D7: Security Operations

Question 1

Incident Scene

Answer 1

• ID the scene
• Protect the environment
• ID evidence and potential sources of evidence
• Collect evidence - hash +
• Minimize the degree of contamination

Locard’s Exchange Principle - perps leave something behind

Question 2

Evidence Types

Answer 2

1. Sufficient: persuasive enough to convince one of its validity
2. Reliable: consistent with fact, evidence has not been tampered with or modified
3. Permissible: lawful obtaining of evidence, avoid; unlawful search and seizure, secret recording, privacy violations, forced confessions, unlawful obtaining of evidence
4. Preserved and Identifiable: collection; reconstruction

Identification: labeling, recording serial number, etc.

Evidence must be preserved and identifiable

*Collection, documentation, classification, comparison, reconstruction

Question 3

Evidence Lifecycle

Answer 3

1. Discovery
2. Protection
3. Recording
4. Collection and Identification
5. Analysis
6. Storage, preservation, transportation
7. Present in Court
8. Return to Owner

Witnesses that evidence are trustworthy - description of procedures, normal business method collections, error precaution and correction

Question 4

Best Evidence

Answer 4

1. Primary Evidence - is used at trial because it is the most reliable.
   - original documents are used to document things such as contracts
   - NO COPIES!!!!
   - Oral is not the best evidence though it may provide interpretation of documents

Question 5

Secondary Evidence

Answer 5

• Not as strong as Primary
• it is not permitted if the Best Evidence is available
• Oral evidence (like witness testimony)

Question 6

Direct Evidence

Answer 6

• Direct evidence can prove a fact by itself and does not need any type of backup evidence.
• Does NOT need other evidence to substantiate.
• Testimony from a witness - one of their 5 senses.
• Oral evidence is a type of secondary evidence so the case can’t simply stand on this alone.

Question 7

Conclusive Evidence

Answer 7

• irrefutable and cannot be contradicted

- requires no other corroboration

Question 8

Circumstantial Evidence

Answer 8

• used to help assume another fact

- cannot stand on it’s own to directly prove a fact

Question 9

Corroborative Evidence

Answer 9

• supports or substantiates other evidence presented in a case

Question 10

Hearsay Evidence

Answer 10

• something a witness hears another one say.
• business records are hearsay and all that is printed or displayed
• EXCEPTION: audit trails and business records when the documents are created in normal course of business

Question 11

Interviewing

Answer 11

Gather facts and determine the substance of the case

Question 12

Interrogation

Answer 12

Evidence retrieval method, ultimately obtain a confession

Question 13

The Process / Due Process

Answer 13

Involves:

• prep of questions and topics
• puts witness at ease
• summarize information or interview/interrogation plan

Other Notes:

• have one person as lead and 1-2 others involved as well
• never interrogate or interview alone

Question 14

Opinion Rule

Answer 14

Requires witnesses to testify only about the facts of the case, cannot be used as evidence in the case

*context - Federal Rules of Evidence (FRE), a court will permit a person who isn’t testifying as an expert to testify in the form of an opinion if it’s both rationally based on their perception and helps to explain the witness’s testimony

Question 15

Expert Witnesses

Answer 15

Used to educate the jury and can be used as evidence

Question 16

Six Principles for Digital Evidence Technicians

Answer 16

1. When dealing with digital evidence, all general forensic and procedural principles must be applied
2. Upon seizing digital evidence, actions taken should not change the evidence
3. When it is necessary for a person to access original digital evidence, that person should be trained for that purpose.
4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while the evidence is in their possession
6. Any agency responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Question 17

Media Analysis

Answer 17

Identification and extraction of information from storage media. May include:

• Magnetic Media - hard disks, tapes
• Optical Media - CDs, DVDs, Blu-ray discs
• Memory - RAM, solid state storage

Techniques used for media analysis may include:

• recovery of deleted files from unallocated sectors of the physical disk
• the live analysis of storage media connected to a computer system (esp. useful when examining encrypted media)
• the static analysis of forensic images of storage media.

