6. System Disruption/Resolution Flashcards
What kind of disasters are there?
- Natural: earthquakes, floods, tornados, fire
- Unintentional human: loss of power, telecommunications, delivery, gas leak
- Intentional human: terrorist attacks, hackers, viruses, vengeful employees
What are examples of vendors for data backup and recovery?
- DEVSource
- Rackspace Hosting
- Kaufman/Rossin
Disaster recovery planning: what must be determined beforehand and how is it determined?
- If a disruption occurs: recovery point objective (RPO) = acceptable data loss, i.e. how far back the restored data may be; recovery time objective (RTO) = acceptable downtime before the service is back
- Determined by: criticality of application, cost, time to recover, security
- Contracting (e.g. with backup-site vendors) is complex and important
Disaster recovery: what are back up facility types?
- Cold site: no computers ($)
- Warm site: computer no data ($$)
- Hot site: everything ($$$)
- Mirrored site: fully redundant ($$$$)
- Reciprocal agreement ($?$)
Disaster recovery: what is cold site?
- Off-site location with electrical and other physical requirements for processing
- No equipment or files (added when needed)
- 1-3 days start-up
- Cheaper
Disaster recovery: what is warm site?
- Off-site location with similar computer hardware
- Does not include backed-up data (delivered when needed)
- More $
Disaster recovery: what is hot site?
- Completely equipped including data
- Near-immediate (within hours) operation
- Big $$$ (e.g. medical, credit card systems)
Disaster recovery: what is mirrored site?
- Fully redundant, fully staffed, fully equipped
- Real-time replication of mission-critical systems
- e.g. credit card processing
Disaster recovery: what is reciprocal agreement?
- Mutual aid pact
- Agreement between 2 or more organizations to aid each other with data processing if disaster strikes
- May be cold, warm, or hot
What are the purposes of organizational continuity planning (OCP)?
- Identify and plan for disruptions
- Integrate into business culture
- Recall risk management lesson/discussion (CGIC): integrate OCP into risk management
What is BRM or ORM?
Business risk management / Organizational risk management
What is BCP or OCP?
Business continuity planning / Organizational continuity plan
*Process of risk assessment, contingency planning, and long-term continuity maintenance
What is BIA?
Business impact analysis: Risk analysis portion of BCP.
*Identifies maximum tolerable interruption periods of an organization by function and activity to assess risk importance and consequences.
What are the 6 steps of OCP/BCP?
- Create an OCP policy and program
- Determine critical functions/business risks
- Determine continuity strategies
- Develop and implement BCM response
- Exercise, maintain, and update plan
- Embed BCP plan into the culture
What is incident management?
Map level of incidents to events to responses.
- E.g. 0=negligible event (e.g. power spike), 7=crisis (pandemic virus and World Trade Center attack)
- Responses mapped to level of incidents
What are the 3 classes of critical functions in an organization?
- Mission critical: customer facing services, manufacturing, financials
- Business critical: ERP systems, payroll, order entry
- Task critical: print service, file service
Backup plans: What does an organization want to recover from?
From equipment failures, power failures and errors.
Backup plans: what should be done?
- Maintain at least one remote archive off-site
* Use redundant (multiple) backups (the “Whack-a-Mole” plan)
Backup plans: what are 8 control principles?
- At least one off-site archive
- Controls over storage libraries mirror those for data processing sites
- Many organizations outsource - choosing a vendor, consider availability, standardization, capacity, speed, and price
- Backup procedures may be full (all data), incremental (only data changed since the last backup of any kind) or differential (all data changed since the last full backup); a restore needs the last full plus either every incremental taken since it, or only the latest differential
- Maintain inventory of backups that identifies data set name, volume serial number, date created, accounting period, and storage location (e.g. bin)
- Consider privacy, security and confidentiality of the data (e.g. HIPAA)
- Restoration procedures integrated into organization’s continuity plan (OCP)
- Backup and restoration procedures regularly tested and reviewed
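The full/incremental/differential distinction above decides how many backup sets a restore has to read. The following added example (not part of the flashcards; the files, change history and schedule are constructed) simulates a mixed schedule and computes the minimal restore chain for any day:

```python
"""Full, incremental and differential backups, and the restore chain each needs.

Added example; the file system, change history and schedule are constructed."""
from dataclasses import dataclass


@dataclass
class Backup:
    day: int
    kind: str      # "full", "incremental" or "differential"
    files: dict    # file name -> content captured in this backup set


def take_backups(daily_changes, schedule):
    """Simulate a backup schedule over consecutive days.

    daily_changes[d]: files written on day d (name -> content).
    schedule[d]:      kind of backup taken at the end of day d.
    Returns the backup sets in the order they were taken."""
    live, mtime = {}, {}               # live files and the day each was last written
    last_full_day = last_backup_day = -1
    backups = []
    for day, (changes, kind) in enumerate(zip(daily_changes, schedule)):
        live.update(changes)
        for name in changes:
            mtime[name] = day
        if kind == "full":                  # everything
            files = dict(live)
            last_full_day = day
        elif kind == "incremental":         # changed since the last backup of any kind
            files = {n: c for n, c in live.items() if mtime[n] > last_backup_day}
        elif kind == "differential":        # changed since the last full backup
            files = {n: c for n, c in live.items() if mtime[n] > last_full_day}
        else:
            raise ValueError(f"unknown backup kind {kind!r}")
        backups.append(Backup(day, kind, files))
        last_backup_day = day
    return backups


def restore_chain(backups, target_day):
    """Minimal ordered list of sets needed to rebuild the state as of target_day.

    Walk backwards from the newest usable set: incrementals are needed one by
    one; a differential already holds everything since the last full, so the
    walk jumps straight to that full."""
    usable = [b for b in backups if b.day <= target_day]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target day")
    chain = []
    for b in reversed(usable):
        chain.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":
            chain.append(fulls[-1])      # latest full, guaranteed to precede b
            break
    chain.reverse()
    return chain


def restore(backups, target_day):
    """Apply the chain in order; later sets overwrite older copies of a file."""
    state = {}
    for b in restore_chain(backups, target_day):
        state.update(b.files)
    return state


# Constructed seven-day history: three files and a mixed schedule.
SAMPLE_CHANGES = [
    {"a": "a0", "b": "b0", "c": "c0"},   # day 0
    {"a": "a1"},                          # day 1
    {"b": "b2"},                          # day 2
    {"a": "a3"},                          # day 3
    {"c": "c4"},                          # day 4
    {},                                   # day 5
    {"d": "d6"},                          # day 6
]
SAMPLE_SCHEDULE = ["full", "incremental", "incremental", "differential",
                   "incremental", "differential", "full"]

if __name__ == "__main__":
    sets = take_backups(SAMPLE_CHANGES, SAMPLE_SCHEDULE)
    for b in sets:
        print(f"day {b.day}: {b.kind:<12} {len(b.files)} file(s) {sorted(b.files)}")
    for day in (2, 3, 4, 5, 6):
        chain = [(b.day, b.kind) for b in restore_chain(sets, day)]
        print(f"restore to day {day}: {chain} -> {restore(sets, day)}")
```

Incrementals keep each backup small but lengthen the restore chain (and a single unreadable incremental breaks everything after it); differentials grow until the next full but a restore never needs more than two sets. That trade-off is what the RTO in the recovery plan should drive.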
What is a backup procedure: archive procedures - old school?
"Grandfather, father, son" rotation:
- son: newest backup (e.g. daily)
- father: one generation older (e.g. weekly)
- grandfather: two generations older (e.g. monthly); media are reused in rotation so three generations are always retained
- Mostly related to batch processing
What is checkpoint and restart?
A backup procedure - Common in batch processing.
Checkpoint:
*Point where processing accuracy is verified
*Periodic backups
*If problem, return to most recent checkpoint and restart
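An added example of checkpoint and restart for a batch job (not from the flashcards; the records are constructed). The checkpoint file records the next record to process and a control total; the total is re-verified against an independent recomputation before each checkpoint is written, which is the "processing accuracy is verified" step, and a run that fails resumes from the last checkpoint instead of from the beginning:

```python
"""Checkpoint and restart for a batch job.

Added example: the records are constructed; the checkpoint is a JSON file
holding the next record to process plus a control total that is re-verified
at every checkpoint before it is written."""
import json
import os
import tempfile


class SimulatedCrash(Exception):
    """Raised to imitate a failure part-way through a run."""


def run_batch(records, checkpoint_path, every=3, crash_after=None):
    """Process `records` in order, checkpointing every `every` records.

    If a checkpoint exists the run resumes from it, so work completed before
    the last checkpoint is never repeated. Returns (state, processed_this_run).
    crash_after: raise SimulatedCrash after that many records in this run."""
    state = {"next": 0, "total": 0}
    if os.path.exists(checkpoint_path):
        with open(checkpoint_path) as fh:
            state = json.load(fh)
    processed = 0
    for i in range(state["next"], len(records)):
        state["total"] += records[i]["amount"]
        state["next"] = i + 1
        processed += 1
        at_checkpoint = state["next"] % every == 0 or state["next"] == len(records)
        if at_checkpoint:
            # Verify accuracy before trusting the checkpoint: the running total
            # must equal an independent recomputation over the records consumed.
            expected = sum(r["amount"] for r in records[: state["next"]])
            if expected != state["total"]:
                raise RuntimeError("control total mismatch at checkpoint")
            tmp = checkpoint_path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(state, fh)
            os.replace(tmp, checkpoint_path)   # atomic: never a half-written checkpoint
        if crash_after is not None and processed == crash_after:
            raise SimulatedCrash(f"failed after record {i}")
    return state, processed


SAMPLE_RECORDS = [{"id": n, "amount": 10 * n} for n in range(1, 9)]   # 10, 20, ..., 80


def demo(records=SAMPLE_RECORDS, every=3, crash_after=4):
    """First run crashes after `crash_after` records; second run restarts from
    the last checkpoint. Returns (final total, records processed in run 2)."""
    with tempfile.TemporaryDirectory() as tmpdir:
        ckpt = os.path.join(tmpdir, "batch.ckpt")
        try:
            run_batch(records, ckpt, every=every, crash_after=crash_after)
            raise AssertionError("expected the simulated crash")
        except SimulatedCrash:
            pass
        state, second = run_batch(records, ckpt, every=every)
        return state["total"], second


if __name__ == "__main__":
    print(demo())   # the second run redoes only the record after the last checkpoint
```

With a checkpoint every 3 records and a crash after the 4th, the restart re-reads record 4 and continues; anything a job does with side effects (posting, printing, sending) therefore has to be idempotent or keyed on the checkpoint, or the restart double-posts.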
What is rollback and recovery?
A backup procedure - Common to online, real-time processing
- Record processing transactions in log
- Periodically record master file contents
- If problem, return to good master file and reprocess subsequent transactions
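An added example of rollback and recovery for an online system (not from the flashcards; the master file and transactions are constructed). Transactions are written to the log before the master file is updated, the master is copied periodically, and recovery reloads the last good copy and reprocesses only the logged transactions with a higher sequence number:

```python
"""Rollback and recovery for an online system: write-ahead transaction log
plus periodic copies of the master file.

Added example with a constructed master file and transactions."""
import copy


def apply_txn(master, txn):
    """Apply one logged transaction to the master file (account -> balance).
    Deterministic, so replaying the log reproduces exactly the same state."""
    acct, op, amount = txn["acct"], txn["op"], txn["amount"]
    if op == "deposit":
        master[acct] = master.get(acct, 0) + amount
    elif op == "withdraw":
        master[acct] = master.get(acct, 0) - amount
    elif op == "transfer":
        master[acct] = master.get(acct, 0) - amount
        master[txn["to"]] = master.get(txn["to"], 0) + amount
    else:
        raise ValueError(f"unknown op {op!r}")


class OnlineSystem:
    def __init__(self, master):
        self.master = master
        self.log = []          # append-only transaction log, written before apply
        self.seq = 0           # sequence number of the last logged transaction
        self.snapshots = []    # (seq, copy of master) recorded periodically

    def process(self, txn):
        """Log first (write-ahead), then update the master file."""
        self.seq += 1
        entry = {"seq": self.seq, **txn}
        self.log.append(entry)
        apply_txn(self.master, entry)
        return self.seq

    def snapshot_master(self):
        """Periodically record the master file contents together with the
        sequence number they reflect."""
        self.snapshots.append((self.seq, copy.deepcopy(self.master)))

    def recover(self):
        """Roll back to the last good master copy and reprocess every logged
        transaction with a higher sequence number. Returns the number replayed."""
        good_seq, good_master = self.snapshots[-1]
        master = copy.deepcopy(good_master)
        replayed = 0
        for entry in self.log:
            if entry["seq"] > good_seq:
                apply_txn(master, entry)
                replayed += 1
        self.master = master
        return replayed


def demo():
    """Corrupt the live master file after some transactions and recover it.
    Returns (recovered master, transactions replayed)."""
    system = OnlineSystem({"A": 100, "B": 50})
    system.process({"acct": "A", "op": "deposit", "amount": 20})              # A=120
    system.process({"acct": "B", "op": "withdraw", "amount": 10})             # B=40
    system.snapshot_master()                                                   # good copy at seq 2
    system.process({"acct": "A", "op": "transfer", "to": "B", "amount": 30})  # A=90, B=70
    system.process({"acct": "B", "op": "deposit", "amount": 5})               # B=75
    system.master = {"A": -999}          # simulate corruption of the live master file
    replayed = system.recover()
    return system.master, replayed


if __name__ == "__main__":
    print(demo())
```

The log must be durable before the master is touched (the write-ahead order in process), and replay must be deterministic; a transaction whose outcome depends on anything outside the log (current time, an external lookup) cannot be recovered this way.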
What are fault-tolerant systems?
A network-enabled backup procedure.
- Operate despite component failure (include redundancy and correction for component failure)
- e.g. space flight, commerce, bank credit card processing
What are HACs?
High-availability clusters = a network-enabled backup procedure.
- Computer clusters designed to improve service availability.
- Common in e-commerce
What is remote (online) backup by managed provider?
A network-enabled backup procedure.
*Automated, outsourced to experts, off-site, can be continuous
What are SANs?
Storage Area Networks = a network-enabled backup procedure.
- Replicate data from multiple sites
- Data immediately available
- Efficient storage for servers
What is mirroring?
A network-enabled backup procedure.
- Maintain exact copy of data set
- Files are stored in same format as system (e.g. not zipped)
- Advantage: very fast
- Disadvantage: storage hog, very expensive
Who commits cyber-crime?
- Nation-states and spies: some foreign nations
- Industrial spies: seek intellectual property and trade secrets for competitive advantage
- Organized crime: e.g. blackmail and extortion
- Hacktivists: social or political statements (e.g. Anonymous)
- Hackers and crackers: for fun and challenge
What are 4 categories of computer crime?
- Computer or system as target: e.g. denial of service (DoS) attacks and hacking
- Computer as subject: system compromised and used to attack others, e.g. infected machines used in DoS attacks
- Computer as tool: access data or resources. e.g. unauthorized access breaches, phishing, key loggers
- Computer as symbol/user as target: variation on computer as tool. Deceive user to obtain access. e.g. social engineering
What are 4 ways for preventing and detecting computer crimes?
- Make crime harder: i.e. less likely
- Increase the costs (difficulty) of crime
- Improve detection methods
- Reduce losses
List computer attack methods.
- Back door
- Botnets
- Denial of Service (DoS)
- Eavesdropping
- Email bombing
- Logic bomb
- Malware: e.g. viruses, worms, trojan horse
- Packet sniffing: e.g. Man-in-the-Middle
- Password crackers
- Session hijacking and masquerading
- Salami fraud
- Social engineering/spoofing: e.g. phishing
- Spam
- War chalking, driving, walking
What is Back door?
- Software allowing unauthorized entry to a system by bypassing the logon procedure
- Once common among programmers to facilitate development
What are Denial of Service attacks?
- Prevent legitimate users from accessing systems
- E.g. by flooding a server with incomplete connection requests (half-open TCP handshakes) until it can accept no more
- Often use botnets (zombie computers), making the attack a distributed DoS (DDoS)
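An added example of detecting the half-open flood described above (not from the flashcards; the log lines are constructed in a simple key=value form standing in for a capture or firewall log). A client SYN opens a half-open entry and the client's ACK closes it; whatever never completes is counted per source and per destination socket:

```python
"""Spot a half-open (SYN) flood in a connection log.

Added example: the log lines are constructed; real input would be a packet
capture or a firewall/conntrack log with the same fields."""
import re
from collections import defaultdict

LINE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z]+)"
)


def parse(lines):
    """Yield one dict per well-formed line, skipping anything else."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            event = m.groupdict()
            event["t"] = float(event["t"])
            yield event


def half_open(events):
    """Connections whose handshake never completed: a client SYN on a 4-tuple
    with no later client ACK on the same 4-tuple (only client-side packets are
    logged here). Returns counts per source IP and per destination socket."""
    pending = {}
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["src"], ev["sport"], ev["dst"], ev["dport"])
        if ev["flags"] == "S":          # client SYN opens a half-open entry
            pending[key] = ev["t"]
        elif "A" in ev["flags"]:        # client ACK completes the handshake
            pending.pop(key, None)
    per_source, per_dest = defaultdict(int), defaultdict(int)
    for src, _sport, dst, dport in pending:
        per_source[src] += 1
        per_dest[f"{dst}:{dport}"] += 1
    return dict(per_source), dict(per_dest)


def flooders(per_source, threshold=5):
    """Sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in per_source.items() if n >= threshold)


# Constructed capture: one legitimate client completes two handshakes;
# 203.0.113.7 sends six SYNs to the web server and never answers the SYN-ACK.
SAMPLE_LOG = [
    "t=0.01 src=198.51.100.5:51000 dst=192.0.2.10:443 flags=S",
    "t=0.03 src=198.51.100.5:51000 dst=192.0.2.10:443 flags=A",
    *[f"t=0.1{i} src=203.0.113.7:4{i}000 dst=192.0.2.10:443 flags=S" for i in range(6)],
    "t=0.20 src=198.51.100.5:51001 dst=192.0.2.10:443 flags=S",
    "t=0.22 src=198.51.100.5:51001 dst=192.0.2.10:443 flags=A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    per_source, per_dest = half_open(parse(SAMPLE_LOG))
    print("half-open per source:", per_source)
    print("half-open per destination:", per_dest)
    print("flooders:", flooders(per_source))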
What is Eavesdropping?
Unauthorized interception of private communication.
What is email bombing or spamming?
Sending thousands or millions of emails to an address.
What is a Logic bomb?
Program planted in a system that lies dormant until a triggering event or time (e.g. a date, or an employee being deleted from active status)
What is Malware?
Malicious software: exploits system and user vulnerabilities to gain access to or damage a computer.
E.g. Virus: unauthorized program that copies itself into other programs or files; may damage data.
Worm: self-replicating malware that spreads across systems on its own, e.g. by mass-mailing itself
What can organizations do to prevent and detect malware-based unauthorized access?
Virus and spyware detection software.
- To detect and remove malware
- Essential to networked computing
- Should always be active and up-to-date
What is a Trojan horse?
Program hidden inside an apparently benign file; can insert a back door into the system.
What is packet sniffing?
*Identity and authenticity risk
Packet analyzers, network analyzers, and sniffers have network management (legitimate) and data capture (malicious) uses.
Packet = formatted block of data carried by a computer network.
Packet sniffing = capturing packets as they move across a network (passive: the sniffer reads traffic without altering it)
What is a Man-in-the-Middle attack?
An active extension of packet sniffing.
- Attacker sits between the two parties and impersonates each to the other, reading or altering traffic in transit
- Relies on the absence or weakness of mutual authentication between the parties
What are password crackers?
- Privacy and security risk
- Software that generates potential passwords (dictionary words, common patterns, brute force) and tests them to gain access
- Finds weak passwords easily
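An added example of the dictionary attack a password cracker runs, and of the storage choice that blunts it (not from the flashcards; the wordlist, accounts and hashes are constructed). Against unsalted SHA-256 every guess is one cheap hash that tests every account at once; against a salted, iterated hash such as PBKDF2 each guess costs thousands of hashes and has to be repeated per account:

```python
"""Dictionary attack against unsalted SHA-256 password hashes, and why a
salted, slow hash makes the same attack expensive.

Added example: the wordlist, accounts and hashes are constructed."""
import hashlib
import os

WORDLIST = ["password", "letmein", "welcome", "summer", "qwerty"]   # constructed


def candidates(words):
    """Tiny mangling rules: the word, capitalised, each with a digit or '!' appended."""
    for w in words:
        for base in (w, w.capitalize()):
            yield base
            for suffix in "0123456789!":
                yield base + suffix


def crack_sha256(targets, words=WORDLIST):
    """targets: username -> hex SHA-256 of the password. Returns {user: password}.
    Unsalted: one hash per guess, and that one hash is checked against every account."""
    by_hash = {h: user for user, h in targets.items()}
    found = {}
    for guess in candidates(words):
        h = hashlib.sha256(guess.encode()).hexdigest()
        if h in by_hash:
            found[by_hash[h]] = guess
    return found


def pbkdf2_store(password, salt=None, rounds=50_000):
    """Salted, iterated hash for storage. Production settings use far more
    rounds (hundreds of thousands); 50k keeps the demo quick."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def crack_pbkdf2(salt, digest, words=WORDLIST, rounds=50_000):
    """Same guesses as crack_sha256, but every guess costs `rounds` HMAC
    computations and is tied to one salt (one account).
    Returns (password or None, guesses tried)."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, rounds) == digest:
            return guess, tried
    return None, tried


# Constructed accounts: two weak passwords reachable from the wordlist, one not.
SAMPLE_TARGETS = {
    "alice": hashlib.sha256(b"Summer7").hexdigest(),
    "bob": hashlib.sha256(b"letmein!").hexdigest(),
    "carol": hashlib.sha256(b"rQ9#vL2mW!x8pZ").hexdigest(),
}

if __name__ == "__main__":
    print("sha256, unsalted:", crack_sha256(SAMPLE_TARGETS))
    salt, digest = pbkdf2_store("Summer7")
    print("pbkdf2, salted:", crack_pbkdf2(salt, digest))
```

The slow hash does not make a weak password safe (Summer7 still falls in under a hundred guesses); it raises the cost per guess by the round count and removes the one-hash-tests-all-accounts shortcut, which is what makes a leaked password database survivable for users whose passwords are actually strong.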
What is session hijacking and masquerading?
- Identity and authenticity risk
- Hackers can learn a legitimate user's IP address (Internet Protocol address: the identifying number of a device on a network), e.g. via sniffing, and use it to access the network by masquerading as (mimicking) that user; session hijacking takes over an established, already-authenticated session the same way
What is salami fraud (slicing)?
Practice of stealing money repeatedly in extremely small amounts (slices) that individually go unnoticed
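An added example of the audit check that exposes salami slicing (not from the flashcards; the ledger rows are constructed). No single slice is material, so the detection groups tiny credits by beneficiary and looks for one account collecting them from many different sources:

```python
"""Detect salami slicing in a ledger: many tiny credits accumulating in one account.

Added example: the ledger rows are constructed."""


def detect_salami(ledger, max_amount=0.05, min_count=10):
    """ledger: iterable of rows with 'src', 'dst' and 'amount'.
    Returns destination accounts that received at least `min_count` credits of
    `max_amount` or less, with the count, running total and number of distinct
    source accounts (a wide fan-in of tiny amounts is the salami signature)."""
    stats = {}
    for row in ledger:
        if not 0 < row["amount"] <= max_amount:
            continue
        s = stats.setdefault(row["dst"], {"count": 0, "total": 0.0, "sources": set()})
        s["count"] += 1
        s["total"] = round(s["total"] + row["amount"], 2)   # keep to cents
        s["sources"].add(row["src"])
    return {
        acct: {"count": s["count"], "total": s["total"], "sources": len(s["sources"])}
        for acct, s in stats.items()
        if s["count"] >= min_count
    }


# Constructed ledger: ordinary traffic, a merchant with a couple of legitimate
# small cashback credits, and twelve "rounding adjustments" skimmed from twelve
# customer accounts into one employee account.
SAMPLE_LEDGER = [
    {"id": 1, "src": "CUST-001", "dst": "MERCH-77", "amount": 42.50, "memo": "purchase"},
    {"id": 2, "src": "CUST-002", "dst": "MERCH-77", "amount": 0.03, "memo": "cashback"},
    {"id": 3, "src": "CUST-003", "dst": "MERCH-77", "amount": 0.02, "memo": "cashback"},
    {"id": 4, "src": "CUST-004", "dst": "CUST-001", "amount": 250.00, "memo": "transfer"},
] + [
    {"id": 100 + i, "src": f"CUST-{i:03d}", "dst": "EMP-0042",
     "amount": [0.01, 0.02, 0.03][i % 3], "memo": "rounding adj"}
    for i in range(12)
]

if __name__ == "__main__":
    for acct, info in detect_salami(SAMPLE_LEDGER).items():
        print(f"{acct}: {info['count']} credits totalling {info['total']:.2f} "
              f"from {info['sources']} distinct accounts")
```

The thresholds are the weak point: an insider who knows the rule keeps slices just above max_amount or spreads them across several beneficiary accounts, so the check should run alongside a reconciliation of posted totals (interest, fees, rounding) against an independent recomputation.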
What is social engineering?
Seek access by tricking employees.
Can be physical or logical.
What is phishing?
A form of social engineering.
- Fishing for personal information by “spoofed” emails and fraudulent websites
- Fool recipients into divulging personal financial data such as CC numbers, account usernames/passwords, SSN etc.
What is Spam?
Irrelevant or inappropriate messages (email, text, or whatever messaging system comes next) sent to either:
- A large number of recipients
- The same recipients many times (email bombing)
What is war chalking, driving and walking?
- War chalking: draw symbols in public places to indicate available Wi-Fi network access
- War driving: seeking access to Wi-Fi while driving
- War walking: seeking access to Wi-Fi while walking, may lead to war chalking
- War dialing: dialing random phone numbers to find modem/network access (legacy technique)
What should cyber-incident response be based on?
Based on organizational protocol.
What are 10 steps of cyber incident response process?
- Planning for and testing protocol
- Event detection procedures
- Event logging procedures
- Triage and incident analysis
- Containment and removal of threats
- Decision and action regarding event announcement or secrecy
- Incident recovery
- Closure
- Event reporting
- Monitoring and system revisions