Domain Seven - Security Operations
Terms in this set (174)
Forensic Investigation Guidelines
"Minimize handling or corruption of original data
account for any changes and keep detailed logs of your actions
comply with the rules of evidence
do not exceed knowledge
follow local security policy and obtain written permission
capture as accurate an image of the system as possible
be prepared to testify
ensure actions are repeatable
work fast and proceed from volatile to persistent evidence
do not run any programs on the affected system"
Normal
A normal event does not affect critical components or require change controls prior to the implementation of a resolution. Normal events do not require the participation of senior personnel or management notification of the event.
Escalation
An escalated event affects critical production systems or requires that the implementation of a resolution follow a change control process. Escalated events require the participation of senior personnel and stakeholder notification of the event.
Emergency
An emergency is an event that may impact the health or safety of human beings and breach the primary controls of critical systems. It could materially affect component performance or, because of the impact on component systems, prevent activities that protect the health or safety of individuals. The event may be deemed an emergency as a matter of policy or by declaration of the available incident coordinator.
Computer security and information technology personnel
must handle emergency events according to a well-defined computer security incident response plan.
Incident
is an adverse event or series of events that negatively affects the company or its security posture and requires a methodical approach to manage; it impacts the security of an organization or its ability to conduct normal business.
Incident response
is the practice of detecting a problem, determining its cause, minimizing the damage, resolving the problem, and documenting each step of the response for future reference.
Incident Response Goals
"To reduce the potential impact to the organization by providing an effective and efficient means of dealing with the situation
To provide management with sufficient information to decide on an appropriate course of action
To maintain or restore business continuity
To defend against future attacks
To deter attacks through investigation and prosecution."
Incident Response team
"a list of outside agencies and resources to contact or report to
Roles and responsibilities outlined
A call tree
detailed steps on how to secure and preserve the evidence
a list of items that should be included on the report for management and the courts
a description of how the different systems should be treated in a particular situation"
Evidence
"The exact requirements for the admissibility of evidence vary across legal systems and between different cases. At a more generic level, evidence should have some probative value, be relevant to the case at hand, and meet the following criteria, often called the five rules of evidence:
-Evidence should be authentic
-Evidence should be accurate
-Evidence should be complete
-Evidence should be convincing
-Evidence should be admissible in a court of law"
Evidence lifecycle
"The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation.
The major components:
-Discovery and recognition
-protection
-recording
-collection
-identification
-preservation
-transportation
-presentation in a court of law
-return of the evidence to the owner"
Chain of Evidence
"-Location of evidence when obtained
-Time evidence obtained
-Identification of individual(s) who discovered evidence
-Identification of individual(s) who secured evidence
-Identification of individual(s) who controlled evidence and individual(s) who maintained possession of that evidence
Chain of custody shows how evidence was collected, analyzed, transported, and preserved, to be presented as evidence in court. It helps protect the integrity and reliability of the evidence. It is the effective process of documenting the complete journey of the evidence during the life of the case and shows control of the evidence, from the time it is collected, to the time it is presented in the court."
Best evidence
original or primary evidence; provides the most reliability (example: a signed contract)
Secondary evidence
a copy of evidence or an oral description; not as reliable or strong as best evidence (e.g. witness testimony or copies of the original documents)
Direct evidence
does not need backup information, as it can prove a fact by itself (e.g. eyewitness testimony); a case cannot rest on direct evidence alone
Conclusive evidence
irrefutable and cannot be contradicted; overrides all other evidence
opinion evidence
"opinion rule: a witness testifies only to the facts of the issue, not their opinion
expert witness: used primarily for educated opinion
non-expert: can testify only to facts"
hearsay evidence
third-party, secondhand oral or written evidence with hardly any proof of reliability or accuracy
Computer evidence by default is hearsay
Computer Forensics Procedure
"-Digital forensic assessments, such as media analysis, disk imaging, cross-drive analysis, content analysis, live analysis, steganography, etc.