Question 18

Software Analysis

Answer 18

Forensic review of applications or the activity that takes place within a running application.

May need to review and interpret log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

When malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs or other vulns.

Question 19

Hardware / Embedded Device Analysis

Answer 19

Forensic analysts often must review the contents of hardware and embedded devices.

This may include a review of personal computers & smartphones

Question 20

Admissible Evidence

Answer 20

• The evidence must be relevant to determining a fact, and the fact must be material/related to the case
• Evidence must have been obtained legally aka competent
• Evidence that results from an illegal search would be inadmissible because it is not competent.

Question 21

Five Rules of Evidence

Answer 21

1. Be authentic - evidence ties back to the scene
2. Be accurate - maintain authenticity and veracity
3. Be complete - all evidence collection, for and against view
4. Be convincing - clear & easy to understand for jury
5. be admissible - be able to be used in court

Question 22

Forensic Disk Controller

Answer 22

Write blocking - intercepts write commands sent to the device and prevents them from modifying data on the device

Return data requested by a read operation

Return access-significant information from device

Reporting errors from device to forensic device.

LOGS TAKEN IN NORMAL COURSE OF BIZ

Question 23

MOM

Answer 23

Means, opportunity and motive

Question 24

Victimology

Answer 24

Why certain people are victims of a crime, and how lifestyle affects the chances that a certain person will fall victim to a crime investigation

Question 25

Investigation Types

Answer 25

Operational
Criminal
Civil
eDiscovery

Question 26

Slack Space

Answer 26

Slack space on a disk should be inspected for hidden data and should be included in Disk Image

Question 27

3 Branches of Law

Answer 27

Legislative: writing laws (statutory laws)
Executive: enforces laws (administrative laws)
Judicial: Interpret laws (common laws from court decisions)

Question 28

Criminal Law

Answer 28

Individuals that violate government law

Punishment mostly imprisonment

Question 29

Civil Law

Answer 29

Wrongs against individual or organization that result in a damage or loss.

Punishment can include financial penalties

Tort Law (I’ll Sue You!) Jury will decide liability

Question 30

Administrative/Regulatory Law

Answer 30

How the industries, organizations and officers have to act.

Wrongs can be penalized with imprisonment or financial penalties

Question 31

Uniform Computer Information Transactions Act (UCITA)

Answer 31

Federal Law that provides a common framework for the conduct of computer-related business transactions.

UCITA contains provisions that address software licensing

The terms of UCITA give legal backing to the previously questionable practivies of shrink–wrap licensing by giving them status as legally binding contracts

Question 32

Uniform Computer Information Transactions Act (UCITA)

Answer 32

Federal Law that provides a common framework for the conduct of computer-related business transactions.

UCITA contains provisions that address software licensing

The terms of UCITA give legal backing to the previously questionable practices of shrink–wrap licensing by giving them status as legally binding contracts

Question 33

3 Types of Harm of Computer Crimes

Answer 33

• Unauthorized intrusion
• Unauthorized alteration or destruction
• Malicious Code

Question 34

Admissible evidence

Answer 34

relevant, sufficient, reliable, does not have to be tangible

Question 35

Enticement

Answer 35

the legal action of luring an intruder, like in a honeypot

Question 36

Entrapment

Answer 36

the illegal act of inducing a crime, the individual had no intent of committing the crime at first

Question 37

Federal Sentencing Guidelines

Answer 37

provides judges and courts procedures on the prevention, detection and reporting

Question 38

Security Incident and Event Management (SIEM)

Answer 38

Automating much of the routine work of log review

Provides real-time analysis of events occurring on systems throughout an organization but don’t necessarily scan outgoing traffic.

Question 39

Intrusion

Answer 39

Occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources.

Question 40

Intrusion Detection

Answer 40

A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

Question 41

Intrusion Detection System (IDS)

Answer 41

Automates the inspection of logs and real-time
system events to detect intrusion attempts and system failures.

