Chapter 13 Dealing with Incidents

Question 1

What are the four major objectives for incident response in the Security+ SY0-601 exam?

Answer 1

Incident Response, Digital Forensics, Continuity of Operations, and Disaster Recovery.

Question 2

What does incident response involve?

Answer 2

Planning and setting up teams to respond to security incidents and involving the right stakeholders.

Question 3

What is digital forensics?

Answer 3

Collecting and securing evidence from compromised systems or incidents following legal procedures.

Question 4

What is continuity of operations?

Answer 4

Developing strategies and plans to ensure business operations can continue during disruptive events.

Question 5

What is disaster recovery?

Answer 5

Restoring systems and operations to normalcy after a disruptive event or incident.

Question 6

What is an Incident Response Plan (IRP)?

Answer 6

An IRP is a document that outlines the step-by-step procedures to respond to security incidents effectively.

Question 7

What triggers the activation of an incident response plan?

Answer 7

Indicators of compromise (IOCs) or suspicious activities such as excessive traffic, unknown devices on the network, or alerts from intrusion detection systems.

Question 8

What are the objectives of an incident response plan?

Answer 8

Detecting, containing, eradicating, and recovering from security incidents.

Question 9

How can an incident response plan be improved?

Answer 9

Through periodic reviews, assigning roles and responsibilities, regular training and drills, and incorporating lessons learned from previous incidents.

Question 10

Can incident response be automated?

Answer 10

Yes, incident response can involve automated responses based on predefined configurations in intrusion prevention systems or scripting.

Question 11

What is the Cyber Kill Chain?

Answer 11

The Cyber Kill Chain is a framework used to trace the steps taken by attackers in a successful compromise or data event. It consists of eight phases: reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation, denial of service, and exfiltration.

Question 12

What is the purpose of analyzing security incidents using the Cyber Kill Chain?

Answer 12

The analysis helps identify how the attack occurred and what steps were taken by the attacker. This knowledge can be used to prevent similar incidents from happening in the future.

Question 13

What is the MITRE ATT&CK framework?

Answer 13

The MITRE ATT&CK framework is a model used to detect and analyze threats by identifying the techniques and tactics employed by adversaries. It helps understand how attackers exploit vulnerabilities and provides insights for improving security measures.

Question 14

What is the Diamond Model?

Answer 14

The Diamond Model is a visualization of the relationships and interactions among the attacker, victim, infrastructure, and capabilities of the adversaries. It helps analyze security incidents by examining how adversaries exploited vulnerabilities.

Question 15

What is Security Orchestration, Automation, and Response (SOAR)?

Answer 15

SOAR is a solution that automates incident response by using scripts and workflows. It helps reduce incident response time and can automate tasks such as remediation and configuration changes during an attack.

Question 16

What is digital forensics?

Answer 16

Digital forensics is the application of computer science to collect, preserve, and analyze digital evidence for legal purposes. It involves following proper evidence gathering and retention policies to ensure the admissibility of the evidence in a court of law.

Question 17

What is e-discovery?

Answer 17

E-discovery, or electronic discovery, refers to the process of discovering and collecting electronic information for legal purposes. It involves identifying and preserving relevant data, whether stored on premises or in the cloud, during the legal discovery phase.

Question 18

How does digital forensics apply to mobile devices?

Answer 18

In mobile device forensics, techniques are used to preserve the state of a smartphone or mobile device during the collection of evidence. This can include enabling airplane mode, using Faraday bags to block wireless communications, and having mobile charging units to prevent the device from running out of power during the forensic analysis.

Question 19

What is steganography?

Answer 19

Steganography is a form of obfuscation where data or files are hidden within other seemingly innocent files, such as embedding a secret file within a JPEG image. Digital forensic analysts need to be aware of steganography techniques and tools to detect and analyze such hidden information.

Question 20

Why is proper evidence preservation important in digital forensics?

Answer 20

Proper evidence preservation ensures that the collected digital evidence is admissible in a court of law. Following legal procedures and maintaining the integrity of the evidence, such as through hashing, helps establish its authenticity and prevents it from being deemed inadmissible due to improper collection or tampering.

Question 21

What is digital forensics?

Answer 21

Digital forensics is the application of computer science to the collection, preservation, and analysis of evidence for legal use.

Question 22

Why is chain of custody important in digital forensics?

Answer 22

Chain of custody is important in digital forensics to document the acquisition, storage, and retention of evidence, ensuring its admissibility in a court of law.

Question 23

What is the purpose of forensic imaging in digital forensics?

Answer 23

Forensic imaging involves creating a bit-level copy of storage media to preserve the original state of evidence for analysis without modifying the original media.

Question 24

How can hashing be used in digital forensics?

Answer 24

Hashing is used to generate unique values (hashes) that can verify the integrity of the original evidence. Hashes can be compared before and after analysis to ensure no tampering has occurred.

Question 25

What is the order of volatility in evidence collection?

Answer 25

The order of volatility refers to the prioritization of evidence collection, starting with volatile data like CPU registers and RAM, before moving to less volatile data such as temporary files or backups.

Question 26

What are some common forensics tools used in digital forensics?