-Network analysis includes analysis of network logs and network activity for use as potential evidence from email, etc.
-Software analysis, such as reverse engineering of code that was used to perform the attack, malicious code review, what's left over after the attack, and exploit review to check which files were damaged and what data was taken."
IDS
detection of any unauthorized intrusion into a network, server, or system. Used to detect suspicious activity on the network and send an alarm to the network administrator
False +
?
False -
?
True +
?
True -
?
NIDS
Network-based IDS; can be either a dedicated appliance or a system with its NIC in promiscuous mode and the necessary software installed
HIDS
Host IDS, monitors for malicious or anomalous activity on a workstation or a server
HIDS and NIDS Types
"-signature based
-statistical anomaly based: traffic anomaly, protocol anomaly
-rule based- model based, stateful matching"
Honeypot
"-the system is not hardened or locked down and has services enabled and open ports
-this leads the attacker to think the server is a production server, so that the attacker's methods can be studied"
network sniffer
devices used to intercept and log traffic over a network
Enticement
honeypot
Entrapment
fool someone to commit a crime
Security Information and Event Management or SIEM
Security Information and Event Management or SIEM is a set of technologies involved in analysis and correlation of information collected and aggregated about access controls and some system activities.
characteristics of SIEM
"-Raw information is stored from various systems logs
-Information is aggregated in a single repository
-Information is normalized to make comparisons more meaningful
-It processes, maps, and extracts target information by analytical tools
-acts as an alerting tool
-acts as a reporting tool
-provides near real-time reporting
-used as a decision support system for security operation centers
-complex and expensive to implement
-can be vulnerable to attacks."
Continuous Monitoring System
must meet the organization's security requirements. The security architect must design and implement a continuous monitoring program that protects the organization's critical information assets.
Continuous Monitoring as a Service (CMaaS)
?
Egress filtering
prevents unauthorized or malicious traffic from leaving the internal network. Information flowing from the internal network to the internet is monitored and controlled (PCI DSS)
DLP
?
Steganography and Digital Watermarking
Steganography involves concealing the existence of data by hiding it in some other medium such as a picture, audio, or video file. It is used to insert digital watermarks on images to identify illegal copies. It is also used to send secret messages through emails.
Operational Resilience
"-Maintain the expected SLAs
-Anticipate disruptions
-Maintain process and procedures to ensure timely detection and response
-Ensure IT environment is prepared for any threat"
Threat
in the security operations domain can be defined as the presence of any potential event that could cause harm by violating security. For example, an operator's abuse of privileges that violates confidentiality.
Vulnerability
is defined as a loophole or weakness in a system that enables security to be violated. For example, weak implementation of the separation of duties.
Asset
is any computing resource or ability such as hardware, software, data, and personnel.
Threats to Operations
Unauthorized disclosure, Corruption and Improper Modification, Interruption, Destruction and Theft
Operations and Vulnerabilities
"Traffic or trend analysis
Maintenance accounts
Initial Program Load
Data-scavenging attacks
social engineering
network address hijacking"
Operations and Controls
Preventative, detection, corrective, deterrent, application
Anti-Malware Systems
"Malware includes viruses, worms, Trojan horses, and spyware; organizations respond to the risk by implementing antivirus and antispyware controls.
Malware has the capacity to disrupt the operation of user workstations as well as servers, which could result in: loss of business information, disclosure or compromise of business information, corruption of business information, disruption of business information processing, inability to access business information, and loss of productivity.
The two ways to protect against malware are to apply defense in depth to protect assets and to install central anti-malware management."
Violation tracking
processing, and analysis are commonly used to track anomalies in user activities.
clipping level
is a baseline of user activity registering a routine level of user errors. A clipping level enables a system to ignore normal user errors. When the clipping level is exceeded, a violation record is produced. Clipping levels are also used for variance detection.
