3.0 Cyber Incident Response Flashcards by paulo guiao

what does the acronym MTD denote?

maximum tolerable downtime

How well did you know this?

Not at all

Perfectly

what is MTBF?

the estimated amount of time a device will operate before a failure occurs

How well did you know this?

Not at all

Perfectly

what are the four types of personally identifiable information (PII)?

personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother’s maiden name, and biometric characteristicsa unique set of numbers assigned to an individual - such as government ID number, telephone number, driver’s license number, and PINdescriptions of events or points in time - such as arrest records, employment records, and medical recordsdescription of locations or places - such as GPS tracking information

How well did you know this?

Not at all

Perfectly

what does the acronym RTO denote?

recovery time objective

How well did you know this?

Not at all

Perfectly

what does the acronym MTBF denote?

mean time between failures

How well did you know this?

Not at all

Perfectly

what does the acronym RPO denote?

recovery point objective

How well did you know this?

Not at all

Perfectly

which two factors should contribute to incident severity and prioritization?

impact scope and the type of data affected

How well did you know this?

Not at all

Perfectly

which attack is one discovered in live environments for which no current fix or patch exists?

zero-day attack

How well did you know this?

Not at all

Perfectly

what is RTO?

the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences

How well did you know this?

Not at all

Perfectly

which impact scope factor refers to the amount of data corrupted or altered during the incident?

data integrity

How well did you know this?

Not at all

Perfectly

what does the acronym PHI denote?

personal health information

How well did you know this?

Not at all

Perfectly

what is meant by economic factor of an incident?

the cost of the incident to the organization

How well did you know this?

Not at all

Perfectly

which impact scope factor refers to the amount of time taken to recover from the incident?

recovery time

How well did you know this?

Not at all

Perfectly

which attack type targets a specific entity and is carried out over a long period of time?

advanced persistent threat (APT)

How well did you know this?

Not at all

Perfectly

which impact scope factor refers to the amount of time access to resource were interrupted?

downtime

How well did you know this?

Not at all

Perfectly

what is MTD?

the maximum amount of time that an organization can tolerate a single resource or function being down

How well did you know this?

Not at all

Perfectly

what does the acronym PII denote?

personally identifiable information

How well did you know this?

Not at all

Perfectly

what is RPO?

the point in time to which the disrupted resource or function must be returned

How well did you know this?

Not at all

Perfectly

what is the best method to preserve evidence on a computer: bit stream backup or standard backup?

bit stream backup

How well did you know this?

Not at all

Perfectly

what is the order of volatility from most volatile to least volatile?

registers, cacheswap spacerouting table, ARP cache, process table, kernel statistics, and memorytemporary file systemsdiskremote logging and monitoring data that is relevant to the system in question

How well did you know this?

Not at all

Perfectly

what are the FOUR documents/forms that should be part of forensic kit?

chain of custody form, incident response plan, incident form, call list/escalation list

How well did you know this?

Not at all

Perfectly

what is a write blocker?

a tool that permits read-only access to data storage devices without compromising the integrity of the data

How well did you know this?

Not at all

Perfectly

what is the purpose of imaging utilities included in a forensic kit?

to create a bit-level copy of drives

How well did you know this?

Not at all

Perfectly

what are the NINE components that should be included in a forensic kit?

digital forensics workstation2. write blockers3. cables4. drive adaptors5. wiped removable media6. camera7. crime tape8. tamper-proof seals9. documentation/forms

How well did you know this?

Not at all

Perfectly

what is the purpose of the chain of custody form?

it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence

which condition must be true of the hash values of a file to prove the file is unaltered?

the hash values must remain the same

what is a SCADA device?

a system operating with coded signals over communication channels that provides control of remote equipment

what is the purpose of tamper-proof seals?

to ensure that the chain of custody is maintained

what is the purpose of hashing utilities included in a forensic kit?

to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence

what is the proper life cycle of evidence steps?

collection, analysis, storage, court presentation, and return to owner

what is a digital forensics workstation?

a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive

what is the purpose of an incident form?

it is used to describe the incident in detail

why should the proper chain of custody be ensured?

so that evidence will be admissible in court

what is the purpose of the analysis utilities included in a forensic kit?

to analyze the bit-level copy that is created for that purpose

what are the three basic questions answered by the chain of custody?

who controlled the evidencewho secured the evidencewho obtained the evidence

when evidence is seized, which principle should be emphasized?

chain of custody

what is indicated when the hash values on a file are different?

the file has been altered

which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?

upper management

which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?

marketing

what are the FOUR main stakeholder groups for the incident response process?

HR, Legal, Marketing, Management

which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company's software, hardware, or services, and assesses site liability for illegal computer activity?

Legal

what is the role of law enforcement in the incident response process?

to assist the investigation and in some cases take over the investigation when a crime has been committed

which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?

what is the role of the technical IT staff in the incident response process?

to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred

what are the FOUR main purposes of the incident response communication process?

limit communication to trusted partiesdisclosure based on regulatory/legislative requirementsprevent inadvertent release of informationuse secure method of communication

what is data exfiltration?

the unauthorized copying, transfer or retrieval of data from a computer or server

what should you do if you discover rogue devices on the network?

locate and remove them

what happens in vertical privilege escalation?

the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code

what are the SIX network-related symptoms of incidents?

bandwidth consumptionbeaconingirregular peer-to-peer communicationrogue devices on the networkscan sweepsunusual traffic spikes

what is meant by anomalous activity?

activity that is outside the norms

when does an escalation of privileges attack occur?

when an attacker has used a design flaw in an application to obtain unauthorized access to the application

what are scan sweeps?

an attempt by an unauthorized entity to map your network

what happens in horizontal privilege escalation?

the attacker obtains the same level of permissions as he already has but uses a different user account to do so

what are the eight host-related symptoms of an incident?

processor consumptionmemory consumptiondrive capacity consumptionunauthorized softwaremalicious processesunauthorized changes

what is beaconing?

when malware attempts to remotely connect to a command and control host or network

what are the SIX application-related symptoms of incidents?

anomalous activityintroduction of new accountsunexpected outputunexpected outbound communicationservice interruptionmemory overflows

what is the best way to determine the attack vector used by a hacker?

reverse engineering

why should a first responder be familiar with the incident response plan?

to ensure that the appropriate procedures are followed

which eradication technique reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?

reconstruction or re-imaging

what are the FOUR validation techniques?

patching, verifying permissions, scanning, verifying logging/communication to security monitoring

what is the name of the security process that involves recognition, verification, classification, containment, and analysis?

incident response

what are the THREE eradication techniques?

sanitization, reconstruction or re-image, secure disposal

what are the FOUR containment techniques?

segmentation, isolation, removal, reverse engineering

which containment techniques involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?

segmentation

which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?

reverse engineering

what is the name of the group of people appointed to respond to security incidents?

incident response team

which type of review should be completed last as part of incident response?

a post-mortem review

which containment technique involves either by blocking all traffic to and from the device or devices or shutting down the device or devices' interfaces?

isolation

what are the SEVEN steps in a FORENSIC INVESTIGATION?

1. identification2. preservation3. collection4. examination5. analysis6. presentation

which eradication technique removes all tracers of the threat by overwriting the drive multiple times to ensure all data is destroyed?

sanitization

in which location should all changes made to your organization's network and computers be listed?

in the change management system

what are the FIVE steps in the INCIDENT RESPONSE PROCESS?

contain, eradicate, validate, corrective action, reporting

what is incident management?

the activities of an organization to identify, analyze, and correct risks as they are identified