Ch. 12 Disaster Recovery & Incident Response Flashcards
Cold Site
A physical site that can be used if the main site is inaccessible but lacks the resources to enable an organization to use it immediately.
Differential Backup
Backs up new files or files that have changed since the last full backup. They don’t clear the archive bit upon their completion.
Failover
The process of reconstructing a system or switching over to other systems when a failure is detected.
False positive
A flagged event that isn’t really a notable incident and has been falsely triggered.
Hot site
A location that can provide operations within hours of a failure. AKA Active Backup Model
Incremental Backup
Includes only new files or files that have changed since the last full backup, and then clears the archive bit upon completion.
Intrusion
The act of entering a system without authorization to do so
IDS
Intrusion Detection System - Any set of tools that can identify an attack using defined rules or logic. Can be network-based or host-based.
IPS
Intrusion Prevention System - Any set of tools that identify and then actively respond to attacks based on defined rules. Like an IDS (which is passive) an IPS can be network-based or host-based.
Intrusive tests
Penetration-type testing that involves trying to break the network
Nonintrusive tests
Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network
Snapshot
Image of a virtual machine at a moment in time
System image
A snapshot of what exists
Tabletop Exercise
Involves individuals sitting around a table with a facilitator, discussing situations that could arise and how best to respond to them.
Vulnerability Scanning
Identifying specific vulnerabilities in your network
Warm Site
A site that provides some capabilities in the event of a disaster. The organization will still need to install, configure, and reestablish operations on systems that might already exist in the warm site. AKA reciprocal site or active/active model
Working Copy Backup
Copy of data currently in use on a network. Also known as shadow copies.
Passive Reconnaissance
Collecting data from public databases, talking to employees/partners, dumpster diving, social engineering
Active Reconnaissance
Directly focuses on the target systems and their weaknesses, e.g., port scans, traceroute information, network mapping, etc.
Pivoting
AKA Island Hopping - a compromised system is used to attack another system on the same network.
Three types of testing
Black Box, White Box, and Gray Box
Black Box testing
No knowledge of the system; mimics an outside attacker
White Box
Significant knowledge of the system; simulates an inside attack (rogue employee)
Gray Box
Limited knowledge of the system
Business Continuity
Concerned with the policies, processes, and methods that an organization follows to minimize the impact of a system failure, network failure, or failure of any key component needed for operation. “Show must go on”
Business Continuity Planning (BCP)
Process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes.
Two Key Components of BCP
1. Business Impact Analysis (evaluates processes)
2. Risk Assessment (evaluates risk and likelihood of loss)
Critical Business Functions
Processes or systems that must be made operational immediately when an outage occurs.
Journaled File System (JFS)
Includes a log file of all changes and transactions that have occurred within a set period of time. A system can check these log files to see which transactions have been committed and which ones have not.
Journaling
Creates a JFS on the server
Archive Bit
A flag associated with every file that is turned on when the file is created or accessed. Used during backups to determine if a file has changed.
Incremental Backup
Only backs up data that has changed since the last full or incremental backup.
Differential Backup
Backs up data that has changed since the last full backup.
Hierarchical Storage Management (HSM)
Provides continuous online backup by using optical or tape jukeboxes. Data is continuously backed up, and the storage appears to the system as an infinite disk.
Hardware Security Module (HSM)
A method of transient cryptographic key exchange
Grandfather, Father, Son Method
Full backups occur at regular intervals; the most recent backup after the full backup is the son. Annual backups are referred to as the grandfather, monthly backups as the father, and weekly backups as the son. Weekly or daily incremental backups are done between full backups.
Full Archival Method
All full backups, incremental backups, and any other backups are stored forever.
Backup Server Method
A dedicated server is used for backups
Three types of backup methods
- Grandfather, Father, Son method
- Full Archival Method
- Dedicated Backup Server
Backout
A reversion from a change that had negative consequences.
Six Steps of any Incident Response Process
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Incident Response Plan (IRP)
Outlines what steps are needed and who is responsible for deciding how to handle the situation
Act in Order of Volatility
Address multiple issues in order of volatility (OOV), the most volatile should be handled first. The amount of time evidence is available can vary and the most volatile will be harder to collect later.
Some documentation that should be made during an incident
- Capture a system image while it is in an exploited state for future reference
- Document network traffic and logs - this helps to identify trends during repeated attacks
- Capture video
- Record time offset
- Take Hashes (this is important evidence in identifying known, traceable software applications)
- Capture screenshots
- Talk to witnesses
- Track man hours and expenses
- Create an after-action report
Tabletop Exercise
Simulation of a disaster
Five levels of tabletop exercise testing
- Document review
- Walkthrough
- Simulation
- Parallel test
- Cutover test
Computer Security Incident Response Team (CSIRT)
Incident Response Team - A formalized or ad hoc team that responds to an incident after it happens.