Profile-based anomaly detection
uses profiles to look for abnormalities in user behavior. A profile is a pattern that characterizes the behavior of users. Patterns of usage are established based on the activities the users engage in, such as processing exceptions, resource utilization, and patterns in actions performed. The ways in which the various types of activity are recorded in the profile are referred to as profile metrics.
Clipping levels and profile-based anomaly detection
are used to check mistakes repeated more than the clipping level number, unrestricted access for many individuals, authority exceeded by individuals, and serious intrusion attempt patterns.
trusted recovery
ensures that security is not breached when a system failure or discontinuity occurs. It must ensure that the system is restarted without compromising its required protection scheme and that it can recover and roll back without being compromised after the failure.
The common criteria describe the three hierarchical trusted recovery types.
Manual recovery, automated recovery, automated recovery without undue loss
Manual recovery
the system administrator intervention is required to return the system to a secure state after a crash.
Automated recovery
the recovery to a secure state is automatic and no intervention when resolving a single failure. However, manual intervention is required while resolving additional failures.
Automated recovery without undue loss
it is similar to automated recovery. It is a higher level of recovery defining prevention against the undue loss of protected objects.
Full backup
all changes
Incremental backup
is since the last backup (could have been any type)
differential backup
is since the last FULL backup
RAID 0
or Striping creates one large disk by using several disks. It stripes data across all disks without providing redundancy.
RAID 1
is commonly called Mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in a high cost per megabyte of data capacity. This level effectively doubles the number of hard drives needed. Therefore, it is the best option for smaller-capacity systems. 50% of capacity is lost; reads are fast
RAID 3
or byte-level parity. Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not desirable due to the lack of redundancy. With RAID 3, data at the byte level is striped across multiple disks. An additional disk, used for storage of parity information, is used for recovery in the event of a failure. 1/3 of capacity is lost; parity is stored on one disk and may lead to a bottleneck
RAID 4
or striped set with dedicated parity (block level) provides the exact same configuration and functionality as RAID Level 3, but stripes data at the block level rather than at the byte level.
RAID 5
or Interleave parity stripes the data and the parity information at the block level across all the drives in the set. With n disks of size S, usable capacity is S*(n-1); protects against one HD failure
RAID 6
or double parity extends the capabilities of RAID Level 5 by computing two sets of parity information. The dual parity distribution accommodates the failure of two drives. Protects against two HD failures
RAID 10
or Striping and Mirroring is an example of a nested RAID level. RAID Level 1+0 is considered superior to RAID Level 0+1 in terms of speed and redundancy.
database shadowing
database information is simultaneously written or duplicated to another server.
Electronic vaulting
copies the backup data in a batch process to an offsite location.
Remote journaling
allows full synchronization of sites by transferring live data to offsite locations.
For backups and offsite storage
the frequency of backups required by the business for optimum recovery must be ensured. As a security measure, the backup tapes are stored at an offsite location.
BCP Planning
"1-define scope
2-identify potential disasters
3-define the strategy
4-calculate funding"
NIST 800-34 for DR
implementation, testing, and training is the sixth phase to achieve a comprehensive Business Continuity Plan or BCP, or Disaster Recovery Plan or DRP.
structured walkthrough or tabletop
performed prior to in-depth testing; reviews the approach, helps practice in a structured manner, and helps identify gaps and errors
simulation test
also known as a walkthrough drill; helps the team members carry out the recovery process. It simulates a disaster and the teams need to respond as directed by the DRP
parallel processing
uses transactional data and an alternate computing system; does not interrupt production
partial and complete business interruption
highest fidelity; exercised with extreme caution; requires stopping normal business processes; requires fully redundant and load-balanced operations
Defense in depth
??
National Cyber Security Framework Manual
?
Perimeter Intrusion Detection
"Open terrain sensors are best suited to flat, cleared areas. Heavily or irregularly contoured areas are not conducive to open terrain sensing systems.
