Chapter 10 - Incident and Disaster Response Flashcards

1
Q

What three things are successful attacks commonly called?

A

Successful attacks are commonly called:

  • Security Incidents
  • Breaches
  • Compromises
2
Q

What are the four severity levels of incidents?

A

The four severity levels of incidents are:

  1. False Alarm - Also known as a false positive: a reported event that turns out not to be an attack.
  2. Minor Incident - Small virus outbreaks and similar events that on-duty staff can handle.
  3. Major Incident - Beyond the ability of on-duty staff; requires a computer security incident response team (CSIRT) to be assembled and action beyond the IT department.
  4. Disaster - Fire, flood, terrorist attack, and the like; threatens business continuity.
3
Q

Why is speed of response important?

A

Speed of response is important because most attackers will continue to do harm until they are stopped. In addition, attacks often cause systems to fail, and every minute of downtime costs the firm money.

4
Q

What is the purpose of a CSIRT?

A

A CSIRT, or computer security incident response team, is a team of IT and IT security professionals dedicated to resolving an incident, joined by members from legal, public relations, and senior management.

5
Q

What is business continuity?

A

Business continuity is the maintenance of the firm's day-to-day revenue-generating operations.

6
Q

Who should head the business continuity team?

A

A senior manager should head the business continuity team.

7
Q

Why is accuracy of response important?

A

Accuracy is important because haste lessens it: in the rush to fix things, responders can overlook the root cause, and a fix that misses the root cause does not hold.

8
Q

Define incident response in terms of planning.

A

In terms of planning, incident response is only as effective as the plans behind it, yet in most situations no plan will fit exactly. Responders must be prepared to improvise.

9
Q

Why are rehearsals important?

A

Rehearsals are important because they allow a firm to practice plans and procedures that may only come up in a true crisis.

10
Q

What is a walkthrough or table-top exercise?

A

A walkthrough/table-top exercise is the simplest form of rehearsal, where key personnel gather together and discuss, step by step, what each will do during an incident.

11
Q

Why is a live test better than a tabletop?

A

A live test is preferable to a tabletop because actually executing the steps can reveal small flaws that are not apparent when the steps are only discussed.

12
Q

What is the problem with live tests?

A

The main problem with live tests is that they are expensive.

13
Q

Distinguish between detection and analysis.

A

Detection is learning that an incident has occurred. Analysis is understanding the incident: determining what damage it could do and gathering the information needed for containment and recovery.

14
Q

Why is good analysis important for the later stages of handling an attack?

A

In the later stages, good analysis will help uncover the root cause of the issue, and allow for diagnosis and repair.

15
Q

What is escalation?

A

Escalation is raising the priority of an incident, for example passing it from on-duty staff to more senior or specialized responders (up to assembling the CSIRT for a major incident) when it exceeds what the current responders can handle.

16
Q

What is containment?

A

Containment is the method by which the damage is stopped from progressing.

17
Q

Why is disconnection undesirable during containment?

A

Disconnection is undesirable during containment because, while it stops the attack, it prevents legitimate users from using services. This can have significant business impact.

18
Q

What is black holing? Why may this only be a temporary containment solution?

A

Black holing is a method of containment in which all packets from a particular IP address are automatically dropped. It may be only a temporary solution because an attacker can easily switch to a different source address, by spoofing or by attacking from another host.

19
Q

Why might a company allow an attacker to continue working in the system for a brief period of time? Why is this dangerous?

A

A company might allow an attacker to continue working in the system for a brief period of time in order to gather more information on the attacker, provided the damage isn’t too severe. This is dangerous, because the longer the attacker is in the system, the more likely they are to erase their presence from logs, or gain access to do more severe damage.

20
Q

What are the three major recovery options?

A

The three major recovery options are:

  • Repair During Continuing Operation
  • Restoration From Backup Tapes
  • Total Software Reinstallation
21
Q

What are the two main reasons that repair during continuing operation is good?

A

The two main reasons that repair during continuing operation is good are:
A. It reduces downtime.
B. No data is lost, because there is no need to restore from a backup tape.

22
Q

Why may repair during continuing operation not work?

A

Repair during continuing operation may not work because it is not always possible to find all the Trojans, rootkits, and other tools of the break-in.

23
Q

Why is the restoration of data files from backup tapes undesirable?

A

Restoration from tape is undesirable because any data created since the last backup will be lost, and if the attack began before that backup was taken, the restore can reinstall the attacker's Trojans and other tools.

24
Q

What are the potential problems with total software reinstallation?

A

Total software reinstallation loses the data on the system unless it can be restored separately, and it depends on the organization still having the original installation media.

25
Q

How does having a disk image reduce the problems of total software reinstallation?

A

Disk images remove the problem of having to retain the original installation media.

26
Q

What are the three rules for apology?

A

The three rules of apology are as follows:

  1. Acknowledge responsibility and the harm done.
  2. Explain what happened, without technical details.
  3. Explain what actions will be taken to compensate the affected person.
27
Q

Why do companies often not prosecute attackers?

A

There are three main reasons companies often choose to not prosecute attackers:

  • Cost and Effort - Identifying the attacker and supporting a prosecution are difficult and expensive.
  • Probability of Success - The attacker is rarely someone for whom punishment will really matter (a foreign national beyond the court's reach, a teenager, etc.).
  • Loss of Reputation - A public prosecution is an admission that the firm failed to protect its information.
28
Q

What is forensics evidence?

A

Forensics evidence is evidence that is acceptable for court proceedings.

29
Q

Under what conditions will you need to hire a forensics expert?

A

For civil lawsuits (torts), the firm will need a forensics expert, because evidence collected by untrained staff is unlikely to be admissible in court.

30
Q

What is the chain of evidence, and why is documenting it important?

A

The chain of evidence (also called the chain of custody) is the record of every person who has handled a piece of evidence on its way to court and of how it was protected at each step. It must be documented completely; otherwise the evidence can be thrown out on the grounds that it could have been tampered with.

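As an added example (not from the original flashcards or the textbook they summarize), one practical way to support a chain of custody for digital evidence is to hash the item at acquisition and re-hash it at every handoff, so the custody log can show that the evidence was unchanged in each set of hands. The item ID, handler names and sample bytes below are constructed for illustration:

```python
"""Integrity-protected custody log for a piece of digital evidence.
Added example; the item ID, handlers and evidence bytes are assumptions."""
import hashlib
from datetime import datetime, timezone


def sha256_bytes(data):
    """Hex SHA-256 of the evidence bytes; this is the value recorded at each handoff."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who held an item and the hash observed at each handoff."""

    def __init__(self, item_id, data, collected_by):
        self.item_id = item_id
        # Acquisition hash: the baseline every later hash is compared against.
        self.reference_hash = sha256_bytes(data)
        self.entries = [self._entry("acquired", collected_by, self.reference_hash)]

    @staticmethod
    def _entry(action, handler, digest):
        return {
            "action": action,
            "handler": handler,
            "sha256": digest,
            "at": datetime.now(timezone.utc).isoformat(),
        }

    def transfer(self, to_handler, data):
        """Record a handoff: the receiver re-hashes the item and any mismatch is logged."""
        digest = sha256_bytes(data)
        ok = digest == self.reference_hash
        action = "transfer_ok" if ok else "TAMPER_SUSPECTED"
        self.entries.append(self._entry(action, to_handler, digest))
        return ok

    def verify(self):
        """True only if every recorded hash equals the acquisition hash."""
        return all(e["sha256"] == self.reference_hash for e in self.entries)


# Constructed evidence: bytes standing in for a disk image (not a real image).
IMAGE = b"\x00" * 512 + b"constructed image header"


def demo():
    """Two handoffs: one intact, one where the received copy differs from the original."""
    log = CustodyLog("EV-001", IMAGE, "collector")
    log.transfer("lab analyst", IMAGE)        # intact copy: hash matches
    log.transfer("counsel", IMAGE + b"x")     # altered copy: hash mismatch is recorded
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry["action"], entry["handler"], entry["sha256"][:16])
```

The log never overwrites an earlier entry, so a mismatch stays visible even if a later handoff is clean; that is the property a court needs in order to trust that the item was not altered.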
31
Q

Why should a senior manager head the CSIRT?

A

A senior manager must head the CSIRT because all the security decisions made during a major incident are also business decisions.

32
Q

Why should members of affected line departments be on the CSIRT?

A

Members of the line departments affected by the major incident should be a part of the CSIRT because they will have knowledge of the impact of the incident.

33
Q

Who is the only person who should speak on behalf of the CSIRT?

A

The head of public relations is the only person who should speak on behalf of the firm, and therefore of the CSIRT, about the incident.

34
Q

Why should both the Police and the FBI be called in the case of an attack?

A

Both the police and the FBI should be called in the case of an attack because it is not certain which of them will have jurisdiction over a particular crime.

35
Q

What different actions do criminal and civil law deal with?

A

Criminal law deals with violations of criminal statutes, which are laws that prohibit specific behaviors. Civil law deals with interpretations of the rights and duties that companies or individuals have relative to one another.

36
Q

How do punishments differ in civil and criminal law?

A

Punishment in criminal law generally deals with jail time and fines, whereas civil law generally deals with monetary penalties or orders to take or not take action.

37
Q

Who brings lawsuits in civil and criminal cases?

A

In a criminal case a prosecutor, acting for the government, brings charges against a defendant; in a civil case the plaintiff brings the lawsuit against the defendant.

38
Q

What is the normal standard for deciding a case in civil and criminal cases?

A

In a criminal case, the prosecutor must prove beyond a reasonable doubt that the defendant is guilty. In a civil case, the plaintiff must prove by a preponderance of the evidence (that the claim is more likely true than not, i.e., more than 50%) that the defendant is liable for damages.

39
Q

What is mens rea? In what type of trial is mens rea relevant?

A

Mens rea ("guilty mind") is the mental state of intending to commit the act in question. It is generally relevant only in criminal cases.

40
Q

Can a person be tried separately in a criminal trial and later in a civil trial?

A

A person can be tried in a criminal trial, and then be later sued in civil court for damages by the victim.

41
Q

What is case law?

A

Case law is where judicial decisions set precedent for how laws may be interpreted in future trials.

42
Q

What are jurisdictions?

A

Jurisdictions are the areas of responsibility within which government bodies can make and enforce laws, and outside of which they are powerless.

43
Q

What is cyberlaw?

A

Cyberlaw is any law dealing with information technology.

44
Q

What are the three levels of the U.S. Federal Courts? Which levels can create precedent?

A

The three levels of the U.S. federal court system are the district courts, the circuit courts of appeals, and the Supreme Court. Both the circuit courts of appeals and the Supreme Court can create precedent.

45
Q

Does federal jurisdiction typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?

A

No. For cybercrime and hacking, federal jurisdiction applies only to crimes that affect interstate commerce or that involve litigants from different states.

46
Q

Who is likely to investigate a cybercrime that takes place within a city?

A

Local police will generally be the most likely to investigate a cybercrime that takes place within one city.

47
Q

Are international laws regarding cybercrime fairly uniform?

A

International laws regarding cybercrime vary widely.

48
Q

Why should companies that do business only within a country be concerned about international cyberlaw?

A

Even if a company deals only within one nation, they should still be concerned about international cyberlaw because they might still be attacked by someone from another nation.

49
Q

Why will courts not admit unreliable evidence?

A

Courts will not admit unreliable evidence because jurors are not expected to be able to evaluate the reliability of evidence.

50
Q

What is a computer forensics expert?

A

A computer forensics expert is a professional who has been trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.

51
Q

What type of witness is allowed to interpret facts for juries?

A

An expert witness is allowed to interpret facts for juries.

52
Q

Why should companies work with forensics professionals before they have a need for them?

A

Companies should work with forensics professionals before they have a need for them so as to understand in advance what will be required to use evidence at trial.

53
Q

What section of the U.S. Code prohibits hacking? What other attacks does it prohibit?

A

Section 1030 of Title 18 of the U.S. Code (18 U.S.C. § 1030, the Computer Fraud and Abuse Act) prohibits intentionally accessing a protected computer without authorization or in excess of authorization. It also prohibits "the transmission of a program, information, code, or command that intentionally causes damage without authorization to a protected computer."
In practice, that second prohibition covers malware and denial-of-service attacks.

54
Q

Does Section 1030 of the U.S. Code protect all computers?

A

Section 1030 of Title 18 defines protected computers as "government computers, financial institution computers, and any computer that is used in interstate or foreign commerce or communications." This is NOT all U.S. computers.

55
Q

What are damage thresholds?

A

Damage thresholds are minimum amounts of damage that must be reached before an attack counts as a violation of the statute.

56
Q

What types of acts does 18 U.S.C. 2511 prohibit?

A

18 U.S.C. § 2511 (the Wiretap Act) prohibits intercepting wire, oral, and electronic communications while they are in transit. Access to messages already received and held in storage is covered separately by the Stored Communications Act, 18 U.S.C. § 2701.

57
Q

What is an IDS?

A

An IDS, or Intrusion Detection System, is a set of software and hardware that captures suspicious network and host data activity in event logs and provides automatic tools to generate alarms, as well as query and reporting tools to help analysis.

58
Q

Is an IDS a preventative, detective, or restorative control?

A

An IDS is a detective control.

59
Q

What are false positives?

A

A false positive occurs when an IDS or similar system flags an attack or breach when there is not one.

60
Q

Why are false positives problems for IDSes?

A

False positives are problems for IDSes because they reduce trust in the system, and reduce the sense of urgency in flagged events.

61
Q

What are the four functions of an IDS?

A

The four major functions of an IDS are logging, automated analysis, administrator actions (Alarms, summary reports, logs), and management.

62
Q

What are the two types of analysis that IDSes usually do?

A

IDSes generally provide attack signature analysis (matching traffic or events against patterns of known threats) and anomaly detection (flagging deviations from normal behavior, which can catch new threats that have no signature yet).

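As an added example (not part of the original flashcards or the textbook they summarize), the two kinds of analysis run over a constructed web access log in Python. The log lines, the signature patterns and the per-second request threshold are all illustrative assumptions:

```python
"""Signature matching and anomaly (rate) detection over a constructed access log.
Added example; SAMPLE_LOG, SIGNATURES and RATE_THRESHOLD are assumptions."""
import re
from collections import Counter

# Constructed log lines (not real traffic): "<src_ip> <epoch_seconds> <request path>"
SAMPLE_LOG = """\
203.0.113.5 1000 /index.html
203.0.113.5 1001 /about.html
198.51.100.9 1002 /login.php?user=admin'%20OR%201=1--
198.51.100.9 1003 /index.html
192.0.2.77 1004 /a
192.0.2.77 1004 /b
192.0.2.77 1004 /c
192.0.2.77 1005 /d
192.0.2.77 1005 /e
192.0.2.77 1005 /f
192.0.2.77 1005 /g
203.0.113.5 1006 /contact.html
"""

# Signature rules: known-bad request patterns (a tautology-style SQL injection
# with either raw or URL-encoded characters, and a directory traversal marker).
SIGNATURES = {
    "sqli_tautology": re.compile(r"(%27|')\s*(%20|\s)*OR(%20|\s)+1=1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}

# Anomaly rule: more requests per second from one source than the baseline allows.
RATE_THRESHOLD = 3


def parse_line(line):
    src, ts, path = line.split(" ", 2)
    return {"src": src, "ts": int(ts), "path": path}


def signature_alerts(events):
    """Known threats: every event whose request matches a signature."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((name, ev["src"], ev["ts"]))
    return alerts


def anomaly_alerts(events, threshold=RATE_THRESHOLD):
    """New threats without a signature: sources whose per-second rate exceeds the baseline."""
    per_second = Counter((ev["src"], ev["ts"]) for ev in events)
    return sorted(
        (src, ts, n) for (src, ts), n in per_second.items() if n > threshold
    )


def analyze(log_text):
    """Run both analyses over raw log text and return the alarms each produced."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events)}


if __name__ == "__main__":
    for kind, alarms in analyze(SAMPLE_LOG).items():
        print(kind, alarms)
```

The injection attempt is caught only by the signature rule (its request rate is normal), and the burst from 192.0.2.77 is caught only by the anomaly rule (none of its requests matches a known pattern), which is why IDSes run both.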
63
Q

What information should alarms contain?

A

Alarms should contain a description of what the problem is, a way to test the alarm for accuracy, and advice on what the security administrator should do.

64
Q

What is the purpose of log summary reports?

A

Log summary reports contain listings of the various types of ongoing suspicious activity that didn’t merit an alarm.

65
Q

Describe interactive log file analysis.

A

Interactive log file analysis is the act of using tools to drill down into log files for a better level of understanding.

66
Q

What is the advantage of a distributed IDS?

A

A distributed IDS is able to collect data from many devices at once, allowing for a broader scope of analysis.

67
Q

Name the elements in a distributed IDS.

A

A distributed IDS has agents, which are programs that collect event data and store it in log files on the devices they monitor, and a manager, which is a program that integrates the data coming in from the agents on multiple monitored devices. The manager analyzes the integrated log file, generates alarms as needed, and allows for data queries.

68
Q

Distinguish between batch and real-time transfers for event data. What is the advantage of each?

A

Batch transfers of event data are scheduled transfers between an agent and its manager; real-time transfers send each event to the manager as soon as it is collected.
The advantage of batch transfer is that it is inexpensive and efficient and does not interrupt the manager often.
The advantage of real-time transfer is that if the agent's device is compromised, the manager already holds a log of all events right up to that point, which would not be the case with batching.

69
Q

What two types of communication must be secure in an IDS?

A

In an IDS, communications between agents and their manager must be secure, with authentication, integrity checking, confidentiality, and anti-replay protection.
Communication between the IDS vendor and the manager must also be secure.

70
Q

What information do NIDSs look at?

A

NIDSs, or Network IDSs, are agents of an IDS that look at the packets as they travel through the network.

71
Q

Distinguish between stand-alone NIDSs and switch- and router- based NIDSs.

A

Stand-alone NIDSs are boxes situated at specific points in the network, and read and analyze the network frames that pass by them. Switch- and router-based NIDSs are simply switches and routers that have IDS software tracking all ports.

72
Q

What are the strengths of NIDSs? What are the two weaknesses?

A

The key strength of NIDSs is that they see every packet passing through the specific points of the network where they sit, and they can subject those packets to deep analysis. The two weaknesses are that no firm can afford to place a NIDS on every network link, and that a NIDS cannot inspect encrypted traffic (a limitation firewalls share).

73
Q

What is the major attraction of a HIDS?

A

The major attraction of a HIDS, or host IDS, is that it runs on one specific host and reports in detail on what happens on that host, giving insight into events that a network sensor never sees.

74
Q

What are the two major weaknesses of host IDSs?

A

The first major weakness of host IDSs is that they are limited in scope to their host. The second major weakness is that, like their hosts, they may be compromised.

75
Q

List some things at which host operating system monitors look.

A

Host operating system monitors look at OS events, like:

Adding new executables, modifying them, changing the registry, the logs, system audit policies, and so on.

76
Q

Why are integrated log files good?

A

Integrated log files, that is, log files that combine data from many locations on the network, are good because they give a broad view of ongoing events and make large trends visible.

77
Q

Why are integrated log files difficult to create?

A

Integrated log files are difficult to create because it is very rare to be able to have all IDSs on a firm’s network be from the same vendor, leading to integration trouble.

78
Q

Explain the time synchronization issue for integrated log files.

A

The time synchronization issue for integrated log files refers to the fact that unless all the logs that go into building an integrated log file are in sync, it is almost impossible to focus in on a specific moment in the logs.

79
Q

How do companies overcome the time synchronization issue?

A

To overcome the time synchronization issue with integrated log files, companies use the Network Time Protocol (NTP), in which hosts synchronize their clocks to a common time server so that timestamps from different devices line up.

80
Q

What is event correlation.

A

Event correlation is a term for the analysis of multiple events in the search for signs of an attack.

81
Q

Distinguish between aggregation and event correlation.

A

Aggregation is the process of integrating log files from multiple devices, where event correlation is actually looking for signs in multiple events.

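An added example (not from the original flashcards or the textbook they summarize) that ties together aggregation, the time synchronization issue, and event correlation in Python. The two devices, their log formats, the addresses and the correlation rule are illustrative assumptions; the host srv1 is assumed to log in local time at UTC-05:00 with no zone marker, while the firewall logs in UTC:

```python
"""Aggregate records from two devices into one UTC timeline, then correlate.
Added example; the devices, formats, addresses and rule are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed records (not real logs).
#   fw   - firewall, ISO 8601 timestamps with an explicit UTC offset
#   srv1 - host syslog in local time (assumed UTC-05:00), no zone marker, no year
FW_LINES = """\
2024-03-01T14:00:05+00:00 fw DENY src=198.51.100.9 dst=10.0.0.5 dport=22
2024-03-01T14:00:40+00:00 fw DENY src=198.51.100.9 dst=10.0.0.6 dport=22
"""
SRV1_LINES = """\
Mar  1 09:00:20 srv1 sshd: Failed password for root from 198.51.100.9
Mar  1 09:00:45 srv1 sshd: Failed password for root from 198.51.100.9
Mar  1 09:01:10 srv1 sshd: Accepted password for root from 198.51.100.9
"""
SRV1_TZ = timezone(timedelta(hours=-5))   # assumed local zone of srv1
NAIVE_TZ = timezone.utc                   # what you get if you ignore the offset
LOG_YEAR = 2024                           # syslog carries no year; assume the firewall's


def parse_fw(line):
    ts, host, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "src": fields["src"],
            "event": "fw_deny" if action == "DENY" else "fw_allow"}


def parse_srv(line, tz):
    # Syslog header "Mar  1 09:00:20 srv1 ..." (split() absorbs the double space)
    mon, day, clock, host, *rest = line.split()
    ts = datetime.strptime(f"{LOG_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    msg = " ".join(rest)
    return {"ts": ts.replace(tzinfo=tz), "host": host, "src": msg.rsplit(" ", 1)[-1],
            "event": "auth_fail" if "Failed password" in msg else "auth_success"}


def aggregate(fw_text, srv_text, srv_tz=SRV1_TZ):
    """Aggregation: merge both devices' records into one timeline ordered by UTC time."""
    events = [parse_fw(l) for l in fw_text.splitlines() if l.strip()]
    events += [parse_srv(l, srv_tz) for l in srv_text.splitlines() if l.strip()]
    for ev in events:
        ev["ts"] = ev["ts"].astimezone(timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=2)):
    """Correlation: one source denied at the firewall, then failing and finally
    succeeding at a host, all within `window`, is reported as a single finding."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        denies = [e["ts"] for e in evs if e["event"] == "fw_deny"]
        fails = [e["ts"] for e in evs if e["event"] == "auth_fail"]
        for win in (e for e in evs if e["event"] == "auth_success"):
            start = win["ts"] - window
            if any(start <= t <= win["ts"] for t in denies) and \
               any(start <= t <= win["ts"] for t in fails):
                findings.append((src, win["host"], win["ts"].isoformat()))
    return findings


def run(srv_tz=SRV1_TZ):
    """Aggregate the sample logs with the given assumption about srv1's clock, then correlate."""
    return correlate(aggregate(FW_LINES, SRV1_LINES, srv_tz))


if __name__ == "__main__":
    print("synchronized:", run())
    print("srv1 offset ignored:", run(NAIVE_TZ))
```

Calling `run(NAIVE_TZ)` mimics a host whose clock is not reconciled with the firewall's: the same five records sort into the wrong order, the host events land five hours before the firewall denials, and `correlate` finds nothing. That is the time synchronization issue in miniature, and it is why NTP matters before any correlation is attempted.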
82
Q

Why is analyzing log file data difficult?

A

Analyzing log file data is difficult mostly because of the sheer, overwhelming amount of data to sift through.

83
Q

What is precision in an IDS?

A

Precision in an IDS refers to the principle that an IDS should report all attacks and as few false alarms as possible.

84
Q

What are false positives, and why are they bad?

A

False positives are false alarms generated by an IDS. They typically outnumber true alarms by a factor of ten to one, and they are bad because they waste analyst time and erode both trust in the system and the sense of urgency attached to its alarms.

85
Q

What are false negatives, and why are they bad?

A

False negatives are failures to report true attacks. These are obviously far more dangerous than false positives.

86
Q

How can tuning reduce the number of false positives?

A

Tuning can reduce the number of false positives by turning off unnecessary rules and reducing the severity level in the alarms generated by other rules.

87
Q

What does an IDS do if it cannot process all of the packets it receives?

A

When an IDS cannot process all of the packets it receives, it begins to skip packets.

88
Q

What may happen to an IDS if a system runs out of storage space?

A

When a system runs out of storage space, IDS will transfer its current log file to backup and begin a new log file. Unfortunately, events that span log files become difficult to analyze.

89
Q

What is a honeypot?

A

A honeypot is a faux network used to lure in attackers for study, or as a trap of some sort, I suppose.

90
Q

What do business continuity plans specify?

A

A business continuity plan specifies how a company plans to maintain or restore core business operations when disasters occur.

91
Q

Distinguish between business continuity plan and IT disaster recovery plans.

A

IT disaster recovery plans focus on restoring IT functionality after a disaster; business continuity plans focus on restoring core business functionality.

92
Q

What four protections can firms provide for people during an emergency?

A

The four protections firms can provide for people during an emergency are:

  • An evacuation plan
  • A safe environment
  • A way to identify missing persons
  • Counseling
93
Q

Why does human cognition in crises call for extensive pre-planning and rehearsal?

A

In emergencies, people’s ability to make good, sound decisions is hampered by urgency.

94
Q

Why is it necessary not to make plans and processes for crisis recovery too rigid?

A

In an emergency, if plans are too rigid, they likely won’t work, as no emergency is going to fit exactly to the plans laid out.

95
Q

List the four steps in business process analysis. Explain why each is important.

A

The four steps in business process analysis are:

  1. Identification of Business Processes and How They Link - If you don't know the processes and how they depend on one another, you have no way of bringing them back online in a workable order.
  2. Prioritization of Business Processes - Restore the most important processes first.
  3. Specify Resource Needs - Determine which resources each process needs so that resources can be allocated according to the prioritization.
  4. Specify Actions and Sequences - Have a precise plan in place for bringing business processes back online.
96
Q

Why are business continuity plans more difficult to test than incident response plans?

A

Business continuity plans are more difficult to test than incident response plans because the scope is far wider.

97
Q

Why is frequent plan updating important with business continuity plans?

A

It is important to update the business continuity plan often because the business itself shifts and changes constantly.

98
Q

Why must companies update contact information even more frequently?

A

Companies must update contact information frequently because telephone numbers and other contact information changes even more rapidly than other factors in a business.

99
Q

For what two reasons is a business continuity staff necessary?

A

Business continuity staff are in charge of managing the ever-changing business continuity plan, as well as for being operational managers during a disaster.

100
Q

What is IT disaster recovery?

A

IT disaster recovery is an examination of the technical aspects of how a company can get IT back into operation using backup facilities.

101
Q

Why is IT disaster recovery a business concern?

A

IT disaster recovery is a business concern because IT has a major impact on the business, so decisions about how and in what order to restore it are business decisions.

102
Q

What are the main alternatives for backup sites?

A

The main alternatives for backup facilities are as follows:

  • Hot Sites - A hot site is a site with power, HVAC, hardware, installed software, and up-to-date data. This site can begin operation with even a skeleton crew.
  • Cold Sites - A cold site is a physical facility with power and HVAC, and connections to the outside world, but no hardware, software, or data.
  • Site Sharing with Continuous Data Protection - Multiple facilities with hardware, software, and data, that can pick up the slack of a downed facility.
103
Q

Why is Continuous Data Protection necessary?

A

Continuous data protection is necessary because it allows for instantaneous recovery of a site, as all changes in data are shared via a high-capacity line.

104
Q

What three things should a firm do about disaster recovery planning for office PCs?

A

The three things that are necessary for recovery planning for office PCs are:

  1. Have data backups, with centralized storage.
  2. Have new computers for people to work with.
  3. Have a place for people to work until the office is restored.
105
Q

What must be done to restore data at a backup site via tapes? How does this change if a firm uses continuous data protection?

A

For backup to be restored from tape, the site getting the restore needs to have the necessary hardware to read from the tapes, and the tapes will need to be shipped there quickly and securely.
If the firm is using CDP, then no restore is necessary, as the backup is already ready to take over.