Chapter 15-17 Forensics, Policies/Standards/Compliance, Risk Management

Question 1

Order of Volatility

Answer 1

1. CPU cache and registers
2. Routing Table, ARP cache, process table, kernal stats
3. System Memory - RAM
4. Temporary files and swap space
5. Data on the hard disk/remote logs
6. Backups
7. Cache file
8. RAM
9. Page file
10. Hard drive
11. Network drive
12. remote storage/backups

Question 2

What is dd?

Answer 2

dd is a Linux command line tool that allows you to create images for forensic purposes

Question 3

What is FTK Imager?

Answer 3

FTK imager is a free tool for creating forensic images

Question 4

What is memdump?

Answer 4

Memdump is a linux command line tool used for capturing memory

Question 5

What is WinHex?

Answer 5

WinHex is a disk editing tool that can acquire disks in a raw format

Question 6

What is Autopsy?

Answer 6

Autopsy is the only “forensic suite” on the exam, it is open source and has broad capabilities

Question 7

How can you validate a forensic copy?

Answer 7

create hashes of both the original and the copy, then compare the hash.

Question 8

Policies
Standards
Procedures
Guidelines

Answer 8

Policies are high level statements of management intent, usually BROAD statements
Standards provide mandatory requirements describing how an organization will carry out policies
Procedures are detailed step by step processes that individuals and organizations must follow
Guidelines provide best practices and recommendations related to a concept, technology, or task

Guidelines are the only one that is not mandatory

Question 9

What are the PCI DSS compensating control criteria?

Answer 9

1. intent and rigor
2. similar level of defense
3. above and beyond the original control

Question 10

What is least privilege and privilege creep

Answer 10

The concept of least privilege is that no employee should have more privileges than absolutely necessary to do their job

Privilege creep is when an employee changes positions in the company and accumulates privileges without them being revoked from the last position

Question 11

What is separation of duties

Answer 11

for extremely sensitive job functions where two different tasks combined have significant sensitivity such as accounting. Two person control should be used

Question 12

What is job rotation

Answer 12

takes employees with sensitive roles and moves them periodically to other positions within the company, making fraud difficult. Mandatory vacations serve the same purpose.

Clean desk policies are designed to protect confidentiality

Question 13

What is an MSA

Answer 13

Master service agreements provide umbrella contract for work that the vendor does with an organization over an extended period of time often with detailed security and privacy requirements

Question 14

What is a SLA

Answer 14

service level agreement specifies the conditions of service that will be provided

Question 15

What is an MOU

Answer 15

memorandum of understanding documents aspects of the relationship

Question 16

What is a BPA

Answer 16

Business Partnership Agreement exists when two organizations do business together in a partnership

Question 17

What is EOL/EOSL

Answer 17

end of life/ end of service life

Question 18

What is HIPAA and PCI DSS

Answer 18

industry data protection standards for healthcare and payment card

Question 19

what is GDPR

Answer 19

General Data Protection Regulation implements security and privacy requirements for personal info of EU residents worldwide.

Question 20

what is AUP

Answer 20

acceptable use policy

Question 21

what is the NIST CSF and its 5 elements

what is NIST RMF

Answer 21

cyber security framework, 
Identify
Protect
Detect
Respond
Recover

Risk management framework

Question 22

What is the ISO

Answer 22

international organization for standardization for best practices for cyber security and privacy

Question 23

what is ISO 27001

Answer 23

information security standards

Question 24

what is ISO 27002

Answer 24

information security standards like 27001, but goes beyond control objectives and describes actual controls

Question 25

what is ISO 27701

Answer 25

standard guidance for managing PRIVACY controls

Question 26

What is ISO 31000

Answer 26

Risk management guidelines

Question 27

What is the difference between an audit and assessment

Answer 27

Audits are formal, assessments usually aren’t. Audits are often performed by 3rd party companies, assessments are usually requested by the company itself.

Question 28

What is SOC 2

Answer 28

SOC 2 assesses the organizations security and privacy controls

Question 29

What is SOC type 1 vs 2

Answer 29

SOC type 1 assesses the design of security processes at a specific point in time
SOC type 2 assesses how effective these controls are over time

Question 30

What is “risk” the combination of?

Answer 30

Threat and Vulnerability

Question 31

what is Quantitative vs Qualitative risk?

Answer 31

quantitative risk is numerically calculable

qualitative is subjective judgements for risks difficult to quantify

Question 32

What is AV in quantitative risk assessment

Answer 32

asset value is the dollar amount of an asset.

Question 33

What is ARO in quantitative risk assessment

Answer 33

annualized rate of occurrence is the frequency at which the risk is likely to occur

Question 34

What is EF in quantitative risk assessment

Answer 34

exposure factor determines the amount of damage that will occur

Question 35

What is SLE in quantitative risk assessment

Answer 35

Single loss expectancy is the financial damage each time the risk materializes

Question 36

What is ALE in quantitative risk assessment?

Answer 36

annual loss expectancy is the amount of damage expected from a risk each year

Question 37

Risk management strategies

Answer 37

Risk Mitigation - reducing probability and magnitude of a risk
Risk Avoidance - changing business practices to eliminate the potential that a risk will materialize (typically has impact on productivity)
Risk Transference - shifts the impact from the organization to another entity like an insurance company
Risk Acceptance - taking no other RM strategy, just facing the risk.

Question 38

Presenting risk management to senior leadership

Answer 38

A risk matrix or risk heat map is far more effective in communicating risk to senior leadership than the risk register, which is a lengthy, detailed document.

Question 39

What is RTO

Answer 39

recovery time objective is the amount of time an organization can tolerate a system being down

Question 40

What is RPO

Answer 40

recovery point objective is the amount of data the organization can tolerate losing

Question 41

what is MTTR

Answer 41

mean time to repair is the average system restoration time after a failure

Question 42

What is MTBF

Answer 42

Mean time between failures is a measure of system reliability

Question 43

Government Data Types

Answer 43

Top Secret
Secret
Confidential
Unclassified

Question 44

Business Data Types

Answer 44

Highly Sensitive
Sensitive
Internal
Public

Question 45

COMPTIA data classification levels

Answer 45

Public
Private
Sensitive
Confidential
Critical
Proprietary

Question 46

Data Roles

Answer 46

Data Controller - determine the reasons for processing personal information
Data Steward - individuals who carry out the intent of the data controller
Data Custodians - does not have controller or steward responsibility, but is responsible for secure safe keeping of information
Data Processor - service providers that process personal information on behalf of the data controller

GDPR formalizes the chief privacy officer, calls it DPO data protection officer.