Open terrain sensors include:
-Infrared
-Microwave systems
-Combination or dual technology
-Vibration sensors
-New emerging video content analysis systems
-Motion path analysis or CCTV systems."
types of Open terrain sensors
"Infrared sensors
Microwave systems
Time Domain Reflectometry (TDR) Systems
Video Content Analysis and Motion Path Analysis"
two kinds of infrared sensors
"Passive infrared sensors,
Active infrared sensors."
Passive infrared sensors
"are designed for human body detection.
They detect the heat emitted by animate forms.
A passive infrared sensor works in the following manner:
At first, the system records measurable changes in a specific area as a means of detecting unauthorized intrusions.
When the unit registers changes in temperature in its area of detection, it relays the information to a processor. The processor measures the change according to detection parameters.
If the change falls outside the parameters, the processor sends a signal to the unit's alarm"
Active infrared sensors
transmit an infrared signal via a transmitter to a receiver. Interruption of the normal infrared (IR) signal indicates that an intruder or object has blocked the path. The beam can be narrow in focus, but should be projected over a cleared path.
microwave signals
can pass through concrete and steel and must be applied with care; otherwise, false alarms may occur due to faulty microwave patterns.
Microwave sensors
"come in two configurations: bistatic and monostatic.
-A bistatic microwave sensor sends an invisible volumetric detection field that fills the space between a transmitter and receiver.
-Monostatic microwave sensors use a single sensing unit that incorporates both the transmitting and the receiving functions."
Time Domain Reflectometry Systems or TDR
send induced radio frequency or RF signals down a cable that is attached to the fence fabric. When the conductor cable is bent or flexed, it creates a signal path flaw that can be converted to an alarm signal.
Video Content Analysis and Motion Path Analysis
"-It is the latest technology for intrusion detection. It uses sophisticated software analysis of camera images, such as video content analysis and motion path analysis
-An example is a Closed-circuit television or CCTV
-CCTV camera systems are increasingly used as intrusion detection systems. Application of complex algorithms to digital CCTV camera images allows CCTV systems to detect intruders.
-The software programming can detect pixel changes to differentiate and filter out normal video events such as leaves moving or snow fall from true alarm events."
Data in Use (End Point)
Data in use is perhaps the most challenging aspect of DLP. Data in use primarily refers to monitoring data movement stemming from actions taken by end-users on their workstations, whether that would entail copying data to a thumb drive, sending information to a printer, or even cutting and pasting between applications.
Common DLP Capabilities
"1-Policy Creation and Management - Policies (rule sets) dictate the actions taken by the various DLP components. Most DLP solutions come with preconfigured policies (rules) that map to common regulations. It is just as important to be able to customize these policies or build completely custom policies.
2-Directory Services Integration - Integration with directory services allows the DLP console to map a network address to a named end-user.
3-Workflow Management - Most full DLP solutions provide the capacity to configure incident handling, allowing the central management system to route specific incidents to the appropriate parties based on violation type, severity, user, and other such criteria.
4-Backup and Restore - Backup and restore features allow for preservation of policies and other configuration settings.
5-Reporting - A reporting function may be internal or may leverage external reporting tools."
Least Privilege
- The system administrator often does not require access to every system and function in an organization. Determine what access is needed and apply accordingly.
Monitoring
- If possible, the system administrator's actions should be logged and sent to a separate system that the system administrator does not control. The logs should be reviewed with change or configuration management requests to determine if only authorized actions are taking place.
Separation of Duties
- An administrator should not have the ability to engage in malicious activities without collusion.
Background Investigation
- A background investigation should be conducted to determine if the system administrator has abused the role in the past or may be vulnerable to blackmail or extortion attempts.
Job Rotation
- System administrators should be subject to job rotation. It ensures another individual must perform the original system administrator's
Need-to-Know / Least Privilege
The principle of least privilege is one of the most fundamental characteristics of access control for meeting security objectives. Least privilege requires that a user or process be given no more access privilege than necessary to perform a job, task, or function. The objective is to limit users and processes to access only resources and tools necessary to perform assigned functions.
