RCR 054 - Understanding and Supporting Investigations (Domain 7)

Dec 30, 2019


Subscribe: iTunes | Google Play | Stitcher Radio | RSS

Description:

Shon Gerber from ShonGerber.com provides you with the information and knowledge you need to prepare for and pass the CISSP Exam, along with the tools you need to enhance your cybersecurity career. Shon draws on his expansive knowledge and his years of training people in cybersecurity to deliver superior training.

In this episode, Shon will talk about the following items that are included within Domain 7 (Security Operations) of the CISSP Exam.

  • CISSP Articles – Supporting Investigations
  • CISSP Training – Understanding and Supporting Investigations
  • CISSP Exam Questions

BTW - Get access to all my CISSP Training Courses here at:  https://shongerber.com/

Want to find Shon Gerber elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

CISSP Exam Question

Source:  TechTarget

QUESTION 1

A critical first step in disaster recovery and contingency planning is which of the following?

  • A. Complete a business impact analysis
  • B. Determine offsite backup facility alternatives
  • C. Organize and create relevant documentation
  • D. Plan testing and drills

CORRECT ANSWER - A. Complete a business impact analysis 

The first step in disaster recovery and contingency planning is performing a business impact analysis (BIA). This step involves identifying all possible threats and measuring the effect each can have on the company. It also includes identifying critical company functions and resources and calculating outage times.

From <https://searchsecurity.techtarget.com/quiz/CISSP-Domain-7-quiz-Business-Continuity?q0=1&q1=2&q4=0&q6=1&q7=0&q9=1&q13=3&x=95&y=8>

QUESTION 2

There are different types of offsite facilities, either subscription-based or company-owned. Which type of subscription-based backup facility is used most often?

  • A. Cold
  • B. Warm
  • C. Hot
  • D. Redundant


CORRECT ANSWER - B. Warm 

Warm sites offer an even mix of advantages and disadvantages. These backup locations have power and network available, but only a portion of the hardware and software installed. A positive attribute of a warm site is that it is less expensive than a hot site. A downside is that testing capabilities are not available as they are with hot sites. A redundant site is not subscription-based, but owned by the company.

From <https://searchsecurity.techtarget.com/quiz/CISSP-Domain-7-quiz-Business-Continuity?q0=1&q1=2&q4=0&q6=1&q7=0&q9=1&q13=3&x=95&y=8>

QUESTION 3

In disaster recovery, each level of employee should have clearly defined responsibilities. Which of the following is a responsibility of senior executives?

  • A. Develop testing plans
  • B. Establish project goals and develop plans
  • C. Identify critical business systems
  • D. Oversee budgets and the overall project

CORRECT ANSWER - D. Oversee budgets and the overall project 

Senior executives have several key responsibilities within disaster recovery, which include: support and approve plans; sponsor all aspects of plans; verify testing phases are being carried out; and oversee budgets. Having the dedicated and consistent support of senior management is critical in the success of disaster recovery and contingency planning.

From <https://searchsecurity.techtarget.com/quiz/CISSP-Domain-7-quiz-Business-Continuity?q0=1&q1=2&q4=0&q6=1&q7=0&q9=1&q13=3&x=95&y=8>

LINKS: 

TRANSCRIPT:

Welcome to the Reduce Cyber Risk podcast, where we provide you the training and tools you need to pass the CISSP exam while enhancing your cybersecurity career. Hi, my name is Shon Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the CISSP exam.

...article just two days ago, and it was talking about what are the biggest threats and trends for 2020 as it relates to cybersecurity, and one of the aspects, so I should say that there were like seven different topics they had on that article specifically, and five of the seven focused on cloud, and I fully suspect that's going to be a huge issue. Well, it's going to be forever, but especially the next few years as people are getting smarter on the cloud: how is it secured and what are some of the mechanisms in place? And so I have learned with our deployment, or the deployment I've seen with the cloud in my company, that there's a lot of knowledge that needs to be learned, including myself, and how much that I don't know, and it's really been an eye-opening experience of trying to work through everything, because the thing when you get into the cloud, there are different aspects, little nuances, that in the past you have one server that could get compromised; well, now, if you screw up some pretty big aspects that almost anybody can configure, you could basically compromise a large swath of whatever you put out there. So there's a lot of pretty cool stuff there. Well, so what's rolling today: today is episode 54, Understanding and Supporting Investigations, and this is going to be Domain 7, the security operations piece of this. So there's a couple different articles I'm going to come out here with, and this is one that people kind of struggle with a little bit as it relates to investigations, because you don't really know, and it's kind of that legal stuff, and how do I handle all that?

And this has been an eye-opening experience for me myself, in the fact that I've had to do various other evidence, or I should say investigations, on activity that's occurred within various companies and things that I've worked with, from the military to my current company that I'm dealing with right now. And so it's been an interesting thing I never really expected or anticipated, but if you're going to get your CISSP, this is one of the key aspects you need to understand and know. The other piece of this is the information that I'm going to be going over today is also extremely important with your career and what you're going to do for other companies, because the simple fact of it is that you as a cybersecurity person will be looked upon in most cases as a person who understands how to deal with cybersecurity evidence and how to have managed it, and also you're probably the first person on the scene when the event occurred, so you need to have a good grasp and understanding of what are some of the expectations and what are the pitfalls that go into not doing a good job around this. So the article that I pulled up, that I found out there online, was from InfoSecInstitute.com, and they're talking about the security and how the investigation support requirements... that will be in the website and you can go check those out at any time. But before we get started, got to put the plug in: you can go to ShonGerber.com, you'll be able to find this article specifically as well as along with any other CISSP training materials you would like to be successful on the CISSP exam, so you can check that out at ShonGerber.com.

All right, so, as far as the evidence section and handling, kind of a breakdown of what does it actually mean. Evidence includes facts, items and information to be presented in a court of law to establish the validity or invalidity of a claim or statement. So when you're looking to collect evidence around a cybersecurity event that occurred, you are going to have to present this to, like, a court of law. You have all these people around you; most likely it will be to a judge and some lawyers that you'll deal with on this statement, but you have to be able to present this sort of information to them, that evidence, in a matter that proves that you actually have a case versus just looking like a blithering idiot and you have no idea what you're talking about. So you're going to have to provide that information in the event that there is an investigation. It is used to prove a person's guilt, right? You know about that. But when you're dealing with cybersecurity pieces of this, you really need to have a proper chain of evidence, and that is exactly what it sounds like, right? You have evidence that kind of leads you down the path and points you in a direction. Now this evidence will be dealing with computer security pieces, and this is something the CISSP will probably chat around, is the fact that computer evidence is typically circumstantial evidence. It is not proof that, if you have it, you are rock solid, you're going to win no matter what. No, because the computer evidence can be tampered with at some point, and so therefore they don't consider it as the rock-hard status of evidence that you have to have to make a case open and closed, basically. You know, you present this evidence, the game's over, we win, you lose, done. That's not going to happen with cybersecurity, with computer types of evidence, just because, like I said before, it can be manipulated.

Now you're going to have to put out there, as far as when you're dealing with the chain of evidence: how was it collected, how was it identified, and how was it protected. Key point: what did you do when you got it, and how did you protect it? How did you keep it from somebody actually getting ahold of it and messing with it? Break out how the overall investigation was conducted: how was the data copied, cloned, what was done with it? The thing to consider with the CISSP is that you should not be manually copying this information over. You would take a copy of the device, an image of the actual evidence itself, so its operating system; you would clone that entire box. You wouldn't just pick out "where is the evidence," or the log files that allowed this to occur. You don't want to do that. That will cause you all kinds of grief down the road, and what will end up happening is they'll probably throw out your evidence because you just cherry-picked what you wanted. So those are important things to do, and you also got to present how it is presented in court and by whom. So I say this in the fact that, why do lawyers get paid a lot of money? Well, it's theater, and they're putting on a case. If you bring in the computer nerd that just can't even see straight and just can't put a couple sentences together, kind of like this podcast, that's going to cause doubt on your overall case, so you're going to have to have someone who is articulate and knows what they're talking about that is presenting, that is acting as a witness for your case. So those are important. I was talking to a guy that is a CISO with another company, and he actually sits, and he is paid to go in and present evidence in court for companies, and the reason is he's an expert on this stuff, on this technology, and therefore he's pulled in as an expert witness who can talk to these aspects, and because he can talk at the third-grade level to people, then what is happening is he gets called up a lot to go do it. So there's opportunities there; you potentially could be an expert witness. So anyway, that's all that.

So the other thing they talk about is, has the property been returned to the owner after the investigation? You have to define: was it, wasn't it brought back to them, was it given back to them? Those are things you have to call out. Now we also have some other aspects around chain of custody: who obtained the evidence, who secured it, where and when was it collected, the basic who, where, what, why kind of thing. You got to be able to call that out and be able to state what that was in the case of the evidence. Storage: it is typically stored in some locked environment, vault or some sort of safe, that kind of place where you typically store this kind of information. You wouldn't just leave it in a drawer in your desk; probably not a good idea. Encrypted thumb drive, even better. Images on a thumb drive that's not encrypted, those are bad things to do when you're dealing with evidence. You should make sure it's copied correctly and then it's protected, i.e., within some sort of encryption mechanism to ensure that it is not tampered with, and they also must be conducted with identical clones. We talked about the fact that you should have an identical clone of the system; you should not just copy the information off of this. One thing else that you should consider is that when you are messing with the data, it's important that there's monitoring occurring and recording what you're doing, because the courts are going to want to know how you did that. So you can't just say, "Why, I actually found these logs, they just kind of showed up one day, I don't know where they were." They're going to look at that and they're going to frown on that pretty quickly and probably get you thrown out, so you need to make sure that it's recorded and monitored and managed, and those recordings are actually available to the court if they want to have them. So in the end, it must be presented in court accompanied by testimony and opinion. Those are key pieces around that as well. So those are all aspects around the chain of custody piece of this.

Now the other thing that they brought out in this bullet point is that if the perpetrator is found guilty of a crime, the perpetrator will forfeit his or her right to the property. In such cases: not guilty, give it back; if they're guilty, they lose access to it, and then they go break big rocks into little rocks. So white-collar crimes, they'll probably just go sit at a resort somewhere drinking margaritas and relaxing, whatever the nature of the case, but you get the movies sometimes.

All right, reporting: so the reports must be complete, detailed and a sign of quality to be accepted in a court of law. So you got to provide some level of reporting on this stuff, and if you have bad English, okay, that's probably just butchered the English language right there, if you have bad grammar, bad English, you don't know what you're talking about, you don't know how to put a sentence together, then you probably better have somebody else file the report for you. Just saying, might not be a bad idea to do that. It should include some of the following things: steps and process, what you got, where you were at; copies of your standard operating procedures, again, you must have things documented, you can't just go off the cuff and make things happen; copies of the checklists that are used for the investigative process, what are you using to get there, you know, step 1 I copy files, step 2 I encrypt files, step 3... So once again, I don't mean that people are foolish, but like I mentioned before in some of my CISSP training, the ultimate goal is to bring this to the third-grade level, and why? Because at the fifth-grade level people can't get it, because if you ever played the game, you know, how smart are you, are you smarter than a fifth grader? Fifth graders are pretty intelligent. Third grade, if you can talk at that level, then you're probably going to be okay; most people will understand what exactly to do. We also need to make sure that you're using the right technology and terminology and talk in layman's terms. Logs: make sure they are time-stamped on when they actually were taken. Again, all of these things could be manipulated in the right situation, but it helps build your case. What I say by that is, then you get smart on how does that third party do it. Now if you have time and you haven't had an investigation, maybe it would be wise to go find a friend and talk to somebody about how to do a proper investigation around the IT space and in the cybersecurity space, and even if it's a regular investigation, a criminal investigation such as murder, robbery, whatever, that same process can be used. It's just smart for you, while working on your CISSP, to be able to understand these pieces of this.

All training must be provided to anyone, the lawyer, that needs to access it for whatever reason; you have specific training in place to help them wholly access it. I'd also recommend you put this data, if somebody doesn't need to look at it, you put it in an environment where they cannot manipulate it or do anything to it, kind of like its own little walled garden, that all they can do is see in, but they can't touch any of it. I think it would be very important, just because if you can prove that in the court, all that you did in that situation, that would be very valuable. They must not be altered during the collection phase; the investigation must talk about why you didn't alter it during that collection phase. Personnel in possession of evidence are responsible for it until it's back into storage. There must be a check-in, check-out process: once you have it, you check it in, you are responsible for it until you check it out; then you're responsible for it until you check it back in. And then all personnel entities must be fully certified to work with evidence if the chain of evidence is to be preserved. You got to have a process, they got to be certified, they got to be trained; you can't just go do it willy-nilly. So, you know... I mean, it's 4 in the morning, I'm a little tired, sorry.

Media analysis: this includes the analysis of computers, RAM, hard drives, optical media, USB, SD cards, all that stuff. You must have some way of how you analyze all types of media; if you don't have that capability, outsource it. It's just important to have it done right. I will say, for investigations that I've dealt with in the past that have been small, I've taken care of those, but if they've been of any significance that I think could potentially cost the company a lot of money, even not financial, just reputation, I will call in a third party, just because it is better to have that third party who has the most unbiased opinion about things that can potentially testify in court. What would happen if I went in to testify for my company in a large situation? Because I'm the sole investigator, it would probably be looked upon as not as trustworthy of an investigation, that I'm working in the best interest of my company. So I would highly recommend you bring in a third party to help you. Network analysis is carried out on equipment such as routers, modems, firewalls, all those kind of things. Now the interesting part about this is, what we started off the podcast with is AWS; the same concept can occur in AWS, however you don't physically have, can't physically touch, these things, whereas in the past you can physically touch a router, you can physically touch some sort of media, you could go grab it and bring it and put it in storage. So adding it to the cloud adds a little bit of a level of dynamics; the process would be the same, but there are some nuances that you would have to kind of think through, and it's probably good to think through those before something bad actually happens. Software analysis: you would potentially have some level of analysis on the software, and that would come down to evidence of activity within the software: log files, timestamps, metadata, anything that would add some level to the investigation. You should consider that when you are looking at the investigation. Now there are some other factors to consider as you're dealing with this, and some things that you need to know when you're looking at investigations for the CISSP. There's basically four investigation types that are covered in the CISSP, and they should be understood by individuals that are taking this test, and that would be operational, criminal, civil, regulatory and e-discovery, and those are the different types of investigations that you will run into, especially taking the CISSP, and you may end up dealing with one or more of those once you start working for a company. You need to be successful, or at least at a minimum understand how an investigation can be completed and what you can do to do a better job with it.

All right, so now I'm going to roll into the CISSP, and it's objective 7.1, Understanding and Supporting Investigations, and so a lot of the things, like we talked about in the podcast, is that you will get the information that we'll kind of go over multiple times, and the purpose behind that is the fact that, I mean, I don't know about y'all, but I struggle with just remembering something once. If I hear it, it's a little hard to get it into the back of my cranium to figure out, did I really remember that? After I hear it three or four times I start to get it, but the rule of thumb that I've heard is hear or see it seven times before you actually make a move on it, since this is buying stuff right now, and we're in the Christmas season. So the question to consider is, as you're listening to this Reduce Cyber Risk podcast, some of the things I go over routinely, they may seem like, dude, you just went over this again; at the end of the day, the more we go over these things, the better off you are when it comes time to take the test.

Okay, so when I understand the supporting investigations, there are some key aspects which we talked about with evidence collection and handling. Proper collection of evidence is challenging; we talked about that and what you have to deal with, and it should be only accomplished by professional technicians. That could be you; obviously, when you're dealing with your CISSP, you can be doing this right now as a forensic person, and there probably are people out there doing that who are studying for the CISSP. But you might want to consider, if you have an opportunity, especially if you're working within an organization, go find who could be doing this sort of collection for your organization. If you're the sole cybersecurity person or the sole IT person for your organization, start understanding how this would occur, because it's just going to have to happen if it does occur; you're going to have to visit with third parties, and knowing the same language and the same lingo would be extremely useful in the event of an incident. So just going to consider that. Rattling in a document: improper handling can jeopardize legal cases, and it really can, if you don't have a good case because you did a shoddy job of collecting the evidence; one of the key contributors to the failure of your case would be potentially you. It's always best to work on a copy of evidence. Best, I say, you must, unless there's some reason you have to work on the original; you should never really work on the original document. There might be some original data, there might be some reason behind that, but at the end of the day I would stay away from that at all costs. Identification and extraction of data is extremely important, as could be media from a device: USB stick, digital optical drives, you name it, anything that potentially has access to this data. Analysis: this depends much on prior knowledge of the event, as could be various logs, IPS, flow logs, firewall logs, you name it, so you may have to put a sniffer on the network to get some of this information as it was going. Maybe you have a suspicion that there's something going on and maybe you decide to start collecting logs before an actual event; that would be an option to do that as well. Software analysis: understand backdoors, logic bombs or other vulnerabilities that could potentially be in your software, and you may need to review the log files of the application for a better picture.

Here's the gotcha with that: not all of the applications that you work on will have log files. I run into this numerous times where you think they have log files, but no, they don't. So I can sit around and have a good understanding of the lay of your network or of the applications that are in your network way before you need to know that. So hardware and embedded devices: computers, phones, tablets. Again, you may want to have an expert look at that. There's software out there that will help you with your phone, but unless you work for a forensics company, most of this software is pretty expensive and you wouldn't just typically go buy it. I know that the phone software for doing forensics was around 10 to 15,000 dollars a few years ago, and I was looking at it because I was thinking about opening up a business; that's all I really want to get into. Reporting and documentation: all investigations need to have a report, and the report type will be dependent on the organization's policies and procedures, so if you don't have good policies and procedures in place, that also is going to affect your case. So that's something I kind of realized myself in areas that I need to work better at, is have a good situation around policies and procedures. The final report does lay the foundation for potential legal actions, so again, you got to know English, got to speak it, got to be able to write it, and it's got to be discernible at the third-grade level. The legal counsel, I would do that ahead of time; do not wait until your investigation's occurred. I've been very blessed that I have some really good relationships with some legal counsel over the years, from when I was a hacker and also through working through the various enterprises. I have a good understanding and respect, but I have some really good relationships with some awesome lawyers, and that's extremely helpful. Building relationships with law enforcement is something else to consider, as you may want to do that. I mean, I live in a very small town in the middle of rural Kansas, but I know all the police officers, not because I get picked up but because it's a small town and they're good friends. So in the event that there would be something bad that would happen locally, I actually would have to start an open investigation with them first, depending upon if it was my company in my small town. So that was something that you may want to build those relationships with them, and not get picked up on speeding tickets, but at least build a relationship with them ahead of time in the event that you have an investigation at some point. Also keep in mind, if you deal with the FBI, the FBI, they're law enforcement, but they're not the ones that you open up an investigation with locally; you would do that with your local law enforcement. The FBI also is not going to help you mitigate any issues; they're going to help find the bad guys that did this to you, but they won't help you resolve the challenges you're dealing with. So don't look to the FBI to help you; they won't deal with it. Law enforcement: you don't just have somebody arbitrarily call the police officers; you need to get public affairs involved to do that. I'd highly recommend that you do not just go call them. You need to stay out of the limelight as much as possible with this; you want other people to do it for you: the president, CFO, CEO, someone who's in the C-level suite, people who are public affairs; they need to take care of this, not you. You are the boots on the ground, getting them the information they need, but you should not be the face of this; you want to avoid that at all costs.

When gathering evidence, there are three options you have: voluntary surrender, subpoena or search warrant. Those are the three options that are available. Voluntary surrender is it's provided on request. A subpoena is a court order by law enforcement, and they give you enough notice saying, yeah, yo dude, you need to bring this data to us, please; if you don't, then you're in trouble. Or the search warrant, that's when they'll just knock on your door with guns blazing and they say, give us your stuff. Okay, you're going to have to have credible evidence that a judge needs to... in the United States; elsewhere, that you don't need any sort of approval, they can just go warrant... not good. In the United States right now there are digital forensics tools, tactics and procedures. This is relevant to determining a fact; it must be material, related to the case. Basically, what you got to be able to provide, any admissible evidence, it's got to be material or evident to the case, related to the case, must be competent or obtained. Types of evidence are real evidence, documentary evidence and testimonial evidence. Real evidence would be DNA or weapons, something like that, that's like physical; hit somebody over the head with a USB stick, then yes, that would be real evidence. Testimonial, you are saying your verbal information. What about chain of custody? How important that is, especially in cyberspace, and this deals with labeling evidence, logs, how you handle it, how you check it in, how you check it out. All of these have to be an unbroken sequence of events; if it's broken, then you just put your case in jeopardy. All of those things have to be in place. So that is from the CISSP training that is at ShonGerber.com that you can get out there, and it's just one of the aspects, it's Domain 7.1, but I've got all kinds of videos that will tie back to that, that will show you this in a little bit slower environment. But at the end of the day, that is just for 7.1; a lot of good stuff in there, especially for dealing with investigations; you need to do it right.

So let's turn to TechTarget and the domain questions from TechTarget. This is Domain 7; we've got three exam questions for you based on the investigations. So question one: a critical step in disaster recovery and contingency planning is which of the following? A, complete a business impact analysis; B, determine offsite backup facility alternatives; C, organize and create relevant documentation; D, plan testing and drills. Okay, so a critical first step in DR and contingency planning is which of these: complete a business impact analysis; determine offsite backup facility alternatives; organize and create relevant documentation; plan testing and drills. Business impact analysis is usually the first step when you're dealing with a DR plan, to understand how it's going to affect your business.

Question 2: there are different types of offsite facilities, either subscription-based or company-owned. Which type of subscription-based backup facility is most often used? A, cold; B, warm; C, hot; D, redundant. One of those right away, for taking a test: D, redundant, okay, that's not a typical type of offsite; I've never heard of that word. So C is hot. If we know anything about these, we know that cold is not really... it's doing nothing, running, and they stand it up in a certain amount of time; warm is it's actually up and operational to some point, and you'd still have to do some more work to get it up and fully going; and D is hot, which means it's running, standby. So if you're looking at this, which one of these, if you're paying for a subscription-based versus a company-owned situation, which one would it be? A, cold; B, warm; C, hot; D, no. The challenge is, when you're dealing with this, you want to have that; you're paying for the ability to stand up quickly, because you know that there's some of it up and ready to go, you know there might have to be some work to it, but at the end of the day what you want is you're doing it to buy some time. If it's cold, why pay for something that you're going to have to stand up? You just wouldn't do it.

All right, question 3: in disaster recovery, each level of employee should have clearly defined responsibilities. Which of the following is a responsibility of senior executives? A, develop testing plans; B, establish project goals and develop plans; C, identify critical business systems; D, oversee budgets and the overall project. When we're talking disaster recovery, each level of employee should have clearly defined responsibilities. Responsibility of the senior executive: develop testing plans, no; B, establish project goals and develop plans, probably not; C, identify critical business systems, maybe; D, oversee budgets and the overall project, usually it's money they're involved in. The answer is D, oversee budgets and the overall project.

Okay, that's all we got for today as far as for the CISSP. You know we're talking about Domain 7, and this is on forensics and investigations. Please check me out at ShonGerber.com; it's S-H-O-N Gerber, like the baby food. You can go there; there is a bunch of free content that's available to you. I've got Domains one through four, there are about nine different videos you can look at as far as for training to help you with that. Also got CISSP exam questions that are out there on ShonGerber.com, and of course you can buy my entire CISSP video training package at ShonGerber.com as well. All right, I hope you all have a wonderful day; we'll catch you on the flip side. Thanks so much, I would greatly appreciate the feedback. Also check out my CISSP videos that you can find out on YouTube; just search for Shon, S-H-O-N, Gerber like the baby food, or whatever you choose, and then you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head over to ShonGerber.com and look at the cornucopia for all my email subscribers. Thanks again for listening.
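The chain-of-custody practices the transcript describes (image the whole device, protect the image against tampering, log who had it where and when through a check-in/check-out process, keep the sequence unbroken) as an added Python example; this is not code from the podcast or from ShonGerber.com. It assumes the evidence is a single image file, uses SHA-256 hashing rather than encryption as the tamper-evidence check, and stores custody events in a hash-chained JSON-lines ledger (file names and field names are my own).

```python
"""Hash-chained chain-of-custody ledger for a forensic image.

Added example, not the podcast's own code. Assumptions: one evidence
image file; SHA-256 for integrity; each custody event is appended to a
JSON-lines ledger and carries the hash of the previous entry, so an
edited, dropped or reordered entry breaks the sequence.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first ledger entry


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    """Hash of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    def __init__(self, ledger_path):
        self.path = ledger_path
        self.entries = []
        if os.path.exists(ledger_path):
            with open(ledger_path) as f:
                self.entries = [json.loads(line) for line in f if line.strip()]

    def record(self, action, who, where, evidence_path, note=""):
        """Append one custody event: who had the evidence, where, when, and its hash then."""
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,  # acquired / check_out / check_in / analyzed
            "who": who,
            "where": where,
            "evidence_sha256": sha256_file(evidence_path),
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self, evidence_path):
        """Return a list of problems; empty means unbroken chain and untouched image."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"sequence gap at entry {i}")
            if e["prev_hash"] != prev:
                problems.append(f"chain broken at entry {i}")
            if _entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i} was altered")
            if e["evidence_sha256"] != self.entries[0]["evidence_sha256"]:
                problems.append(f"image hash changed by entry {i}")
            prev = e["entry_hash"]
        if self.entries and sha256_file(evidence_path) != self.entries[0]["evidence_sha256"]:
            problems.append("evidence image no longer matches acquisition hash")
        return problems


def demo():
    """Constructed scenario (sample data, not real evidence): acquire an image,
    check it out and back in, then tamper with the image and with the ledger."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disk.img")
    with open(image, "wb") as f:
        f.write(b"constructed sample disk image\n" * 1000)
    ledger = CustodyLedger(os.path.join(workdir, "custody.jsonl"))
    ledger.record("acquired", "analyst_a", "evidence vault", image,
                  "full image of the device, not cherry-picked files")
    ledger.record("check_out", "analyst_b", "forensics lab", image)
    ledger.record("check_in", "analyst_b", "evidence vault", image)
    clean = ledger.verify(image)

    # Tampering after check-in: one byte of the image is changed.
    with open(image, "r+b") as f:
        f.seek(10)
        f.write(b"X")
    image_tampered = ledger.verify(image)

    # Someone also edits a ledger entry to hide where the evidence went.
    ledger.entries[1]["where"] = "unknown"
    ledger_tampered = ledger.verify(image)
    return clean, image_tampered, ledger_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "image tampered", "ledger tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```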
