rainit2006 / CISSP


7_Security Operation #10

Open rainit2006 opened 3 years ago

rainit2006 commented 3 years ago


rainit2006 commented 3 years ago

SAS 70

Abbreviation of Statement on Auditing Standards. An auditing standard established by the AICPA (American Institute of Certified Public Accountants) that is also recognized internationally. SAS 70 was defined by the AICPA as a standard for evaluating the internal controls related to outsourced work (outsourcing services and the like). It was widely used even before Section 404 of the U.S. Sarbanes-Oxley Act (SOX) took effect, and since Section 404 came into force it has been widely adopted as a method for evaluating the internal controls over work a company has outsourced. A company that performs outsourced work can report to its customers on the effectiveness of the internal controls over that work by providing a report prepared under SAS 70.

EU private data

The European Union has restrictions on “transborder data flows’ that would allow private data to flow to countries whose laws would not protect that data. The “Safe Harbor’ privacy framework was developed between the United States and the EU to provide a streamlined means for U.S. organizations to comply with the European privacy laws.

EU Data Protection Directive

Adopted in 1995, it regulates the processing of personal data within the European Union (EU). It is an important component of EU privacy and human rights law.

EU General Data Protection Regulation

The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018.

rainit2006 commented 3 years ago

Types of evidence:

Real Evidence:

Tangible and Physical objects, in IT Security: Hard Disks, USB Drives – NOT the data on them.

Direct Evidence:

Testimony from a first-hand witness: what they experienced with their five senses.

Circumstantial Evidence (indirect evidence):

Evidence to support circumstances for a point or other evidence.

Corroborative Evidence:

Supports facts or elements of the case, not a fact on its own, but support other facts.

Hearsay:

Not first-hand knowledge – normally inadmissible in a case. Computer-generated records, and with them log files, were considered hearsay, but case law and updates to the Federal Rules of Evidence have changed that. Rule 803 provides for the admissibility of a record or report that was “made at or near the time by, or from information transmitted by, a person with knowledge, if kept in the course of a regularly conducted business activity, and if it was the regular practice of that business activity to make the memorandum, report, record or data compilation.”

Computer-generated or electronic information are categorized as hearsay.

Best Evidence Rule

The courts prefer the best evidence possible. Evidence should be accurate, complete, relevant, authentic, and convincing.

Competent evidence

Legally admissible evidence. Competent evidence tends to prove the matter in dispute. In a murder trial, for example, competent evidence might include the murder weapon with the defendant's fingerprints on it. If evidence was obtained through means that violate the law, it fails the competence requirement and cannot be used as evidence in court.

Secondary Evidence

This is common in cases involving IT. Logs and documents from the systems are considered secondary evidence.

Evidence Integrity

It is vital that the evidence’s integrity cannot be questioned. We do this with hashes. Any forensics is done on copies and never the originals. We check hash on both original and copy before and after the forensics.

Chain of Custody

This is done to prove the integrity of the data; that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it? Evidence is essential for explaining events in court and elsewhere. If it is managed carelessly, however, it loses its evidentiary value. From the moment the evidence is obtained, record in order when, where, by whom and what was done with it, so that its evidentiary value can be shown at a glance.

Expert opinion evidence

Expert opinion evidence allows individuals to offer their opinion based upon the facts in evidence and their personal knowledge. Expert opinion evidence may be offered only if the court accepts the witness as an expert in a particular field.

The first step in a forensic investigation is to make a copy of the hard drive.

The first step in a forensic investigation is to make a copy of the hard drive. This method ensures that the original system is not altered in any way during the investigation process. Following this procedure ensures an accurate chain of custody.

Note:

When seizing and preserving electronic evidence, it is important to restrict all physical and remote access to the computer, photograph any images on the screen showing the state of the system, do not touch the keyboard, and conduct all forensic analysis operations of the evidence on imaged copies of the original disk in order to prevent inadvertent alteration of the original evidence.

Terms

Parol evidence rule

A rule that states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement and no verbal agreements may modify the written agreement.
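The integrity and chain-of-custody points above (hash the original, work only on a copy, hash both before and after, and record who handled what, when and where) as an added example. This is not code from the original notes; the evidence bytes, examiner names and locations are constructed so the script runs offline, where a real workflow would hash the seized disk image file.

```python
"""Evidence integrity via hashing, plus a chain-of-custody record.

Added example for these notes; it is not part of the original issue.
The evidence bytes, examiner names and locations are constructed so the
script runs offline. A real workflow hashes the seized disk image file.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Reference hash of the evidence; SHA-256 is used throughout."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    """One chain-of-custody entry: who, when, where, what, and the hash seen."""
    who: str
    when: str
    where: str
    action: str
    digest: str


@dataclass
class EvidenceItem:
    label: str
    original: bytes            # stands in for the seized device contents
    reference_hash: str = ""   # hash taken at acquisition
    chain: list = field(default_factory=list)

    def log(self, who: str, where: str, action: str, data: Optional[bytes] = None) -> str:
        """Append a custody record and return the hash that was recorded."""
        digest = sha256_hex(self.original if data is None else data)
        when = datetime.now(timezone.utc).isoformat()
        self.chain.append(CustodyRecord(who, when, where, action, digest))
        return digest


def acquire(item: EvidenceItem, examiner: str, location: str) -> str:
    """Hash the original at seizure time; this becomes the reference value."""
    item.reference_hash = item.log(examiner, location, "acquired original and hashed it")
    return item.reference_hash


def make_working_copy(item: EvidenceItem, examiner: str, location: str) -> bytes:
    """Image the original; the copy must hash identically before any analysis."""
    copy = bytes(item.original)
    digest = item.log(examiner, location, "created working copy and hashed it", copy)
    if digest != item.reference_hash:
        raise RuntimeError(f"{item.label}: working copy hash does not match the original")
    return copy


def verify_after_analysis(item: EvidenceItem, copy: bytes, examiner: str, location: str) -> bool:
    """Re-hash both original and copy after analysis; both must still match."""
    after_original = item.log(examiner, location, "post-analysis hash of original")
    after_copy = item.log(examiner, location, "post-analysis hash of working copy", copy)
    return after_original == item.reference_hash == after_copy


if __name__ == "__main__":
    item = EvidenceItem("USB-001", b"constructed evidence image")
    acquire(item, "examiner A", "lab 1")
    copy = make_working_copy(item, "examiner A", "lab 1")
    print("intact:", verify_after_analysis(item, copy, "examiner A", "lab 1"))
    # A copy that was modified during analysis no longer matches the reference hash.
    print("tampered copy detected:", not verify_after_analysis(item, copy + b"!", "examiner B", "lab 2"))
    for rec in item.chain:
        print(rec.when, rec.who, rec.where, rec.action, rec.digest[:12])
```

Every hash is written into the custody log at the moment it is taken, so the log itself answers the four questions (who, when, what, where) and shows at which handover a mismatch first appeared.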

rainit2006 commented 3 years ago

Data mart VS Data warehouse

Data marts are closely tied to data warehouses, but there is a distinct difference. Data marts are collections of data from different databases or systems that fulfill a specific need. Data warehouses are collections of data from different databases or systems that could cover a wide variety of objectives. However, it is common for data marts to be subsets of data warehouses.

## Switched Fabric

Switched fabric or switching fabric is a network topology in which network nodes interconnect via one or more network switches (particularly crossbar switches). Storage area networks (SANs) are made up of several storage systems connected together to form a single backup network. A SAN is a networked infrastructure that allows several systems to be connected to any storage device. This is usually provided by using switches to create a switching fabric. The switching fabric allows several devices to communicate with back-end storage devices and provides redundancy and fault tolerance by not depending upon one specific line or connection.

## HSM (Hierarchical Storage Management)

Hierarchical storage management (HSM) is a data storage technique that automatically moves data between high-cost and low-cost storage media. HSM systems exist because high-speed storage devices, such as solid state drive arrays, are more expensive (per byte stored) than slower devices, such as hard disk drives, optical discs and magnetic tape drives.

rainit2006 commented 3 years ago

Reciprocal agreements

Reciprocal agreements are made between companies with the understanding that available facilities can be used by a company in the event of a disaster. These agreements come with a handful of problems, however. One problem is that they are not legally binding. Also, there are confidentiality issues. Most companies would not want to migrate their business operations into the house of another company, possibly revealing proprietary information.

Clipping level

Clipping levels are thresholds set by management of acceptable numbers of mistakes or errors made by employees. The reason clipping levels are set is to notify security or management when innocent mistakes become routine enough to suspect fraudulent behavior.
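The clipping-level idea above, as an added example that is not part of the original notes: count each employee's mistakes in an audit log and raise a review when the count inside a time window reaches the threshold. The log format, user names, event names and the threshold are constructed for this illustration.

```python
"""Clipping-level check over constructed audit log lines.

Added example, not part of the original notes. The log format, users and
the threshold value are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")

# Constructed sample log: ISO timestamp, user, event name.
SAMPLE_LOG = """\
2024-03-01T08:00:00 user=alice event=login_failed
2024-03-01T08:01:00 user=alice event=login_failed
2024-03-01T08:02:00 user=alice event=login_ok
2024-03-01T09:00:00 user=bob event=entry_error
2024-03-01T09:05:00 user=bob event=entry_error
2024-03-01T09:10:00 user=bob event=entry_error
2024-03-01T09:20:00 user=bob event=entry_error
2024-03-02T11:00:00 user=carol event=entry_error
2024-03-03T11:00:00 user=carol event=entry_error
2024-03-04T11:00:00 user=carol event=entry_error
2024-03-05T11:00:00 user=carol event=entry_error
"""

ERROR_EVENTS = {"login_failed", "entry_error"}   # events that count as mistakes
CLIPPING_LEVEL = 3                               # mistakes per user per window that trigger review
WINDOW = timedelta(hours=24)


def parse(lines):
    """Yield (timestamp, user, event) for each well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["event"]


def exceeds_clipping_level(lines, level=CLIPPING_LEVEL, window=WINDOW):
    """Return {user: peak count} for users whose mistakes in any window reach the level.

    The window is evaluated ending at each mistake, so a burst of errors
    is flagged while the same total spread across days is not.
    """
    per_user = defaultdict(list)
    for ts, user, event in parse(lines):
        if event in ERROR_EVENTS:
            per_user[user].append(ts)

    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i, t in enumerate(times):
            recent = sum(1 for e in times[: i + 1] if t - e < window)
            if recent >= level:
                flagged[user] = max(flagged.get(user, 0), recent)
    return flagged


if __name__ == "__main__":
    for user, count in exceeds_clipping_level(SAMPLE_LOG.splitlines()).items():
        print(f"review {user}: {count} mistakes within {WINDOW}")
```

With the sample data only `bob` is reported: `carol` makes the same total number of mistakes but one per day, which is below the level inside any 24-hour window, and `alice` stops after two failed logins. Lowering the level to 2 also reports `alice`, which is the tuning decision management makes when setting the clipping level.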

rainit2006 commented 3 years ago
![image](https://user-images.githubusercontent.com/12871721/95005727-fc8c8400-0636-11eb-927a-e07340e07be1.png)
![image](https://user-images.githubusercontent.com/12871721/94368508-51a03580-011f-11eb-98a9-6c77762ecc9f.png)
![image](https://user-images.githubusercontent.com/12871721/94368552-8dd39600-011f-11eb-9d89-933fc940187a.png)

## RPO, RTO, WRT, MTD

Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss measured in time. For example, the maximum tolerable data loss is 15 minutes.

The Recovery Time Objective (RTO) determines the maximum tolerable amount of time needed to bring all critical systems back online. This covers, for example, restoring data from backup or fixing a failure. In most cases this part is carried out by the system administrator, network administrator, storage administrator, etc.

The Work Recovery Time (WRT) determines the maximum tolerable amount of time that is needed to verify the system and/or data integrity. This could be, for example, checking the databases and logs, and making sure the applications or services are running and are available. In most cases those tasks are performed by the application administrator, database administrator, etc. When all systems affected by the disaster are verified and/or recovered, the environment is ready to resume production.

The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD), which defines the total amount of time that a business process can be disrupted without causing any unacceptable consequences. This value should be defined by the business management team or someone like the CTO, CIO or IT manager.

### COOP vs BCP

Continuity of Operations Planning (COOP) is the term favored by public and government entities for mitigation and planning strategies that create resilience and allow services to continue to be provided in the face of a range of challenges.

Business Continuity Planning (BCP) is a similar term more often used in the private sector that focuses on both maintaining service delivery and receiving payment for those services provided. BCP in the past often referred to computer systems but now applies to all vulnerable resources.

### Concepts

![image](https://user-images.githubusercontent.com/12871721/94368691-82cd3580-0120-11eb-90e3-d594e1076f76.png)

## Disaster recovery test

Here are the five types of disaster recovery tests:

- Paper test: Individuals read and annotate recovery plans.
- Walkthrough test: Groups walk through plans to identify issues and changes.
- Simulation: Groups go through a simulated disaster to identify whether emergency response plans are adequate.
- Parallel test: Recovery systems are built/set up and tested to see if they can perform actual business transactions to support key processes. Primary systems still carry the full production workload.
- Cutover test: Recovery systems are built/set up to assume the full production workload. You disconnect primary systems.

## DISASTER RECOVERY PLAN

1. Create a disaster recovery team.
2. Identify and assess disaster risks.
3. Determine critical applications, documents, and resources.
4. Specify backup and off-site storage procedures.
5. Test and maintain the DRP.

## Database Backups

Disk shadowing
- Mirroring technology
- Updates one or more copies of data at the same time
- Data saved to two media types for redundancy

Electronic vaulting
- A copy of the modified file is sent to a remote location where an original backup is stored
- Transfers bulk backup information
- Batch process of moving data

Remote journaling
- Moves the journal or transaction log to the remote location, not the actual files

rainit2006 commented 3 years ago

Disaster, Catastrophes

RTO, RPO


backup site should be at least 25 miles away from the primary site

The backup site should be at least 25 miles away from the primary site to give the company maximum protection in cases of regional disasters.

rainit2006 commented 3 years ago

SOA

A distributed computing technology provides commonly needed application functionality and procedures across various environments. A service-oriented architecture (SOA) provides standardized access to the most needed services to many different applications at one time. Application functionality is separated into distinct units (services) and offered up through well-defined interfaces and data-sharing standardization. This means that individual applications do not need to possess the same redundant code and functionality. The functionality can be offered by an individual entity, and then all other applications can just call upon and use the one instance. This is really the crux of all distributed computing technologies and approaches; SOA is just a more web-based approach.

change management procedure

Although each company will implement its own change management policy, the general procedures will remain the same. The correct order is:

  1. Request a change
  2. Approve a change
  3. Document a change
  4. Test a change
  5. Implement a change
  6. Report a change to management

Configuration management

Configuration management is the process of establishing and maintaining consistent baselines on all organizational systems. It could be considered a sub-area of change management.
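Configuration management as described above, as an added example that is not part of the original notes: compare each host's collected settings against an approved baseline and report drift. The baseline keys, values and host inventory are constructed for illustration; a real check would collect the settings from the hosts themselves.

```python
"""Configuration-baseline compliance check.

Added example, not from the original notes. The baseline keys, values and
host inventory are constructed for illustration; a real check would pull
the actual settings from each host.
"""

# Constructed baseline: the approved value for each managed setting.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.server": "time.example.internal",
}

# Constructed snapshots of what was actually collected from each host.
HOSTS = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": "yes",
        "ntp.server": "time.example.internal",
    },
    "db-01": {
        "ssh.PermitRootLogin": "yes",           # drifted from baseline
        "ssh.PasswordAuthentication": "no",
        "ntp.server": "time.example.internal",  # audit.enabled is missing entirely
        "debug.port": "9999",                   # setting not covered by the baseline
    },
}


def drift(baseline, actual):
    """Return {setting: (expected, found)} for every baseline setting that differs.

    A setting absent from the host is reported with found=None, which is
    treated as non-compliant rather than silently ignored.
    """
    return {
        key: (expected, actual.get(key))
        for key, expected in baseline.items()
        if actual.get(key) != expected
    }


def unmanaged(baseline, actual):
    """Settings present on the host that the baseline does not cover."""
    return sorted(set(actual) - set(baseline))


def compliance_report(baseline, hosts):
    """Per-host drift and unmanaged settings."""
    return {
        host: {"drift": drift(baseline, cfg), "unmanaged": unmanaged(baseline, cfg)}
        for host, cfg in hosts.items()
    }


def compliant_hosts(report):
    """Hosts with no drift (unmanaged settings alone do not fail the baseline)."""
    return sorted(h for h, r in report.items() if not r["drift"])


if __name__ == "__main__":
    report = compliance_report(BASELINE, HOSTS)
    for host, result in report.items():
        status = "OK" if not result["drift"] else result["drift"]
        print(host, status, "unmanaged:", result["unmanaged"])
```

Reporting missing settings as drift matters: a host that never received the audit setting is no more compliant than one where it was changed, and the unmanaged list is the input for the next baseline revision through the change management procedure.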

rainit2006 commented 3 years ago

NetBus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a trojan horse.

Superzapping

Using software that bypasses normal security constraints to allow unauthorized access to data. For example, such a program may issue commands directly to the disk drivers without going through normal file I/O routines, bypassing not only security restrictions but also leaving no audit trail.

EICAR

European Institute for Computer Antivirus Research (EICAR). The EICAR test file (EICAR Standard Anti-Virus Test File) is a file developed by EICAR for testing the response of anti-virus (AV) software. A test virus.

MOM

MOM – Motivations, Opportunities and Means

Locard's principle

Locard's exchange principle. A trace-evidence law commonly used in criminology and criminal investigation; it also has a simpler name, the "every contact leaves a trace" rule. As the name implies, when two things come into contact they necessarily exchange and leave behind some material, that is, trace evidence. In other words, a crime will always leave traces.

DLP(Data Loss Prevention)

A security system for preventing information leakage. Unlike information-leakage countermeasures that monitor users by managing IDs and passwords, such as IT asset management tools, DLP monitors and protects the data itself.

Public domain

If software is released into the public domain, anyone may use it for any purpose, without restriction.

rainit2006 commented 3 years ago

fail-secure vs fail-open

A fail-secure system will default to a secure state in the event of a failure, blocking all access. A fail-open system will fail in an open state, granting all access.

Recovery approach

In a manual recovery approach, the system does not fail into a secure state but requires an administrator to manually restore operations. In an automated recovery, the system can recover itself against one or more failure types. In an automated recovery without undue loss, the system can recover itself against one or more failure types and also preserve data against loss. In function recovery, the system can restore functional processes automatically.

Generator

Generators are capable of providing backup power for a sustained period of time in the event of a power loss, but they take time to activate. UPS provides immediate, battery-driven power for a short period of time to cover momentary losses of power, which would not cover a sustained period of power loss.
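The fail-secure versus fail-open distinction above, as an added example that is not part of the original notes: the same access check written both ways, with a simulated policy-backend outage. The policy table, subject names and the outage flag are constructed for this illustration.

```python
"""Fail-open versus fail-secure access decisions.

Added example, not part of the original notes. The policy table, the
subjects and the simulated backend outage are constructed.
"""
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("access")


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be reached."""


# Constructed policy: which subjects may reach which resources.
POLICY = {
    "alice": {"server-room", "vault"},
    "bob": {"server-room"},
}


def lookup(subject, resource, backend_up=True):
    """Consult the policy store; raise if it is down (simulated by backend_up)."""
    if not backend_up:
        raise PolicyUnavailable("policy backend unreachable")
    return resource in POLICY.get(subject, set())


def fail_open_decision(subject, resource, backend_up=True):
    """Fail-open: any failure grants access. Availability is kept, control is lost."""
    try:
        return lookup(subject, resource, backend_up)
    except PolicyUnavailable as exc:
        log.warning("fail-open: granting %s -> %s because %s", subject, resource, exc)
        return True


def fail_secure_decision(subject, resource, backend_up=True):
    """Fail-secure: any failure denies access until the backend is restored."""
    try:
        return lookup(subject, resource, backend_up)
    except PolicyUnavailable as exc:
        log.warning("fail-secure: denying %s -> %s because %s", subject, resource, exc)
        return False


def decide(subject, resource, mode="secure", backend_up=True):
    """Dispatch on the configured failure mode so the choice is explicit and auditable."""
    if mode == "open":
        return fail_open_decision(subject, resource, backend_up)
    if mode == "secure":
        return fail_secure_decision(subject, resource, backend_up)
    raise ValueError(f"unknown failure mode {mode!r}")


if __name__ == "__main__":
    print("normal, alice -> vault:", decide("alice", "vault"))
    print("outage, guest -> vault, fail-open:", decide("guest", "vault", mode="open", backend_up=False))
    print("outage, guest -> vault, fail-secure:", decide("guest", "vault", mode="secure", backend_up=False))
```

While the backend is healthy both variants give identical answers; the difference appears only on failure, which is why the mode should be a deliberate, logged configuration choice rather than whatever the exception handler happens to return.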

rainit2006 commented 3 years ago

Netflow records vs IDS logs

Netflow records contain an entry for every network communication session that took place on a network and can be compared to a list of known malicious hosts. IDS logs may contain a relevant record, but it is less likely because they would only create log entries if the traffic triggers the IDS, as opposed to netflow records, which encompass all communications. NetFlow is a technology developed by Cisco Systems, Inc. for monitoring and analyzing network traffic information. It is implemented mainly on Cisco routers and switches, but it is now becoming the industry standard for flow measurement and is supported by network equipment from many vendors.

### SCCM

System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data.

rainit2006 commented 3 years ago

forensic disk controller

A forensic disk controller performs four functions. One of those, write blocking, intercepts write commands sent to the device and prevents them from modifying data on the device. The other three functions include returning data requested by a read operation, returning access-significant information from the device, and reporting errors from the device back to the forensic host.

Duress

Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.

Force majeure

Force majeure clause.

Stockholm syndrome

Stockholm syndrome. In clinical work with victims of crimes such as kidnapping and confinement, this refers to the victim forming a psychological bond with the perpetrator as a survival strategy.

rainit2006 commented 3 years ago

multiple processing site

Distributing load to multiple regions. E.g. Someone deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider.

rainit2006 commented 3 years ago

CSIRT(Computer Security Incident Response Team)

A general term for organizations that respond to computer security incidents. They continually collect and analyze incident-related information, vulnerability information and information on signs of attacks, and develop response policies and procedures. CSIRT representation normally includes at least representatives of senior management, information security professionals, legal representatives, public affairs staff, and engineering/technical staff.

rainit2006 commented 3 years ago

Security event, Security incident

Security event:

Security incident:

rainit2006 commented 2 years ago

IDS vs IPS

An IDS cannot mitigate single-packet attacks. An IDS is a network monitoring device that passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has a management interface and at least one monitoring interface for each monitored network. Each monitoring interface operates in promiscuous mode and cannot be assigned an Internet Protocol (IP) address; however, it does have a MAC address assigned to its monitoring port. Because an IDS does not reside in the path of network traffic, traffic does not flow through the IDS; therefore, the IDS cannot directly block malicious traffic before it passes into the network. However, an IDS can send alerts to a management station when it detects malicious traffic and may be able to modify the configuration of other network security devices, such as firewalls, to block traffic. For example, an IDS that detected an Internet Control Message Protocol (ICMP) attack could configure a firewall at the edge of the wide area network (WAN) to block specific ICMP messages until the attack was mitigated.

By contrast, an intrusion prevention system (IPS) is a network monitoring device that can mitigate single-packet attacks. An IPS requires at least two interfaces for each monitored network: one interface monitors traffic entering the IPS, and the other monitors traffic leaving the IPS. Because all monitored traffic must flow through an IPS, an IPS can directly block malicious traffic before it passes into the network. Like an IDS, an IPS does not have an IP address assigned to its monitoring port; however, an IPS also does not have a MAC address assigned to its monitoring port.