Background Investigation
- A background investigation should be conducted to determine if the operator has abused the role in the past or may be vulnerable to blackmail or extortion attempts.
Information Lifecycle
consists of creation, use, and finally destruction.
Tangible assets
are physical and fall under the category of traditional property.
Intangible assets
are not physical and fall under the categories of intellectual property.
two primary types of virtualization
block and file virtualization
Block virtualization
refers to the abstraction (separation) of logical storage (partition) from physical storage so that it may be accessed without regard to physical storage or heterogeneous structure. This separation allows the administrators of the storage system greater flexibility in how they manage storage for end-users.
File virtualization
eliminates the dependencies between the data accessed at the file level and the location where the files are physically stored. This provides opportunities to optimize storage
Host-based virtualization
requires additional software running on the host (in Linux, the Logical Volume Manager or LVM; in Solaris and FreeBSD, ZFS's zpool layer; in Windows, the Logical Disk Manager or LDM) that performs virtualization tasks.
Storage Device-based
A primary storage controller provides the virtualization services and allows the direct attachment of other storage controllers.
Network-based
storage virtualization operating on a network-based device (typically a standard server or smart switch) and using iSCSI or Fibre Channel (FC) networks to connect as a SAN.
Signature- or Pattern-Matching systems
- Examine the available information (logs or network traffic) to determine if it matches a known attack.
Protocol Anomaly-Based systems
- Examine network traffic to determine if what it sees conforms to the defined standard for that protocol, for example, as it is defined in a Request for Comment or RFC.
Statistical-Anomaly-Based systems
- Establish a baseline of normal traffic patterns over time and detect any deviations from that baseline. Some also use heuristics to evaluate the intended behavior of network traffic to determine whether it is intended to be malicious or not. Most modern systems combine two or more of these techniques to provide a more accurate analysis before deciding whether an attack is present.
IDS Engine Methods
"There are two basic IDS analysis methods:
-pattern matching (also called signature analysis)
-anomaly detection."
Stateful Matching Intrusion Detection
takes pattern matching to the next level. It scans for attack signatures in the context of a stream of traffic or overall system behavior rather than the individual packets or discrete system activities.
Statistical Anomaly-Based Intrusion Detection
The statistical anomaly-based IDS analyzes event data by comparing it to typical, known, or predicted traffic profiles in an effort to find potential security breaches.
Protocol Anomaly-Based Intrusion Detection
A protocol anomaly-based IDS identifies any unacceptable deviation from expected behavior based on known network protocols. For example, if the IDS is monitoring an HTTP session and the traffic contains attributes that deviate from established HTTP session protocol standards, the IDS may view that as a malicious attempt to manipulate the protocol, penetrate a firewall, or exploit a vulnerability.
Traffic Anomaly-Based Intrusion Detection
A traffic anomaly-based IDS identifies any unacceptable deviation from expected behavior based on actual traffic structure.
Surviving Site
- A surviving site strategy is implemented so that while service levels may drop, a function never ceases to be performed because it operates in at least two geographically dispersed buildings that are fully equipped and staffed.
Self-Service
- An organization can transfer work to another of its own locations, which has available facilities and/or staff to manage the time-sensitive workload until the interruption is over.
Internal Arrangement
- Training rooms, cafeterias, conference rooms, etc. may be equipped to support organization functions while staff from the impacted site travels to another site and resumes organization.
Reciprocal Agreements/ Mutual Aid Agreements
- Other similar organizations may be able to accommodate those affected. For example, one law firm may be able to provide office space to another in the event of an outage. This could involve the temporary suspension of non-time-sensitive functions at the organization whose operations are not affected by the outage.
Dedicated Alternate Sites
- Built by the company to accommodate organization function or technology recovery.
Work from Home
- Many organizations today have the capability to have employees work from locations that are remote from a physical office environment.
