Chapter 11 Implementing policies to mitigate risks Flashcards

Implementing policies to mitigate risks

1
Q

What are the general policy categories?

A

Personnel management, data protection, training for personnel to raise security awareness, mitigate risk and reduce incidents.

2
Q

When it comes to computers and networks, what kind of policy applies?

A

Personnel policy, acceptable use policy, how to use them, responsibilities.

3
Q

What is the purpose of mandatory vacations? What type of policy is it? What other similar ideas achieve the same goal?

A

Personnel policy. It helps to detect when employees are involved in malicious activity such as fraud or embezzlement. Other: separation of duties (more than one person required for certain jobs) and job rotation.

4
Q

Only having the rights that you need to perform tasks, nothing more.

A

Principle of least privilege. A personnel policy

5
Q

An attacker sees an important document on a worker's desk as he walks past. He takes it, and this isn't found out until much later in the day. What would have prevented this?

A

Personnel policy of clean desk spaces. Protects sensitive data.

6
Q

During the interview process you know there is something important to inform the participant of. What does policy suggest you need to do before they are hired?

A

Background checks.

7
Q

What are onboarding and offboarding?

A

Onboarding = giving individuals access to the organization's resources AFTER hiring.

Offboarding = removing that access when they leave the company, and collecting any equipment.

8
Q

Using a personal Facebook account has implications for work. True or false? Why?

A

True. Social media analysis can affect work: the employer can monitor employee activity, which can also occur during background checks.

9
Q

What are the 3 different types of third-party agreements?

A

SLA - service level agreement: stipulates performance expectations, minimum uptime and downtime, etc. Includes $$ penalties.

MOU - memorandum of understanding: indicates the parties' intention to work together on a common goal. Less formal than an SLA. Doesn't include penalties ($$).

BPA - business partners agreement: a written agreement that details the relationship between business partners, identifies the shares of profits or losses each partner takes, their responsibilities, etc.

10
Q

Security incident vs. data breach

A

Security incident - any adverse event that affects the confidentiality, integrity or availability of data/systems.

Data breach - unauthorized entities (e.g. an attacker) access data.

11
Q

A formal, coordinated plan that personnel can use when responding to a security breach? And what are 3 things it might include (general description)?

A

Incident response plan. It might include: incident plans depending on incident type (real vs. suspected), a response team outline, and the roles and responsibilities of each member.

12
Q

What is the purpose of a communication plan within an incident response plan?

A

To communicate issues related to an incident. Created before an incident. Should include:
1) First responders
2) Internal communication (senior staff)
3) Reporting requirements (to external entities, if applicable)
4) External communication (who can say what to the media etc., or refer internally)
5) Law enforcement (help, security tools etc.)
6) Customer communication (inform of breach etc.)

13
Q

What are some common phases of an incident response process?

A

Preparation, identification, containment, eradication, recovery, lessons learned.

14
Q

What is involved within the preparation stage of an incident response process?

A

Preparation - guidance to personnel on how to respond (establishing and maintaining an incident response plan, and procedures to prevent incidents, such as security controls).

15
Q

If an incident occurs, a response process tells us we first need to do what?

A

Validate whether it is actually a security incident. This is identification: is it a false positive, or real?

16
Q

What is isolating an incident, and which step is it?

A

Containment (step 3): protect critical systems while maintaining business operations. A device might be quarantined or removed from the network.

17
Q

After isolating, what step is necessary to take?

A

Eradication: removing all components of the attack, such as malware etc., or deleting/disabling all involved accounts.

18
Q

What are the last two steps of an incident response process?

A

Recovery and lessons learned. We return all affected systems to normal operation and verify it. Patch any vulnerabilities etc.

Then perform a reflection/review: how does this modify things in the future, do we need additional training, etc.

19
Q

What can SOAR tools do? Why might they be used by organizations?

A

Secure orchestration, automation and response. They can respond automatically, freeing up time for other staff. It is a combination of tools to detect and respond to suspicious activity. This can be from phishing emails, network traffic etc. It's like a centralized place for many security tools that work together. Uses a playbook and runbook.

20
Q

Playbook vs. runbook

A

Playbook (depends on what it is for); for example, a playbook on phishing is a checklist of what to check. It is general guidelines for each thing it is associated with.

A runbook includes the technical details, implementing the guidelines using the tools available. It might quarantine or delete a suspected phishing email, or forward its attachment to a sandbox and run it to check. The runbook automates this, or it might assign it to an administrator to investigate.

21
Q

In digital forensics, evidence is used to implicate people in crimes, but only if…

A

…proper procedures are followed. Evidence must be controlled and maintained in an untampered state.

22
Q

What is a chain of custody? How is it applied?

A

It is a process ensuring that evidence has been controlled and handled properly. All control is documented: where it was stored, when it was handled. Evidence needs to be controlled, e.g. via a secure safe.

23
Q

Sources of forensic information?

A

Video, interviews, logs (event, device, network, DNS) are just a few.

24
Q

How might logs be used for forensic investigation?

