DACS 2201 / 13-Incident Response & Security Policies

Learning Objectives

  • List the specific steps required to prepare for a cybersecurity incident.
  • Explain the concepts of incident preparation and incident response processes.
  • Define the scope and meaning of business continuity.
  • Explain the purpose and function of a security policy.
  • List and describe different types of security policies used in organizations.

Origins and Nature of Cybersecurity Incidents

  • Reasons for Incidents: Most cybersecurity incidents occur due to fundamental security gaps within an organization.
    • Weak Account Types: Threat actors target accounts with weak security but high privilege levels to access protected resources or steal sensitive data. All accounts must be rigorously reviewed, and unnecessary ones should be deleted or strengthened. Specific types of weak accounts include:
      • Temporary Guest Accounts: Accounts created for short-term use.
      • Shared Accounts: Accounts accessed by more than one user.
      • Generic Accounts: Non-user specific accounts, such as "HelpDesk_1".
      • Service Accounts: Accounts assigned to specific processes or services running on servers.
    • Poor Access Control: Access control involves granting or denying approval to use specific resources.
      • Physical Access Control: Physical measures to limit device contact, including fencing, hardware door locks, and mantraps.
      • Technical Access Control: Technological restrictions that prevent unauthorized users from accessing data on computer systems.

Essential Access Control Terminology and Concepts

  • Identification: The process of recognizing and distinguishing one user from every other user (e.g., a user presenting a username).
  • Authentication: The process of verifying a user's identity by checking credentials, such as validating passwords or fingerprints.
  • Authorization: The act of granting specific permissions to take action. This occurs after authentication is complete, resulting in the user being allowed or denied access to resources.
  • Access Level: The rights assigned to a user to access specific services, devices, applications, or files required to perform their job duties.
  • Accounting: The preservation of a record detailing who accessed the system, what resources were accessed, and the precise time of access, often stored in activity logs.
  • Escalating Privileges: An event where a user authorized for certain tasks gains unauthorized access to protected resources beyond their original scope.
  • Access Control Modeling Components:
    • Object: A specific resource, such as a file, database table, or hardware device (e.g., a computer or router).
    • Subject: A user or process that acts on an object (e.g., a human user or a web application).
    • Operation: The action taken by a subject over an object (e.g., deleting a file).
    • Access Control Matrix (ACM): A security model featuring a row for each subject and a column for each distinct object.
    • Access Control List (ACL): A vertical slice of an ACM; common in Operating Systems (OS) and relational databases.
    • Capability List: A horizontal row within an ACM, representing user-oriented permissions.
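The matrix, its two slices, and the accounting record from the terminology above, as an added example that is not part of the lecture notes; subject, object and operation names are constructed for illustration.

```python
# Added example (not from the lecture notes): an access control matrix (ACM)
# with ACL and capability-list views plus an accounting log. Subject, object
# and operation names are constructed for illustration.
from typing import Dict, List, Set, Tuple

# ACM: one row per subject, one column per object; each cell holds the
# operations that subject may perform. A missing cell means "no access".
ACM: Dict[str, Dict[str, Set[str]]] = {
    "alice":  {"payroll.xlsx": {"read", "write"}, "router1": {"configure"}},
    "bob":    {"payroll.xlsx": {"read"}},
    "webapp": {"orders_table": {"read", "write"}},
}

# Accounting: (subject, operation, object, decision) for every check made.
AUDIT_LOG: List[Tuple[str, str, str, str]] = []

def acl(obj: str) -> Dict[str, Set[str]]:
    """Vertical slice of the ACM: which subjects may do what to ONE object.
    This is the view an OS or database keeps next to the object."""
    return {subj: row[obj] for subj, row in ACM.items() if row.get(obj)}

def capability_list(subject: str) -> Dict[str, Set[str]]:
    """Horizontal slice of the ACM: everything ONE subject may do."""
    return {obj: ops for obj, ops in ACM.get(subject, {}).items() if ops}

def is_permitted(subject: str, operation: str, obj: str) -> bool:
    """Reference-monitor check with default deny; records the decision
    so that who did what, to which object, is preserved."""
    allowed = operation in ACM.get(subject, {}).get(obj, set())
    AUDIT_LOG.append((subject, operation, obj, "allow" if allowed else "deny"))
    return allowed

def revoke_subject(subject: str) -> None:
    """Deleting an unnecessary account = dropping its whole row, which
    removes it from every object's ACL at once."""
    ACM.pop(subject, None)

if __name__ == "__main__":
    print("ACL for payroll.xlsx:", acl("payroll.xlsx"))
    print("Capabilities of alice:", capability_list("alice"))
    print("bob write payroll.xlsx:", is_permitted("bob", "write", "payroll.xlsx"))
```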

Access Control Schemes and Models

  • Discretionary Access Control (DAC): The least restrictive model.
    • Common in major operating systems for file access.
    • Every object has an owner who possesses total control. Owners are typically the users who created the file.
    • Owners can grant permissions to other subjects.
    • Significant Weaknesses: Relies on end-user decisions for security levels, and programs executed by a subject inherit that subject's permissions.
  • Mandatory Access Control (MAC): The most restrictive model.
    • Users cannot set access levels. Instead, a separate "data custodian" assigns controls.
    • Uses a hierarchy of levels for security classification (e.g., Top Secret > Secret > Confidential).
    • Objects are assigned labels representing their category.
    • Permissions are granted by matching object labels against subject clearance levels.
    • Example: An officer with "Secret" clearance for categories "Nuclear, China" can access "Secret" and "Confidential" documents in those categories, but cannot access "Top Secret" documents in those same projects.
    • Mandatory Integrity Control (MIC): The Microsoft Windows implementation of MAC, where low-level standard users must provide a higher-level administrative password to install software.
  • Role-Based Access Control (RBAC): Commonly considered a more "real-world" scheme.
    • Permissions are assigned to organizational roles based on job duties, and users are then assigned to those roles.
    • Example: Roles like "SysAdmin" and "SalesRep" are created. If a new user named "Ahmed" joins as a system administrator, he is simply assigned the "SysAdmin" role.
  • Rule-Based Access Control (RBAC): Uses specific rule sets to grant or deny access.
    • Example: A port-filtering firewall that denies access to Telnet port 23 and FTP ports 20/21, while granting access to SSH port 22.
  • Attribute-Based Access Control (ABAC): A flexible system where access policies are determined by combinations of object attributes, subject attributes, and environment attributes.
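The MAC example above (an officer with "Secret" clearance for "Nuclear, China"), worked through as an added example that is not part of the lecture notes; the numeric level ordering, document names and the extra "Cuba" category are constructed for illustration.

```python
# Added example (not from the lecture notes): label-based MAC decisions in the
# style of the "Secret clearance for Nuclear, China" example. Level ordering,
# document names and the "Cuba" category are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchy of sensitivity levels; a higher number is more sensitive.
LEVELS: Dict[str, int] = {"Unclassified": 0, "Confidential": 1,
                          "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """Security label: a level plus the set of categories it belongs to."""
    level: str
    categories: FrozenSet[str] = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's AND a's categories
    include every category of b. Both conditions must hold."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories

def can_read(clearance: Label, obj_label: Label) -> bool:
    """Read-down rule: a subject may read an object whose label its
    clearance dominates. The data custodian sets labels, not the user."""
    return dominates(clearance, obj_label)

def readable(clearance: Label, objects: Dict[str, Label]) -> List[str]:
    """Names of the objects a subject may read, e.g. for an access review."""
    return sorted(name for name, lab in objects.items() if can_read(clearance, lab))

# Constructed documents and the officer from the notes' example.
DOCUMENTS: Dict[str, Label] = {
    "nuclear_secret.pdf":     Label("Secret", frozenset({"Nuclear"})),
    "china_confidential.pdf": Label("Confidential", frozenset({"China"})),
    "nuclear_topsecret.pdf":  Label("Top Secret", frozenset({"Nuclear"})),
    "china_cuba_secret.pdf":  Label("Secret", frozenset({"China", "Cuba"})),
}
OFFICER = Label("Secret", frozenset({"Nuclear", "China"}))

if __name__ == "__main__":
    for doc, lab in DOCUMENTS.items():
        print(f"{doc:26} {'ALLOW' if can_read(OFFICER, lab) else 'DENY'}")
```

The fourth document is denied even though its level matches, because the officer's clearance does not cover the "Cuba" category.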

Incident Response Planning (IRP)

  • Incident Response Plan (IRP): A set of written instructions for reacting to security incidents, such as malware infections or server crashes resulting from a Denial of Service (DoS).
  • The Incident Response Process (6 Action Steps):
    1. Preparation: Equipping users, management, and IT staff with the necessary tools and knowledge to handle potential incidents.
    2. Identification: Confirming if an event is a legitimate security incident.
    3. Containment: Limiting damage by isolating systems. Network segmentation is often used to restrict attackers.
    4. Eradication: Identifying the root cause and removing systems or components causing damage.
    5. Recovery: Returning affected systems to normal operation once the threat is removed.
    6. Lessons Learned: Documenting the incident and analyzing logs to improve future response strategies.

Business Continuity and Disaster Recovery

  • Business Continuity Plan (BCP): A document outlining alternative modes of operation to maintain activities during interruptions.
  • Business Impact Analysis (BIA): Conducted during BCP preparation to identify critical business functions and the impact of interruptions on finances, safety, and reputation.
  • BCP Goals:
    • Identify mission-essential, critical functions.
    • List steps to restore functions (e.g., using Zoom for online teaching during COVID).
    • Identify and minimize "single points of failure" that could disable the entire system.
  • Disaster Recovery Plan (DRP): Focuses specifically on restoring and protecting IT functions. It contains detailed procedures for system restoration after disruptive events like fires or earthquakes.

Fault Tolerance and Redundancy Planning

  • Fault Tolerance: A system's capacity to continue functioning despite malfunctions, achieved through redundancy (duplication of equipment).
  • Mean Time to Recovery (MTTR): The average time required for a device to recover from a failure.
  • Redundancy Categories:
    • Endpoint Redundancy: OS features that restore computers to earlier points after software issues or malware infections. Generally, endpoint downtime is less critical than server downtime.
    • Server Redundancy: Uses clustering (combining multiple servers to appear as one).
      • Asymmetric Server Clustering: A standby server remains idle until needed.
      • Symmetric Server Clustering: All servers work simultaneously; if one fails, others absorb the workload.
    • Disk Redundancy: Addresses failure of Hard Disk Drives (HDDs) using Redundant Array of Independent Drives (RAID) or Storage Area Networks (SAN) via data mirroring/backups.
    • Network Redundancy: Replica network components (routers, switches, firewalls) that launch automatically during disasters. Network Interface Card (NIC) teaming can also provide redundancy and performance gains.
    • Power Redundancy: Dual power supplies for critical devices, uninterruptible power supply (UPS) units, and backup generators.
    • Data Redundancy: Routine data backups to different media.
    • Site Redundancy (Recovery Sites):
      • Hot Site: A production site duplicate with all equipment and data backups ready for immediate operation.
      • Warm Site: Contains all necessary equipment but lacks active telecommunications and internet, and requires time to sync data.
      • Cold Site: Provides only office space; requires equipment installation and setup, resulting in long recovery times.

Organizational Security Policies

  • Security Policy: A document defining rules, appropriate behaviors, and the tools/procedures required for enforcement.
  • Account Management Policies: Rules for account restrictions, often using an RBAC scheme to create permissions.
  • Mobile Device Location-Based Policies: Uses geolocation or geofencing to restrict device functionality based on physical location.
  • Personnel Policies:
    • Separation of Duties: Requiring more than one person to complete a task (e.g., launching nuclear missiles or signing high-value payments) to prevent fraud.
    • Principle of Least Privilege / Need-to-Know: Giving users the minimum permissions necessary for their tasks (e.g., Linux users using sudo rather than logging in as root).
    • Job Rotation: Rotating staff to prevent any single individual from having excessive control over security configurations.
    • Mandatory Vacation: Allows the organization to audit employee activities in their absence to detect cover-ups.
    • Clean Desk Policy: Ensures sensitive or confidential materials are cleared from workspaces.
  • Acceptable Use Policy (AUP): Defines permissible and prohibited actions for users (employees, visitors, contractors, vendors). For example, students may use university computers for work but are prohibited from downloading malware.
  • Data Policies:
    • Data Classification Policy: Addressing the assignment of labels based on importance.
    • Data Retention Policy: Defining how long data is kept after its primary purpose is served.
  • Organizational Policies: Management-focused policies, such as asset management policy.