Answer 26

Common forensics tools include FTK Imager, Autopsy, WinHex, and others, which are used to analyze forensic images, recover deleted files, and examine file systems.

Question 27

How does steganography relate to digital forensics?

Answer 27

Steganography is a form of obfuscation where information is hidden within other files. Digital forensics analysts need to be aware of steganography techniques when examining evidence.

Question 28

What is the role of right blockers in digital forensics?

Answer 28

Right blockers are tools used to prevent write access to storage media during evidence acquisition, ensuring that the original evidence is not accidentally modified or tampered with.

Question 29

What is e-discovery in the context of digital forensics?

Answer 29

E-discovery refers to the discovery and retrieval of electronic information, often related to legal investigations, including data stored on premises or in the cloud.

Question 30

Why is documentation and metadata important in digital forensics?

Answer 30

Documentation and metadata help establish the chain of custody, record acquisition details, and provide necessary information for legal purposes, ensuring the integrity and admissibility of evidence.

Question 31

What is the purpose of a business continuity plan?

Answer 31

The purpose of a business continuity plan is to ensure that business operations can continue in the event of a negative disruption, such as a malware outbreak, server failure, or network outage.

Question 32

How does a disaster recovery plan differ from a business continuity plan?

Answer 32

A disaster recovery plan (DRP) is more specific and focuses on recovering individual subsystems or components, such as servers or corrupted files, whereas a business continuity plan (BCP) is a broader plan that addresses the overall continuity of operations.

Question 33

What is the order of volatility in disaster recovery?

Answer 33

The order of volatility refers to the prioritization of recovering volatile data first, such as CPU registers and RAM, before moving on to less volatile data. This helps ensure critical data is recovered quickly.

Question 34

What are the three types of disaster recovery sites?

Answer 34

The three types of disaster recovery sites are hot sites, warm sites, and cold sites.

Question 35

What is a hot site in disaster recovery?

Answer 35

A hot site is an alternate location with pre-configured hardware, software, networking, and up-to-date data. It allows for a quick switch-over time but requires more planning and maintenance.

Question 36

What is a warm site in disaster recovery?

Answer 36

A warm site is an alternate location with hardware, software, and networking, but it does not have up-to-date data. It requires time to transfer data and has a longer switch-over time compared to a hot site.

Question 37

What is a cold site in disaster recovery?

Answer 37

A cold site is a basic IT infrastructure set up at an alternate location, but it does not have hardware, software, or up-to-date data. It requires the longest switch-over time but is less expensive than hot and warm sites.

Question 38

How does the public cloud serve as an alternate site for disaster recovery?

Answer 38

Many organizations use the public cloud as an alternate site for disaster recovery by moving their IT operations to cloud servers. This provides flexibility and scalability in case of a disaster at the primary site.

Question 39

What factors should be considered in a site risk assessment?

Answer 39

A site risk assessment should consider factors such as the likelihood of natural disasters, geographical location, proximity to potential threats, and the vulnerability of the site’s infrastructure and personnel.

Question 40

What are some key organizational policies related to disaster recovery?

Answer 40

Organizational policies related to disaster recovery may include change management policies, asset management policies, and security policies, which help ensure the effective implementation of disaster recovery plans.

Question 41

What is the purpose of data backups?

Answer 41

The purpose of data backups is to ensure the availability of company data in the event of a disaster or data loss. Backups allow for the restoration of data to minimize downtime and maintain business continuity.

Question 42

Where can backups be stored?

Answer 42

Backups can be stored on premises using backup devices, in offsite locations such as fireproof safes or remote facilities, or in the public cloud. Network storage devices, such as network-attached storage (NAS) or storage area networks (SAN), can also be used for backup storage.

Question 43

What are the different types of backups?

Answer 43

The different types of backups include full or recopy backups, incremental backups, and differential backups. Full backups copy all data, incremental backups copy only new or modified data since the last backup, and differential backups copy all data since the last full backup.

Question 44

What is the purpose of the archive bit in backup?

Answer 44

The archive bit is a file attribute that indicates whether a file has been modified and needs to be backed up. Backup systems often rely on the archive bit to determine which files require backup. When a file is backed up, the archive bit is turned off, and when the file is modified, the archive bit is turned on.

Question 45

How can virtual machines be backed up?

Answer 45

Virtual machines can be backed up by taking snapshots, which capture the state of the virtual machine at a specific point in time. While snapshots are useful for rollbacks, proper backups of virtual machine data should also be performed to ensure data integrity.

Question 46

What factors should be considered when configuring backups?

Answer 46

Factors to consider when configuring backups include the volume of data, compression options, encryption requirements, backup frequency (based on the recovery point objective), and the selection of specific folders or files to be backed up.

Question 47

What is the purpose of the recovery point objective (RPO)?

Answer 47

The recovery point objective (RPO) defines the maximum tolerable amount of data loss that an organization can sustain. It helps determine the frequency and timing of backups to ensure that data loss is within acceptable limits.

Question 48

How can backups be configured in Windows 10?

Answer 48

In Windows 10, backups can be configured through the Settings menu. By accessing the Backup settings, users can select specific drives or folders to be backed up, choose backup frequency (e.g., every hour, every three hours), and specify other options such as file restoration preferences.