External Suppliers
- A number of external organizations offer facilities covering a wide range of organization recovery needs from full data centers with a wide range of platforms, alternate site space in physical facilities, mobile units that can be transported to the company site, and temporary staff to provide services when the employees cannot.
No Arrangement
- For low-priority business functions or applications, it may not be cost justified to plan at a detailed level. The minimum requirement would be to record a description of the functions, the maximum allowable lapse time for recovery, and a list of the resources required.
Dual Data Center
"- This strategy is employed for applications that cannot accept any downtime without negatively impacting the organization. The applications are split between two geographically dispersed data centers and either load balanced between the two centers or hot swapped between the two centers. The surviving data center must have enough headroom to carry the full production load in either case.
-Advantages of a dual data center: little or no downtime; ease of maintenance; no recovery required
-Disadvantages of a dual data center: most expensive option; requires redundant hardware, networks, and staffing; distance limitations"
internal Hot Site
- This site is standby ready with all the technology and equipment necessary to run the applications positioned there. The administrator will be able to effectively restart an application in a hot site recovery without having to perform any bare-metal recovery of servers. If this is an internal solution, then often the organization will run non-time-sensitive processes there, such as development or test environments, which will be pushed aside for recovery of production when needed. When employing this strategy, one must keep the two environments as close to identical as possible to prevent problems with O/S levels, hardware differences, capacity differences, etc. from preventing or delaying recovery.
External Hot Site
"- This strategy has equipment on the floor waiting, but the environment must be rebuilt for the recovery. These are services contracted through a recovery service provider. Again, it is important that the two environments be kept as close to identical as possible to prevent problems with O/S levels, hardware differences, capacity differences, etc. from preventing or delaying recovery. Hot site vendors tend to have the most commonly used hardware and software products to attract the largest number of customers to utilize the site. Unique equipment or software would generally need to be provided by the organization either at time of disaster or stored there ahead of time.
-Advantages of internal or external hot site: allows recovery to be tested; highly available; site can be operational within hours
-Disadvantages of internal or external hot site: expensive (internal solution more expensive than external); hardware and software compatibility issues in external sites"
Warm Site
"- A leased or rented facility that is usually partially configured with some equipment but not the actual computers. It will generally have all the cooling, cabling, and networks in place to accommodate the recovery, but the actual servers, mainframe, etc. are delivered to the site at the time of disaster.
Cold Site
- A cold site is a shell or empty data center space with no technology on the floor. All technology must be purchased or acquired at the time of disaster.
-Advantages of warm and cold site: less expensive; available for longer recoveries
-Disadvantages of warm and cold site: not immediately available; not fully testable without extensive work"
Mobile Sites
"Another option available is the mobile site, meaning the data center of an organization is housed in a mobile trailer or possibly a standard sea cargo shipping container.
-advantages of this approach include: highly mobile and relatively easy to transport; modular approach to building data centers; buildings are not required to house equipment
-disadvantages include: "cold site" capability must be built at determined locations; the density and design of the container make upgrading and customizing challenging; maintaining a shipping contract or equipment to move the container in times of disaster can be expensive"
Processing Agreement
Organizations may also choose to create different processing agreements with other organizations. This can take many forms, but typically they can be viewed as reciprocal agreements or outsourced agreements.
Reciprocal Agreements
are between organizations that choose to share the risk of an outage with each other. Each organization commits to host the data and processing of the other in the event of a disaster. Hardest to implement
Outsourcing
To avoid the problems with reciprocal agreements and the cost of building alternative sites, some organizations may choose to outsource their contingency operations and disaster recovery.
The benefits of outsourcing include:
service as needed; all requirements and execution responsibilities are on a third party; little to no capital costs; greater geographical options for continuity and recovery
The disadvantages of outsourcing include:
more proactive testing and assessment to ensure capability is ready; contract disputes should the vendor be unable to perform; vendor lock-in if proprietary systems are deployed; can cost more than building the capability if frequent outages occur
Fail-Safe
Mechanisms focus on failing with a minimum of harm to personnel or systems.
