Ch. 12 Disaster Recovery & Incident Response

Question 1

Cold Site

Answer 1

A physical site that can be used if the main site is inaccessible but lacks the resources to enable an organization to use it immediately.

Question 2

Differential Backup

Answer 2

Backs up new files or files that have changed since the last full backup. They don’t clear the archive bit upon their completion.

Question 3

Failover

Answer 3

The process of reconstructing a system or switching over to other systems when a failure is detected.

Question 4

False positive

Answer 4

A flagged event that isn’t really a notable incident and has been falsely triggered

Question 5

Hot site

Answer 5

A location that can provide operations within hours of a failure. AKA Active Backup Model

Question 6

Incremental Backup

Answer 6

Includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion

Question 7

Intrusion

Answer 7

The act of entering a system without authorization to do so

Question 8

IDS

Answer 8

Intrusion Detection System - Any set of tools that can identify an attack using defined rules or logic. Can be network based or host based

Question 9

IPS

Answer 9

Intrusion Prevention System - Any set of tools that identify and then actively respond to attacks based on defined rules. Like an IDS (which is passive) an IPS can be network-based or host-based.

Question 10

Intrusive tests

Answer 10

Penetration-type testing that involves trying to break the network

Question 11

Nonintrusive tests

Answer 11

Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network

Question 12

Snapshot

Answer 12

Image of a virtual machine at a moment in time

Question 13

System image

Answer 13

A snapshot of what exists

Question 14

Tabletop Exercise

Answer 14

Involves individuals sitting around a table with a facilitator discussion situations that could arise and how best to respond to them.

Question 15

Vulnerability Scanning

Answer 15

Identifying specific vulnerabilities in your network

Question 16

Warm Site

Answer 16

A site that provides some capabilities in the event of a disaster. The organization will still need to install, configure, and reestablish operations on systems that might already exist int he warm site. AKA reciprocal site or active/active model

Question 17

Working Copy Backup

Answer 17

Copy of data currently in use on a network. Also known as shadow copies.

Question 18

Passive Reconnaissance

Answer 18

Collecting data from public databases, talking to employees/partners, dumpster diving, social engineering

Question 19

Active Reconnaissance

Answer 19

Directly focuses on the systems and its weaknesses. I.e., port scans, traceroute info, network mapping, etc.

Question 20

Pivotting

Answer 20

AKA Island Hopping - a compromised system is used to attack another system on the same network.

Question 21

Three types of testing

Answer 21

Black Box, White Box, and Gray Box

Question 22

Black Box testing

Answer 22

No knowledge of the system, mimics and outside attacker

Question 23

White Box

Answer 23

Significant knowledge of the system, simulates an inside attack, rogue employee

Question 24

Gray Box

Answer 24

Limited knowledge of the system

Question 25

Business Continuity

Answer 25

Concerned with the policies, processes, and methods that an organization follows to minimize the impact of a system failure, network failure, or failure of any key component needed for operation. “Show must go on”

Question 26

Business Continuity Planning (BCP)

Answer 26

Process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes.

Question 27

Two Key Components of BCP

Answer 27

1. Business Impact Analysis (evaluates processes)

2. Risk Assessment (Evaluates risk and likelihood of loss)

Question 28

Critical Business Functions

Answer 28

Processes or systems that must be made operational immediately when an outage occurs.

Question 29

Journaled File System (JFS)

Answer 29

includes a log file of all changes and transactions that have occurred within a set a period of time. A system can check these log files to see which transactions have been committed and which ones have not.

Question 30

Journaling

Answer 30

Creates a JFS on the server

Question 31

Archive Bit

Answer 31

A flag associated with every file that is turned on when the file is created or accessed. Used during backups to determine if a file has changed.

Question 32

Incremental Backup

Answer 32

Only backups data that has been changed since the last full or incremental backup

Question 33

Differential Backup

Answer 33

Backups up data that has changed since the full backup.

Question 34

Hierarchical Storage Management (HSM)

Answer 34

Provides continuous online backup by using optical or tape jukeboxes. Data is continuously backed up and it shows as an infinite disk to the system.

Question 35

Hardware Security Module (HSM)

Answer 35

A method of transient cryptographic key exchange

Question 36

Grandfather, Father, Son Method

Answer 36

Full backups occur at regular intervals, the most recent backup after the full backup is the son. Annual backups are referred to as the grandfather, monthly are the father, and weekly the son. Weekly or daily incremental backups are done between full backups.

Question 37

Full Archival Method

Answer 37

All full backups, incremental backups, and any other backups are stored forever.

Question 38

Backup Server Method

Answer 38

A dedicated server is used for backups

Question 39

Three types of backup methods

Answer 39

1. Grandfather, Father, Son method
2. Full Archival Method
3. Dedicated Backup Server

Question 40

Backout

Answer 40

A reversion from a change that had negative consequences.

Question 41

Six Steps of any Incident Response Process

Answer 41

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Question 42

Incident Response Plan (IRP)

Answer 42

Outlines what steps are needed and who is responsible for deciding how to handle the situation

Question 43

Act in Order of Volatility

Answer 43

Address multiple issues in order of volatility (OOV), the most volatile should be handled first. The amount of time evidence is available can vary and the most volatile will be harder to collect later.

Question 44

Some documentation that should be made during an incident.

Answer 44

1. Capture a system image while it is in an exploited state for future reference
2. Document network traffic and logs - this helps to identify trends during repeated attacks
3. Capture video
4. Record time offset
5. Take Hashes (this is important evidence in identifying known, traceable software applications)
6. Capture screenshots
7. Talk to witnesses
8. Track man hours and expenses
9. Create an after-action report

Question 45

Tabletop Exercise

Answer 45

Simulation of a disaster

Question 46

Five levels of tabletop exercise testing

Answer 46

1. Document review
2. Walkthrough
3. Simulation
4. Parallel test
5. Cutover test

Question 47

Computer Security Incident Response Team (CSIRT)

Answer 47

Incident Response Team - formalized or ad hoc team to respond to an incident after it happens.