SECURITY
SEC 3301, Security Application Development 1
Course Learning Outcomes for Unit III Upon completion of this unit, students should be able to:
1. Identify the relationship between application security and system development.
   1.1 Identify the security development roles and resources needed for contingency planning and implementation.
   1.2 Define the processes related to the digital forensics investigation.
4. Outline potential application security vulnerabilities.
4.1 Summarize incident response, incident containment, disaster recovery and preventative measures used for business continuity.
Required Unit Resources
Module 5: Incident Response and Contingency Planning

Unit Lesson
Interruptions within an organization are bound to happen. The question is, "When will they happen, and what can be done to mitigate the damage they cause?" Within this unit, you will gain an understanding of the purpose and need for contingency planning (CP), which is also referred to as disaster recovery and business continuity planning. Incident response is an additional major theme here, as the textbook authors comprehensively describe the components of incidents and the digital forensics processes used to determine why these events occurred. Toward the conclusion of this unit, a discussion is held on how the organization would prepare and execute a test of its contingency plans. Testing is essential to ensure that the plans work in the event that something happens.

It is important that plans are made for adverse events in which the technologies an organization uses are disrupted and business comes to a halt. Often, the information technology (IT) and information security communities assess the entire technological infrastructure of the organization, using the mission statement and current organizational objectives to drive their planning activities. These activities must be sanctioned and actively supported by the general business community of interest, per the National Institute of Standards and Technology's (NIST, 2010) Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1). Organizations of every size and purpose should prepare for the unexpected. Incidents or disasters happen in several ways and can develop over time or strike suddenly with no notice. The development of a plan for handling unexpected events must be a high priority for all managers. Sound risk management practices are essential for an organization to be ready for anything that may come its way operationally.
CP helps an organization prepare for, defend against, detect, react to, and recover from adverse events that threaten the security of its resources and assets. The individuals most likely to be responsible for CP are the chief information officer (CIO), system administrators, the chief information security officer (CISO), and key IT and business managers. During CP efforts, each of the four components of CP listed below is examined.

1. Business impact analysis (BIA)
2. Incident response plan (IR plan)
3. Disaster recovery plan (DR plan)
4. Business continuity plan (BC plan)
UNIT III STUDY GUIDE Contingency Planning and Digital Forensics
The figure below illustrates the distinct CP components. Each component is analyzed in its entirety to develop the plan during CP efforts.
Figure 1. CP Hierarchies (Whitman & Mattord, 2022)
The business impact analysis (BIA) document is the first major component of the CP process, and it serves as an investigation and assessment of the impact that various adverse events can have on the organization. The BIA document will include the elements listed below.

1. Scope
2. Plan
3. Balance
4. Objective
5. Follow-up
Incident response planning (IRP) attempts to provide quick, efficient, and timely containment of an issue that occurs as well as the resolution of the issue. In the NIST cybersecurity framework, a five-stage methodology is used to identify the risks, protect through security controls, detect adverse events, respond to the incident, and recover the business to operate as usual.
Figure 2. NIST Cybersecurity Framework (Whitman & Mattord, 2022)
In an IRP, an adverse event must have the three characteristics listed below in order to be considered an information security incident, whether or not the threat behind it is credible. Incident response is a reactive measure, not a preventive one.

1. It targets information assets.
2. It has a high likelihood of success.
3. It manifests against the confidentiality, integrity, or availability (CIA) of information resources and assets.

The computer security incident response team (CSIRT) is responsible for executing the IRP across the detection, reaction, and recovery phases of incident response. When detecting incidents, it is important to properly classify the incident, document this in the IRP, and list the levels of security threat that might occur. The CSIRT will look for any possible indicators that an incident has occurred and list the probable indicators that show the incident as unexpected or outside the normal. The team will follow up with a knowledge check and review to see whether any possible or probable indicators are definite indicators of existing red flags and documented incidents.

Once it has been confirmed that an incident exists and it has been properly classified, the next steps are to notify the first tier of the alert roster, document the incident in the incident management system, work through containment strategies, and continue escalating the incident to higher tiers if needed. Recovering from incidents requires the CSIRT to assess the immediate severity of the breach, analyze logs and other sources of information to determine the extent of the damage, and plan the steps needed to mitigate and recover from any damage. Organizations should have a recovery plan in place. NIST's Contingency Planning Guide for Federal Information Systems (SP 800-34 Rev. 1) provides guidance across different functions after an incident has occurred. Once the recovery plan has been completed, the CSIRT will produce an after-action review (AAR), which provides a root cause analysis shared with those directly involved in the containment of the incident.

Below are the recommendations that NIST's Contingency Planning Guide for Federal Information Systems (SP 800-61 Rev. 2) makes with respect to handling incidents (as cited in Whitman & Mattord, 2022, p. 197).
1. Acquire tools and resources that may be of value during incident handling.
2. Prevent incidents from occurring by ensuring that networks, systems, and applications are sufficiently secure.
3. Identify precursors and indicators through alerts generated by several types of security software.
4. Establish mechanisms for outside parties to report incidents.
5. Require a baseline level of logging and auditing on all systems and a higher baseline level on all critical systems.
6. Profile networks and systems.
7. Understand the normal behaviors of networks, systems, and applications.
8. Create a log retention policy.
9. Perform event correlation.
10. Keep all host clocks synchronized.
11. Maintain and use a knowledge base of information.
12. Start recording all information as soon as the team suspects that an incident has occurred.
13. Safeguard incident data.
14. Prioritize handling of incidents based on relevant factors.
15. Include provisions for incident reporting in the organization's incident response policy.
16. Establish strategies and procedures for containing incidents.
17. Follow established procedures for evidence gathering and handling.
18. Capture volatile data from systems as evidence.
19. Obtain system snapshots through full forensic disk images, not file system backups.
20. Hold lessons-learned meetings after major incidents.
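Recommendations 9 and 10 above (perform event correlation; keep host clocks synchronized) go together: events from several hosts can only be ordered and correlated once their timestamps are on a common clock. The script below is an added example written for this study guide, not code from the textbook or from NIST. It parses constructed sample authentication log lines from three hosts that report in different time zones, normalizes every timestamp to UTC, and then raises an alert when a source address produces a run of failed logins followed by a success within a short window. The log format, host names, and addresses are all assumptions made for the example.

```python
"""Event correlation across hosts with timestamps normalized to UTC.

Added example for the NIST incident-handling recommendations above; the log
lines, hosts, and addresses below are constructed sample data, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines. Assumed format:
#   <host> <ISO-8601 timestamp with UTC offset> <event> src=<ip> user=<name>
# web01 reports in UTC-5, web02 in UTC, web03 in UTC+1, so the raw timestamps
# cannot be compared until they are brought onto one clock.
SAMPLE_LOGS = [
    "web01 2024-03-01T09:00:01-05:00 auth_fail src=203.0.113.7 user=alice",
    "web01 2024-03-01T09:00:04-05:00 auth_fail src=203.0.113.7 user=alice",
    "web02 2024-03-01T14:00:06+00:00 auth_fail src=203.0.113.7 user=alice",
    "web02 2024-03-01T14:00:09+00:00 auth_ok src=203.0.113.7 user=alice",
    "web03 2024-03-01T15:10:00+01:00 auth_fail src=198.51.100.2 user=bob",
]


def parse_line(line):
    """Split one log line into fields and convert its timestamp to UTC."""
    host, stamp, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "host": host,
        # fromisoformat keeps the offset; astimezone puts it on the UTC clock
        "time": datetime.fromisoformat(stamp).astimezone(timezone.utc),
        "event": event,
        "src": fields["src"],
        "user": fields.get("user"),
    }


def correlate_bruteforce(lines, min_failures=3, window=timedelta(minutes=5)):
    """Alert when a source has >= min_failures failed logins inside `window`
    and then a successful login, regardless of which host saw each event."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["time"])
    failures = defaultdict(list)  # src -> [(utc time, host), ...]
    alerts = []
    for event in events:
        if event["event"] == "auth_fail":
            failures[event["src"]].append((event["time"], event["host"]))
        elif event["event"] == "auth_ok":
            recent = [
                (t, h) for t, h in failures[event["src"]]
                if event["time"] - t <= window
            ]
            if len(recent) >= min_failures:
                alerts.append({
                    "src": event["src"],
                    "user": event["user"],
                    "failures": len(recent),
                    "hosts": sorted({h for _, h in recent}),
                    "success_at": event["time"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(SAMPLE_LOGS):
        print(alert)
```

In the sample data the three failures against `alice` are spread across web01 and web02, and only the UTC conversion reveals that they all fall within eight seconds of the eventual success; with the raw local timestamps they would appear five hours apart. The same structure applies to any correlation rule that spans hosts: normalize first, order second, correlate third.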
There are two different approaches that an organization can choose from for incident response and disaster recovery in terms of digital forensics and involvement with law enforcement agencies. One is the protect and forget approach, where the analysis and remedy prevent any future occurrences, and the incident is then simply forgotten. The other takes a digital forensics approach of apprehend and prosecute. This approach is meant to punish those individuals responsible for an incident and requires the broad capture and protection of evidence for prosecution.

Digital forensics is important because digital media can be found in every organization, from simple mom-and-pop establishments to huge corporations. This digital media represents all documentation stored in digital format, from huge information systems to the common home computer. When this digital information has been compromised through intentional or unintentional causes, the CISO or a designated representative must investigate the incident. This investigative work is known as digital forensics. Digital forensics involves the preservation of all digital media as evidence and uses the two methods listed below (Whitman & Mattord, 2022).
1. Digital malfeasance: Law enforcement investigates incidents of misuse, damage, or wrongdoing of information within computer information systems.
2. Root cause analysis: An incident investigation using digital forensics allows the investigator to utilize any methodology to examine the unauthorized access and attacks on digital media.
Many organizations do not have digital forensics experts at their fingertips; such experts are few and are spread thin among a few organizations that do have a digital forensics team. However, selecting a few members of the security team to attend conferences or workshops or to obtain certificates should help those organizations that do not have these experts available. In either case, the digital forensics team follows the generally accepted digital forensics process. Whitman and Mattord (2022) outline these steps, which are shown in the graphic below.
Figure 3. The Digital Forensics Process (Whitman & Mattord, 2022)
The digital forensics methodology model can be used by large, medium, or small teams, or even by a single team member, after a search and seizure warrant has been obtained. As mentioned by Whitman and Mattord (2022), the phases listed below must be followed.

1. Identify the appropriate evidentiary material.
2. Obtain the evidence without manipulating or harming the evidence.
3. Ensure the evidence is certifiably authentic at each step and has not been changed since its seizure.
4. Scrutinize the data without altering the evidence or performing unauthorized access.
5. Report all results to the proper authority.
Preservation, along with established, uniform steps for seizing evidentiary material, is of utmost importance to ensure the evidence that has been taken has not been changed, altered, unlawfully accessed, or removed. If the evidence has not been preserved, then it is no longer valid in court.

Once an incident has reached a severity at which its impact cannot be contained or controlled, it will be classified as a disaster. It will be escalated to the disaster recovery response team (DRRT), which will use the disaster recovery plan (DRP) to assess the damage and work with other functional teams and vendors to reestablish business continuity. The purpose of the business continuity plan is the continued operation of the organization after a disaster has occurred, which may or may not take place at the original location. IR, DR, and BC planning have similarities, but each has specific components that differentiate it from the others, and all are critical to CP. Comparisons of IR, DR, and BC planning are shown in Figure 5-14 in the textbook.
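Step 3 of the forensics process above, together with the preservation requirement, is usually satisfied in practice by hashing the acquired image at seizure and re-hashing it at every custody event, so that any change to the evidence is detectable and the chain of custody documents who handled it and when. The class below is an added example written for this study guide, not code from the textbook; it stands in a forensic image with a constructed in-memory byte string, records a chain-of-custody entry per handling step, and reports whether the image still matches the hash taken at seizure. The item identifiers and handler names are assumptions made for the example.

```python
"""Evidence integrity and chain-of-custody record.

Added example for the digital forensics process above. The "image" is a
constructed byte string standing in for a forensic disk image; hashes and
custody entries work the same way on a real image file read in binary mode.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (would normally be a file).
SAMPLE_IMAGE = b"constructed sample disk image bytes " * 64


def sha256_hex(data: bytes) -> str:
    """Hash the evidence; SHA-256 is the value recorded on the custody form."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chain of custody for one evidence item, anchored to its seizure hash."""

    def __init__(self, item_id: str, description: str, seized_by: str, image: bytes):
        self.item_id = item_id
        self.description = description
        self.seized_hash = sha256_hex(image)   # reference value for every later check
        self.entries = []
        self.log("seized", seized_by, image)

    def log(self, action: str, handler: str, image: bytes, note: str = "") -> dict:
        """Record one handling step and the hash observed at that step."""
        observed = sha256_hex(image)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item_id": self.item_id,
            "action": action,
            "handler": handler,
            "hash": observed,
            "matches_seizure": observed == self.seized_hash,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        """True only if the image still hashes to the value recorded at seizure."""
        return sha256_hex(image) == self.seized_hash

    def intact_chain(self) -> bool:
        """True if every custody entry observed the original seizure hash."""
        return all(entry["matches_seizure"] for entry in self.entries)

    def working_copy(self, image: bytes) -> bytes:
        """Return a verified copy for examination so the original is never touched
        (step 4 above: scrutinize the data without altering the evidence)."""
        if not self.verify(image):
            raise ValueError(f"{self.item_id}: image no longer matches seizure hash")
        return bytes(image)


if __name__ == "__main__":
    record = CustodyRecord("E-001", "laptop disk image", "analyst A", SAMPLE_IMAGE)
    record.log("transfer to evidence locker", "analyst B", SAMPLE_IMAGE)
    copy = record.working_copy(SAMPLE_IMAGE)
    print("chain intact:", record.intact_chain(), "copy ok:", record.verify(copy))
    tampered = SAMPLE_IMAGE[:-1] + b"X"          # a single changed byte
    record.log("examination", "analyst C", tampered)
    print("chain intact after tamper:", record.intact_chain())
```

A single altered byte changes the SHA-256 value, so the custody entry that observed it is marked as not matching and `intact_chain()` becomes false from that point on; the record shows exactly which handling step first saw a changed image, which is the question a court will ask.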
References

National Institute of Standards and Technology. (2010, November 11). Contingency planning guide for federal information systems. Computer Security Resource Center. https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final
Whitman, M. E., & Mattord, H. J. (2022). Principles of information security (7th ed.). Cengage Learning.

Suggested Unit Resources
In order to access the following resources, click the links below.

The following presentation will summarize and reinforce the information from Module 5 in your textbook.

Module 5 PowerPoint presentation (PDF version of the Module 5 PowerPoint presentation)

Your CSU Online Library has a wealth of videos within the Films on Demand database that concern the topics in this unit. For example, the following video provides additional information about protecting computer systems from risks.

National Geographic (Producer). (2010, February 12). Privacy vs. security (Segment 34 of 35) [Video]. In Science of surveillance. Films on Demand. https://libraryresources.columbiasouthern.edu/login?auth=CAS&url=http://fod.infobase.com/PortalPlaylists.aspx?wID=273866&xtid=40755&loid=76831

To view a transcript of this video, click on the "Transcript" tab near the top right corner of the page.

Learning Activities (Nongraded)
Nongraded Learning Activities are provided to aid students in their course of study. You do not have to submit them. If you have questions, contact your instructor for further guidance and information.

Research Online
Conducting your own research to further your learning and understanding can help you become a stronger student and can help you to see what areas interest you. Additionally, you may find resources that can help you complete your assignments. Consider searching the Academic OneFile database of the CSU Online Library using a combination of the following keywords: "contingency planning," "business impact analysis," "incident response," "digital forensics," and "disaster recovery."

Please note: When searching, remove the commas and capitalization, and use the top search box with "Subject" selected from the dropdown. Once the results generate, use these search options to refine the results: "Peer Reviewed Journals" and "Custom Date Range" between 2018 and the present to ensure that articles are scholarly and less than 5 years old. Then, select and read two articles.

Access the Academic OneFile database.

Check Your Knowledge
Answer the review questions and exercises for the Module 5 Review Questions and Exercises. These questions will help you assess whether or not you have mastered the unit content. Can you answer them without looking back in the textbook? After you have answered the questions, you can find out how well you did by checking the answers.

Answers for Module 5 Review Questions and Exercises