Fail-Secure
Focuses on failing in a controlled manner to block access while the system is in an inconsistent state.
Cold Spare
- A cold spare is a spare component that is not powered up but is a duplicate of the primary that can be inserted into the system if needed. Typically, cold spares will be stored near the system in question and will require someone to manually unpack and insert them into the affected system.
Warm spares
- Are normally already inserted in the system but do not receive power unless they are required.
Hot spares
- Are not only inserted into the system but are powered on and waiting to be called upon as needed. In many cases, the system will be able to work with warm or hot spares automatically and without much human intervention required.
Non-Incident
- These events are typically caused by system malfunctions or human errors, which result in limited to minor disruptions of service. There is a short period of downtime and alternate processing or storage facilities are not required.
Incident
- Events that cause an entire facility or service to be inoperative for a significant amount of time. These events require the enactment of the disaster recovery plan and reporting of information and status to senior management and may involve crisis management.
Severe Incident
- Significant destruction or interruption to an organization's mission, facility, and personnel. These events require the enactment of the DR plan and may involve the building of a new primary facility. These events require senior management reporting and crisis management.
Tabletop Exercise/ Structured Walk-Through Test
A tabletop exercise/ structured walk-through test is considered a preliminary step in the overall testing process and may be used as an effective training tool. However, it is not a preferred testing method. Its primary objective is to ensure that critical personnel from all areas are familiar with the BCP and that the plan accurately reflects the organization's ability to recover from a disaster.
Walk-Through Drill/ Simulation Test
A walk-through drill/ simulation test is somewhat more involved than a tabletop exercise/ structured walk-through test because the participants choose a specific event scenario and apply the BCP to it.
Functional Drill/ Parallel Test
Functional drill/ parallel testing is the first type of test that involves the actual mobilization of personnel to other sites in an attempt to establish communications and perform actual recovery processing as set forth in the BCP. The goal is to determine whether critical systems can be recovered at the alternate processing site and if employees can actually deploy the procedures defined in the BCP.
Full-Interruption/ Full-Scale Test (VALIDATION)
A full-interruption/ full-scale test is the most comprehensive type of test. In a full-scale test, a real-life emergency is simulated as closely as possible. Therefore, comprehensive planning should be a prerequisite to this type of test to ensure that business operations are not negatively affected. The organization implements all or portions of its BCP by processing data and transactions using backup media at the recovery site.
Coaxial Strain-Sensitive Cable
As the cable moves due to strain on the fence fabric caused by climbing or cutting, changes in the electric field are detected within the cable, and an alarm condition occurs. Coaxial strain-sensing systems are readily available and are highly tunable to adjust for field conditions due to weather and climate characteristics.
Time Domain Reflectometry (TDR) Systems
Time Domain Reflectometry (TDR) systems send induced radio frequency (RF) signals down a cable that is attached to the fence fabric. Intruders climbing or flexing a fence create a signal path flaw that can be converted to an alarm signal.
Lighting
Lighting should enable security personnel and employees to notice individuals at night at a distance of 75 feet or more and to identify a human face at about 33 feet.
Continuous lighting
is the most common security lighting system. It consists of a series of fixed lights arranged to flood a given area continuously during darkness with overlapping cones of light.
Standby lighting
has a layout similar to continuous lighting. However, the lights are not continuously lit but are either automatically or manually turned on when suspicious activity is detected or suspected by the security personnel or alarm systems.
Movable lighting
consists of manually operated, movable searchlights that may be lit during hours of darkness or only as needed. The system normally is used to supplement continuous or standby lighting.
Emergency lighting
is a backup power system of lighting that may duplicate any or all of the above systems. Its use is limited to times of power failure or other emergencies that render the normal system inoperative. It depends on an alternative power source such as installed or portable generators or batteries.
