Chapter 13 - Incident Preparation and Investigation Flashcards
What is preserving evidence?
Making sure that important proof is not corrupted or even destroyed
What is securing the scene?
This is the first job; it involves documenting the physical surroundings, identifying and tagging all cables connected to the device, and taking custody of the device along with any peripherals
What is the incident response plan?
Document that lists steps to be taken when an incident occurs
What is order of volatility?
Must be followed to preserve the most fragile data first:
(1) registers and CPU cache
(2) routing tables, ARP cache, process table, kernel statistics, RAM
(3) temporary file systems
(4) hard drive
(5) remote logging and monitoring data
(6) physical configuration and network topology
(7) archival media.
What is RPO?
Recovery Point Objective - The maximum length of time that an organization can tolerate between backups.
RPO = “How much time’s worth of data can I lose?”
What is RTO?
Recovery Time Objective - The length of time it will take to recover data that has been backed up.
What is a Hot site?
A duplicate of the production site that has all the equipment needed for an organization to continue running, including office space and furniture, telephone jacks, computer equipment, and a live telecommunications link.
What is a Cold site?
A remote site that provides office space; the customer must provide and install all the equipment needed to continue operations.
What is a Warm site?
A remote site that contains computer equipment but does not have active Internet or telecommunication facilities and does not have backups of data.
What is SIEM?
Security Information and Event Management - consolidates real-time security monitoring and management of security information with analysis and reporting of security events; this information includes alerts, trends, sensitivity, and correlation data.
What is Eradication?
An incident response process step of finding the cause of the incident and temporarily removing any systems that may be causing damage.
What is Containment?
An incident response process step of limiting the damage of the incident and isolating those systems that are impacted to prevent further damage.
What is the Cyber Kill Chain?
Outlines the steps of an attack
(1) Reconnaissance
(2) Weaponization
(3) Delivery
(4) Exploitation
(5) Installation
(6) Command & Control
(7) Actions on objectives
What is BIA?
Business Impact Analysis - A process that identifies the business functions and quantifies the impact a loss of these functions may have on business operations.
What is BCP?
Business Continuity Plan - If important business activities whose interruption could result in a significant loss are interrupted, this document provides alternative modes of operation for those business activities
What is DRP?
Disaster Recovery Plan - A written document that details the process for restoring IT resources
What is Parallel Processing?
An incident response testing exercise that conducts the same tests simultaneously in multiple environments.
What is a Failover Simulation?
An incident response testing exercise that tests the process of temporarily switching to backup procedures after an attack.