Chapter 13 Dealing with Incidents Flashcards

1
Q

What are the four major topic areas covered by the "Dealing with Incidents" chapter for the Security+ SY0-601 exam?

A

Incident Response, Digital Forensics, Continuity of Operations, and Disaster Recovery.

2
Q

What does incident response involve?

A

Planning and setting up teams to respond to security incidents and involving the right stakeholders.

3
Q

What is digital forensics?

A

Collecting and securing evidence from compromised systems or incidents following legal procedures.

4
Q

What is continuity of operations?

A

Developing strategies and plans to ensure business operations can continue during disruptive events.

5
Q

What is disaster recovery?

A

Restoring systems and operations to normalcy after a disruptive event or incident.

6
Q

What is an Incident Response Plan (IRP)?

A

An IRP is a document that outlines the step-by-step procedures to respond to security incidents effectively.

7
Q

What triggers the activation of an incident response plan?

A

Indicators of compromise (IOCs) or suspicious activities such as excessive traffic, unknown devices on the network, or alerts from intrusion detection systems.

8
Q

What are the objectives of an incident response plan?

A

Detecting, containing, eradicating, and recovering from security incidents.

9
Q

How can an incident response plan be improved?

A

Through periodic reviews, assigning roles and responsibilities, regular training and drills, and incorporating lessons learned from previous incidents.

10
Q

Can incident response be automated?

A

Yes. Parts of incident response can be automated, for example by intrusion prevention systems that drop traffic matching predefined rules, or by scripts that carry out containment steps. Automated actions should be limited to high-confidence cases so that a false positive does not turn the response into an outage.

11
Q

What is the Cyber Kill Chain?

A

The Cyber Kill Chain is a framework, originally published by Lockheed Martin, used to trace the steps an attacker takes in a successful compromise or data breach. The original model has seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Some training material, including this deck's source, uses an expanded eight-phase variant: reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation (anti-forensics), denial of service, and exfiltration.

12
Q

What is the purpose of analyzing security incidents using the Cyber Kill Chain?

A

The analysis helps identify how the attack occurred and what steps were taken by the attacker. This knowledge can be used to prevent similar incidents from happening in the future.

13
Q

What is the MITRE ATT&CK framework?

A

The MITRE ATT&CK framework is a publicly available knowledge base of adversary tactics (the attacker's goals) and techniques and sub-techniques (how each goal is achieved), compiled from real-world observations. Analysts map observed behaviour onto it to detect and analyse threats, understand how attackers operate once they have exploited a vulnerability, and identify gaps in their defences.

14
Q

What is the Diamond Model?

A

The Diamond Model describes an intrusion event through four connected features: the adversary, the capability (malware or tooling) the adversary used, the infrastructure it was delivered through or controlled from, and the victim. Analysts pivot between these features when examining how an adversary exploited a vulnerability during an incident.

15
Q

What is Security Orchestration, Automation, and Response (SOAR)?

A

SOAR is a platform that automates incident response using playbooks (scripted workflows). It reduces incident response time and can automate tasks such as enriching alerts, remediation, and configuration changes (for example, blocking an IP address at the firewall) during an attack.
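Worked example for cards 10 and 15 (added to this deck; not from the source material): a minimal SOAR-style playbook that parses IDS alert lines, decides on containment, and refuses to auto-block allowlisted hosts. The alert format, rule IDs, thresholds and allowlist are assumptions, and the alert lines are constructed rather than captured from a real sensor.

```python
"""Minimal SOAR-style playbook: IDS alerts in, containment decisions out.
Alert format, thresholds and the allowlist are assumptions for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed alerts in a Snort/Suricata "fast log" style (hypothetical data).
SAMPLE_ALERTS = """\
03/14-09:12:01.120 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22
03/14-09:12:01.430 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.11:22
03/14-09:12:02.002 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.45:51236 -> 192.0.2.12:22
03/14-09:13:10.555 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Priority: 1] {TCP} 192.0.2.10:22 -> 198.51.100.7:40112
03/14-09:14:00.000 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 192.0.2.5:40000 -> 192.0.2.10:22
03/14-09:14:00.010 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 192.0.2.5:40001 -> 192.0.2.11:22
03/14-09:14:00.020 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 192.0.2.5:40002 -> 192.0.2.12:22
this line is garbage and must not produce an action
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    sid: str
    msg: str
    prio: int
    src: str
    dst: str

def parse_alerts(text: str) -> list:
    """Parse fast-log lines; lines that do not match the format are skipped so a
    malformed line can never drive a containment action."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(Alert(m["ts"], m["sid"], m["msg"], int(m["prio"]), m["src"], m["dst"]))
    return alerts

# Hosts the playbook must never block automatically (assumed: the internal
# vulnerability scanner). Blocking them would be a self-inflicted outage.
ALLOWLIST = {"192.0.2.5"}
SCAN_THRESHOLD = 3   # distinct targets scanned by one source before containment

def decide(alerts, allowlist=ALLOWLIST, scan_threshold=SCAN_THRESHOLD) -> list:
    """Return (action, target, reason) tuples; every decision carries a reason
    so the ticket and audit trail explain why the automation acted."""
    actions = []
    targets_by_src = defaultdict(set)
    for a in alerts:
        if a.prio == 1 and a.src not in allowlist:
            # Priority 1: an internal host answered a session as root -> isolate it
            actions.append(("isolate_host", a.src, a.msg))
        if "SCAN" in a.msg:
            targets_by_src[a.src].add(a.dst)
    for src, targets in targets_by_src.items():
        if len(targets) >= scan_threshold:
            if src in allowlist:
                actions.append(("ticket_only", src, "scan from allowlisted host"))
            else:
                actions.append(("block_ip", src, f"scanned {len(targets)} hosts"))
    return actions

if __name__ == "__main__":
    for action in decide(parse_alerts(SAMPLE_ALERTS)):
        print(action)
```

The external scanner crosses the threshold and is blocked, the compromised internal host is isolated, and the allowlisted scanner only generates a ticket; the garbage line is ignored by the parser rather than guessed at.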

16
Q

What is digital forensics?

A

Digital forensics is the application of computer science to collect, preserve, and analyze digital evidence for legal purposes. It involves following proper evidence gathering and retention policies to ensure the admissibility of the evidence in a court of law.

17
Q

What is e-discovery?

A

E-discovery, or electronic discovery, refers to the process of discovering and collecting electronic information for legal purposes. It involves identifying and preserving relevant data, whether stored on premises or in the cloud, during the legal discovery phase.

18
Q

How does digital forensics apply to mobile devices?

A

In mobile device forensics, techniques are used to preserve the state of a smartphone or mobile device during the collection of evidence. This can include enabling airplane mode, using Faraday bags to block wireless communications, and having mobile charging units to prevent the device from running out of power during the forensic analysis.

19
Q

What is steganography?

A

Steganography is a form of obfuscation where data or files are hidden within other seemingly innocent files, such as embedding a secret file within a JPEG image. Digital forensic analysts need to be aware of steganography techniques and tools to detect and analyze such hidden information.

20
Q

Why is proper evidence preservation important in digital forensics?

A

Proper evidence preservation ensures that the collected digital evidence is admissible in a court of law. Following legal procedures and maintaining the integrity of the evidence, such as through hashing, helps establish its authenticity and prevents it from being deemed inadmissible due to improper collection or tampering.

21
Q

What is digital forensics?

A

Digital forensics is the application of computer science to the collection, preservation, and analysis of evidence for legal use.

22
Q

Why is chain of custody important in digital forensics?

A

Chain of custody is important in digital forensics to document the acquisition, storage, and retention of evidence, ensuring its admissibility in a court of law.

23
Q

What is the purpose of forensic imaging in digital forensics?

A

Forensic imaging involves creating a bit-level copy of storage media to preserve the original state of evidence for analysis without modifying the original media.

24
Q

How can hashing be used in digital forensics?

A

Hashing produces a fixed-length digest (for example SHA-256) of the evidence; any change to the data, even a single bit, yields a different digest. The hash is recorded when the evidence is acquired and recomputed after analysis, and whenever custody changes, to prove the evidence was not altered.

25
Q

What is the order of volatility in evidence collection?

A

The order of volatility is the rule that evidence is collected from the most volatile sources first, because they are lost soonest: CPU registers and cache, then RAM and network state (connections, routing and ARP tables, running processes), then temporary files and disk, and finally remote logs and archival media or backups.

26
Q

What are some common forensics tools used in digital forensics?

A

Common forensics tools include FTK Imager, Autopsy, WinHex, and others, which are used to analyze forensic images, recover deleted files, and examine file systems.

27
Q

How does steganography relate to digital forensics?

A

Steganography is a form of obfuscation where information is hidden within other files. Digital forensics analysts need to be aware of steganography techniques when examining evidence.
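Worked example for cards 19 and 27 (added to this deck; not from the source material): least-significant-bit (LSB) steganography on an 8-bit grayscale image held as a bytearray, plus a crude LSB-plane check an analyst might use to spot it. The cover image is a constructed gradient, and the transition-rate heuristic is an illustration, not a production steganalysis method.

```python
"""LSB steganography embed/extract on a constructed grayscale image, with a
simple LSB-plane heuristic. Cover data and heuristic are assumptions."""

def make_cover(width: int = 64, height: int = 64) -> bytes:
    # Constructed cover: smooth plateaus, so the LSB plane has long runs of equal bits.
    return bytes(((x // 4) + (y // 8)) & 0xFF for y in range(height) for x in range(width))

COVER = make_cover()
PAYLOAD = b"meet at 0300"   # constructed secret

def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Hide payload in bit 0 of consecutive pixels, prefixed with a 32-bit
    big-endian length so the extractor knows where to stop."""
    msg = len(payload).to_bytes(4, "big") + payload
    if len(msg) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(msg)):
        stego[idx] = (stego[idx] & 0xFE) | bit    # only the lowest bit of the pixel changes
    return stego

def _read_bytes(img: bytes, start_pixel: int, n: int) -> bytes:
    out = bytearray()
    for b in range(n):
        val = 0
        for i in range(8):
            val = (val << 1) | (img[start_pixel + b * 8 + i] & 1)
        out.append(val)
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Read the length header from the first 32 pixels, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)

def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change; 1 for LSB embedding, i.e. invisible to the eye."""
    return max(abs(x - y) for x, y in zip(a, b))

def lsb_transition_rate(img: bytes, n_pixels: int) -> float:
    """Fraction of adjacent pixel pairs whose LSBs differ over the first n pixels.
    Smooth regions score low; embedded data pushes the rate toward 0.5."""
    lsb = [p & 1 for p in img[:n_pixels]]
    return sum(a != b for a, b in zip(lsb, lsb[1:])) / (len(lsb) - 1)

if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    n = (4 + len(PAYLOAD)) * 8
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max_pixel_delta(COVER, stego))
    print("LSB transition rate before/after: %.2f / %.2f"
          % (lsb_transition_rate(COVER, n), lsb_transition_rate(stego, n)))
```

The file keeps its size and looks identical, so only a hash comparison against a known-good copy or a statistical look at the LSB plane reveals the change; that is why known-file hash sets and steganalysis tools belong in the forensic workflow.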

28
Q

What is the role of write blockers in digital forensics?

A

Write blockers are hardware or software tools that allow a storage device to be read but not written to during evidence acquisition, ensuring that the original evidence is not accidentally modified (for example by the operating system mounting the drive) and that its hash still matches.

29
Q

What is e-discovery in the context of digital forensics?

A

E-discovery refers to the discovery and retrieval of electronic information, often related to legal investigations, including data stored on premises or in the cloud.

30
Q

Why is documentation and metadata important in digital forensics?

A

Documentation and metadata help establish the chain of custody, record acquisition details, and provide necessary information for legal purposes, ensuring the integrity and admissibility of evidence.
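Worked example for cards 22, 23, 24 and 30 (added to this deck; not from the source material): a bit-level acquisition of a "device", hashed while it is read and again afterwards, with every step written to a chain-of-custody record. The device is a constructed bytes object so the script runs offline; the evidence ID, handler name and record layout are assumptions.

```python
"""Forensic acquisition with SHA-256 verification and a chain-of-custody log.
The device bytes, evidence ID and record layout are assumptions for this example."""
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed stand-in for a block device as exposed read-only through a write blocker.
DEVICE = bytes(range(256)) * 64 + b"\x00" * 1024 + b"deleted-invoice.pdf" + b"\xff" * 128
EVIDENCE_ID = "EVD-0001"   # hypothetical case identifier
BLOCK_SIZE = 4096

def sha256_of_stream(stream, block_size: int = BLOCK_SIZE) -> str:
    """Hash a binary stream block by block; memory use stays flat for large images."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(block_size), b""):
        h.update(chunk)
    return h.hexdigest()

def acquire_image(device_stream, block_size: int = BLOCK_SIZE):
    """Bit-level copy of every block, including zeroed/unallocated space. The
    source is hashed as it is read and the image is hashed again afterwards so
    the two digests can be compared independently."""
    src_hash = hashlib.sha256()
    image = io.BytesIO()
    for chunk in iter(lambda: device_stream.read(block_size), b""):
        src_hash.update(chunk)
        image.write(chunk)
    image.seek(0)
    image_digest = sha256_of_stream(image)
    return image.getvalue(), src_hash.hexdigest(), image_digest

def custody_record(evidence_id: str, action: str, handler: str, digest: str, notes: str = "") -> dict:
    """One chain-of-custody entry: who did what to which item, when, and its hash."""
    return {"evidence_id": evidence_id, "action": action, "handler": handler,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": digest, "notes": notes}

def verify_image(image_bytes: bytes, expected_digest: str) -> bool:
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return sha256_of_stream(io.BytesIO(image_bytes)) == expected_digest

def run_acquisition(device_bytes: bytes = DEVICE, handler: str = "analyst-1"):
    log = []
    image, src_digest, img_digest = acquire_image(io.BytesIO(device_bytes))
    match = src_digest == img_digest
    log.append(custody_record(EVIDENCE_ID, "acquired", handler, img_digest,
                              "source hash matches image" if match else "HASH MISMATCH: re-acquire"))
    # Analysis happens on the image (or a working copy of it), never on the original.
    still_intact = verify_image(image, img_digest)
    log.append(custody_record(EVIDENCE_ID, "verified-after-analysis", handler,
                              img_digest if still_intact else "MISMATCH"))
    return still_intact and match, img_digest, log

if __name__ == "__main__":
    intact, digest, log = run_acquisition()
    print(json.dumps(log, indent=2))
    print("image intact:", intact)
```

Each record carries the evidence ID, the handler, a UTC timestamp and the hash, which is exactly the metadata a court will ask for when the image is presented; a single altered byte in the image makes the post-analysis verification fail.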

31
Q

What is the purpose of a business continuity plan?

A

The purpose of a business continuity plan is to ensure that business operations can continue in the event of a negative disruption, such as a malware outbreak, server failure, or network outage.

32
Q

How does a disaster recovery plan differ from a business continuity plan?

A

A disaster recovery plan (DRP) is more specific and focuses on recovering individual subsystems or components, such as servers or corrupted files, whereas a business continuity plan (BCP) is a broader plan that addresses the overall continuity of operations.

33
Q

How does the order of volatility relate to disaster recovery?

A

It does not, strictly speaking. The order of volatility is a digital forensics principle (see card 25): evidence is collected from the most volatile sources first, such as CPU registers and RAM, before less volatile sources like disk and backups, so that nothing is lost before it is captured. Disaster recovery instead prioritises which systems and data to restore first according to their criticality, which is defined in the disaster recovery plan rather than by volatility.

34
Q

What are the three types of disaster recovery sites?

A

The three types of disaster recovery sites are hot sites, warm sites, and cold sites.

35
Q

What is a hot site in disaster recovery?

A

A hot site is an alternate location with pre-configured hardware, software, networking, and up-to-date data. It allows for a quick switch-over time but requires more planning and maintenance.

36
Q

What is a warm site in disaster recovery?

A

A warm site is an alternate location with hardware, software, and networking, but it does not have up-to-date data. It requires time to transfer data and has a longer switch-over time compared to a hot site.

37
Q

What is a cold site in disaster recovery?

A

A cold site is an alternate location with only basic facilities (space, power, cooling and possibly network connectivity) but no pre-installed hardware, software, or current data. It has the longest switch-over time but is the least expensive of the three.

38
Q

How does the public cloud serve as an alternate site for disaster recovery?

A

Many organizations use the public cloud as an alternate site for disaster recovery by moving their IT operations to cloud servers. This provides flexibility and scalability in case of a disaster at the primary site.

39
Q

What factors should be considered in a site risk assessment?

A

A site risk assessment should consider factors such as the likelihood of natural disasters, geographical location, proximity to potential threats, and the vulnerability of the site’s infrastructure and personnel.

40
Q

What are some key organizational policies related to disaster recovery?

A

Organizational policies related to disaster recovery may include change management policies, asset management policies, and security policies, which help ensure the effective implementation of disaster recovery plans.

41
Q

What is the purpose of data backups?

A

The purpose of data backups is to ensure the availability of company data in the event of a disaster or data loss. Backups allow for the restoration of data to minimize downtime and maintain business continuity.

42
Q

Where can backups be stored?

A

Backups can be stored on premises using backup devices, in offsite locations such as fireproof safes or remote facilities, or in the public cloud. Network storage devices, such as network-attached storage (NAS) or storage area networks (SAN), can also be used for backup storage.

43
Q

What are the different types of backups?

A

The main types are full, incremental, and differential backups. A full backup copies all selected data; an incremental backup copies only data changed since the most recent backup of any type (full or incremental); a differential backup copies all data changed since the last full backup, so each differential grows until the next full backup.

44
Q

What is the purpose of the archive bit in backup?

A

The archive bit is a file attribute that is set whenever a file is created or modified and indicates that it needs to be backed up. Backup software uses it to select files: full and incremental backups clear the bit after copying a file, while a differential backup copies every file with the bit set but leaves it set, which is why a differential always contains everything changed since the last full backup.
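Worked example for cards 43 and 44 (added to this deck; not from the source material): a simulation of full, incremental and differential backups driven by the archive bit, showing which files each run copies, which runs clear the bit, and how many backup sets a restore needs. The file names and the day-by-day change pattern are constructed; the model assumes a single strategy is used after each full backup.

```python
"""Archive-bit driven backup simulation: full vs incremental vs differential.
File names and the change pattern are constructed for this example."""
from dataclasses import dataclass, field

@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True   # set on creation and on every modification

@dataclass
class BackupSet:
    kind: str
    day: int
    contents: dict = field(default_factory=dict)   # file name -> version copied

def run_backup(files: dict, kind: str, day: int) -> BackupSet:
    """Copy files according to the backup type. Full and incremental runs clear
    the archive bit; a differential leaves it set, so the next differential again
    captures everything changed since the last full."""
    bs = BackupSet(kind, day)
    for f in files.values():
        if kind == "full" or f.archive:
            bs.contents[f.name] = f.version
            if kind in ("full", "incremental"):
                f.archive = False
    return bs

def modify(files: dict, name: str) -> None:
    files[name].version += 1
    files[name].archive = True

def restore_chain(history: list) -> list:
    """Backup sets needed to rebuild the latest state, oldest first. Assumes one
    strategy (all incremental or all differential) is used after each full."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    chain = [history[last_full]]
    after = history[last_full + 1:]
    if after and after[-1].kind == "differential":
        chain.append(after[-1])                                   # full + latest differential
    else:
        chain.extend(b for b in after if b.kind == "incremental")  # full + every incremental
    return chain

def restore(history: list) -> dict:
    state = {}
    for b in restore_chain(history):   # newer sets overwrite older versions
        state.update(b.contents)
    return state

def simulate(strategy: str):
    """Day 0 full backup, then one change per day followed by a backup of the given type."""
    files = {n: File(n) for n in ("hr.db", "web.conf", "notes.txt")}
    hist = [run_backup(files, "full", 0)]
    modify(files, "hr.db")
    hist.append(run_backup(files, strategy, 1))
    modify(files, "notes.txt")
    hist.append(run_backup(files, strategy, 2))
    return files, hist

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        files, hist = simulate(strategy)
        print(strategy, [b.contents for b in hist], "restore needs", len(restore_chain(hist)), "sets")
```

Both strategies restore the same final state, but the incremental chain needs the full plus every incremental since, while the differential restore needs only the full and the most recent differential, at the cost of each differential growing until the next full backup.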

45
Q

How can virtual machines be backed up?

A

Virtual machines can be backed up by taking snapshots, which capture the state of the VM (its disk and optionally its memory) at a specific point in time. Snapshots are useful for quick rollbacks, but they normally live on the same storage as the VM itself, so a proper backup of the VM data to separate storage should still be performed to protect against storage failure.

46
Q

What factors should be considered when configuring backups?

A

Factors to consider when configuring backups include the volume of data, compression options, encryption requirements, backup frequency (based on the recovery point objective), and the selection of specific folders or files to be backed up.

47
Q

What is the purpose of the recovery point objective (RPO)?

A

The recovery point objective (RPO) defines the maximum tolerable amount of data loss that an organization can sustain. It helps determine the frequency and timing of backups to ensure that data loss is within acceptable limits.

48
Q

How can backups be configured in Windows 10?

A

In Windows 10, backups are configured through Settings > Update & Security > Backup, which uses File History. Users choose the backup drive, select the folders to include or exclude, set the backup frequency (e.g., every hour, every three hours), and choose how long saved versions are kept; files are restored from the same File History interface.