Fluorescent lights
are highly efficient and cost effective. However, they are temperature sensitive and while improving are not considered an effective outdoor lighting system. This light is better suited inside buildings and facilities.
Mercury vapor lights
are the preferred security light and disperse a strong white-bluish cast. They have an extended lamp life. However, the downside is that they take some time to reach full light when activated, like the lights at a stadium.
Sodium vapor lights
provide a soft yellow light and are more efficient than mercury vapor. This light is used in areas where fog can be a problem.
Quartz lamps
emit a very bright white light and come on immediately. They typically provide high wattage, from 1500 to 2000 watts, and can be used on perimeters and troublesome areas where high visibility and a daylight scene are required.
IR Light
Infrared Illuminators: The human eye cannot see infrared (IR) light. Most monochrome CCTV (black/ white) cameras can.
Balanced Magnetic Switch (BMS)
- This device uses a magnetic field or mechanical contact to determine if an alarm signal is initiated.
Motion Activated Cameras
- A fixed camera with a video motion feature can be used as an interior intrusion point sensor. In this application, the camera can be directed at an entry door and will send an alarm signal when an intruder enters the field of view.
Acoustic Sensors
- This device uses passive listening devices to monitor building spaces. An application is an administrative building that is normally only occupied in daylight working hours.
Infrared Linear Beam Sensors
- Many recognize this device from spy movies, with the enduring image of secret agents and bank robbers donning special goggles to avoid triggering an active infrared beam.
Passive Infrared (PIR) Sensors
- A PIR sensor (Figure 7.23) is one of the most common interior volumetric intrusion detection sensors. It is called passive because there is no beam. A PIR picks up heat signatures (infrared emissions) from intruders.
- While not only a security application, PIRs are often used as an automatic request to exit (REX) device for magnetically locked doors.
Dual-Technology Sensors
- These provide a common sense approach for the reduction of false alarm rates. For example, this technology uses a combination of microwave and PIR sensor circuitry within one housing. An alarm condition is only generated if both the microwave and the PIR sensor detect an intruder.
Electric Locks
The electric lock is a secure method to control a door. An electric lock actuates the door bolt. For secure applications, dual locks can be used.
Electric Strikes
The difference between an electric strike and an electric lock is in the mechanism that is activated at the door. In an electric-lock door, the bolt is moved. In an electric-strike door, the bolt remains stationary and the strike is retracted.
Magnetic Locks
The magnetic lock is popular because it can be easily retrofitted to existing doors.
Anti-passback
is a strategy where a person must present a credential to enter an area or facility and then again use the credential to "badge out."
Rim Lock
A rim lock is a lock or latch typically mounted on the surface of a door. It is typically associated with a deadbolt type of lock.
Mortise Lock
A mortise lock is a lock or latch that is recessed into the edge of a door rather than being mounted to its surface. This configuration has a handle and locking device all in one package.
Locking Cylinders
The pin tumbler cylinder is a locking cylinder that is composed of circular pin tumblers that fit into matching circular holes on two internal parts of the lock.
Cipher Lock
A cipher lock is controlled by a mechanical keypad, typically 5 to 10 digits. When the keys are pushed in the right combination, the lock will release and allow entry.
Intelligent keys
are keys with a built-in microprocessor, which is unique to the individual key holder and identifies the key holder specifically.
"Instant keys"
provide a quick way to disable a key by permitting one turn of the master key to change a lock.
Safes
Tool-Resistant Safe Class TL-15
...
The UL classifications mean that a Tool-Resistant Safe Class TL-30 will take 30 minutes to break into the safe using tools. A TRTL-30 safe means it will take 30 minutes for a combination of tools and torches to break into the safe. The categories go up to a safe that can resist tools, torches, and explosives.
Vaults (time to entry)
Class M - One quarter hour
Class 1 - One half hour
Class 2 - One hour
Class 3 - Two hours
Containers
Class 6: The container must meet the protection requirements for 30 man-minutes against covert entry and 20 hours against surreptitious entry with no forced entry.