digital forensics can be defined as a branch of forensic science that is focused on the identification, collection, and analysis of elements found in electronic devices. In the next section, we are going to dive a little bit deeper so