A

They give good information on WHEN (time) and WHAT (purpose), etc.

25
Q

What does a forensic report usually entail?

A

TTP (tactics, techniques and procedures)
List of findings
Forensic tools used in the investigation
List of evidence collected and analyzed
Findings derived from analyzing each piece of evidence
Recommendations

It is not meant to be a legal document.

26
Q

What is a right-to-audit clause used for?

A

Used in contracts, particularly for cloud service providers. It allows the customer to audit records and ensure the CSP is implementing adequate security.

27
Q

What are some issues with cloud providers and forensics?

A

The data might be stored somewhere else; they are a third party; security; regulatory jurisdiction (complying with country laws about data).

28
Q

Contacting people after a data breach occurs may depend on the ________ of that _________

A

…laws of that country (such as within 45 days, etc.).

29
Q

What is an order of volatility? Give an example of this order.

A

The order in which you should collect evidence, based on what is least to most volatile.
Most -> cache memory, RAM, swap or pagefiles (an extension of RAM), disk, attached devices (USB), network files/folders.

30
Q

What is an artifact? Some examples?

A

Pieces of data the regular user is unaware of. Recycle bin (deleted files), web history, Windows error reporting, remote desktop protocol (RDP) cache.

31
Q

WinHex?

A

Windows-based hexadecimal editor used for gathering evidence, data analysis, editing, recovery of data and data removal.

32
Q

FTK imager?

A

Can capture an image of a disk as a single file or multiple files, saving the image in various formats. Can view and analyze data within the image.

33
Q

Autopsy?

A

GUI digital forensics platform. Adds utilities from The Sleuth Kit (TSK), which is a library and collection of Unix- and Windows-based utilities for extracting data from disk drives and other storage.

34
Q

What does integrity mean in forensics?

A

It means the need to ensure data hasn't been modified, usually verified after capturing an image or any data in an investigation using a hash or checksum.

35
Q

What are dd and memdump?

A

The dd command is a data duplicator and memdump is a memory dumper; they don't modify the data during the capture process.

36
Q

What is a term used for the identification and collection of electronically stored information?

A

eDiscovery

37
Q

What are some metadata types that are important to store?

A

File, email, web, mobile.

38
Q

A user deletes and reformats their drive in case they get caught. What can a digital forensic specialist do?

A

They can unformat and undelete files using tools. This is why drives need to be sanitized.

39
Q

What is digital strategic intelligence, and what is its use case?

A

Collecting, processing, and analyzing digital forensic data to create long-term cyber security goals. Observing TTPs used by attackers.

40
Q

What's the purpose of a data policy?

A

Assists in reducing data exfiltration, protection of data and preventing data leakage.

41
Q

Data policies may classify information. What are some examples?

A

Top secret, secret, confidential or public data; private, confidential, financial.

42
Q

What is PII?

A

Personally identifiable information. It can include anything that identifies an individual: health info, driver's licence, personal characteristics etc. Requires 2 or more pieces of information to make it PII.

43
Q

What is NIST 800-122?

A

Guide to protecting confidentiality of personally identifiable information.

44
Q

What is the data policy called that requires organizations to limit the information they collect and use?

A

Data minimization

45
Q

Hiding sensitive information can be done in several ways. What are they and why would you use each?

A

Data masking: hides PII; retains usable data but may substitute it all into a fictional character, for example, like an interview. PERMANENTLY replaces it with inauthentic data. Use case: just a statistic, no need to contact.

Anonymization: modifies data by removing all PII, but keeps the important information it was collected for. Minimal info required.

Pseudo-anonymization: same as above but uses pseudonyms instead. This may be used when they still want to convert it back to the original data for contact.

Tokenization: sensitive data elements are replaced with a token, a substitute value used in place of the sensitive data. For example, CC information is converted to a token; the phone app sends the token to the credit processor, which uses the token to retrieve the data and process the payment.

46
Q

How long can you actually keep the data?

A

Depends on the data retention policy.

47
Q

List methods used in data sanitization

A

File shredding, wiping (disk wiping tool), erasing and overwriting, burning, pulping, pulverizing/smashing, degaussing, and third parties.

48
Q

What are some methods for training users in security?

A

Computer-based training (CBT) like courses, web-based training, videos, quizzes.

Phishing campaigns - education.

Phishing simulations - trying to get users to click, to see if they need training.

Gamification - use of games to get courses/online training done.

49
Q

There are several roles involved in the data process. What are they?

(All the roles of people who deal with data.)

A

Data owner - ensures data is classified and has adequate security controls to protect it. I OWN IT, IT IS SPECIAL, I PUT A LOCK ON IT.

Data controller - decides why and how data should be processed (in many cases data owner and controller are the same). I CONTROL HOW IT IS USED AND WHY.

Data processor - uses and manipulates data on behalf of the controller. I PROCESS/USE IT.

Data custodian/steward - backing up data, storage, and implementation of it. "A person who has responsibility for taking care of or protecting something."

Data protection officer - ensures the organization complies with all laws. I'M THE POLICE. OBEY THE LAW.