An effective method of detecting many DoS and DDoS attacks

Can recognize external attacks e.g. from the internet or attacks that spread internally like a malicious worm.

Detections will trigger alarms and alerts, and sometimes will modify the environment to stop an attack

IDS is part of defense-in-depth security plan - it will work with, and complement other security mechs like firewalls, but it does not replace them.

Question 42

Intrusion Prevention System IPS

Answer 42

Intrusion prevention system includes all capabilities of an IDS, but can also take additional steps to stop or prevent intrusions - admins can disable the features of an IPS, and it becomes an IDS

Question 43

Data Loss Prevention (DLP)

Answer 43

Data loss prevention systems attempt to detect and block data exfiltration attempts.

The systems have the capability of scanning data looking for keywords and data patterns.

Can look for sensitive information stored on hard drives

Question 44

Network-based DLP

Answer 44

Scans all outgoing data looking for spec ific data.

Admin would place it on the edge of the negative to scan all data leaving the organization

If a user sends out a file containing restricted data, the DLP system will detect and prevent it from leaving the organization

The DLP system will send an alert such as an email to an administrator

Question 45

Endpoint-based DLP

Answer 45

Can scan files stored on a system as well as files sent to external devices such as printers

An organization endpoint-based DLP can prevent users from copying sensitive data to USNB flash drives or sending sensitive data to a printer

Question 46

3 states of information

Answer 46

Data at rest (storage)

Data in transit (the network)

Data being processed (must be decrypted) / in use / end point

Question 47

Configuration Item (CI)

Answer 47

Component whose state is recorded

Version: recorded state of the CI

Question 48

Configuration

Answer 48

Collection of component CI’s that make another CI

Question 49

Building

Answer 49

Assembling a version of a CI using component CI’s

Question 50

Building list

Answer 50

Set of versions of component CI’s used to build a CI software library CI software library

Question 51

CI Software Library

Answer 51

Controlled area only accessible for approved users

Question 52

Recovery Procedures

Answer 52

System should restart in secure mode

Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

Question 53

Fault-tolerant

Answer 53

Continues to function despite failure

Question 54

Fail Safe System

Answer 54

Program execution is terminated and system protected from compromise when hardware or software failure DOORS usually

Question 55

Fail Closed/Secure

Answer 55

The most conservative from a security perspective

Question 56

Fail Open

Answer 56

????

Question 57

Fail Hard - BSOD

Answer 57

Human to see why it failed??

Question 58

Fail Soft or Resilient System

Answer 58

Reboot, selected, non-critical processing is terminated when failure occurs

Question 59

Failover

Answer 59

Switches to hot backup

Question 60

Fail Safe vs. Fail Secure

Answer 60

FAIL SAFE: doors UNLOCK

FAIL SECURE: doors LOCK

Question 61

Trusted Path

Answer 61

Protects data between users and a security component

Channel established with strict standards to allow necessary communication to occur without exporing the TCB to security vulnerabilities

A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB intechange

ONLY WAY TO CROSS SECURITY BOUNDARY RIGHT WAY

Question 62

Security Events vs. Security Incidents vs. Security Intrusion

Answer 62

Events: anything that happens; can be documented verified and analyzed.

Incidents: event(s) that adversely impact the ability of an organization to do business. A suspected attack

Intrusion: evidence attacker attempted or gained access to

Question 63

Incident Response Lifecycle

Answer 63

Official:

Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons Learned

Unofficial:

Response Capability: policy, procedures, a team
Incident Response and Handling: triage, investigation, containment and analysis tracking
Recovery: Recovery or repair
Debriefing / Feedback: External Communications
Mitigation: limit the effect or scope of an incident

Question 64

Root Cause Analysis (RCA)

Answer 64

COME BACK TO AFTER READING

Question 65

HIDS

Answer 65

Host Based IDS

Monitors activity on a single computer, including process calls and information recorded in firewall logs.

It can often examine events in more detail than NIDS can, and it can pinpoint specific files compromised in an attack.

It can also track processes employed by the attacker

A benefit of HIDS over NIDS is that HIDS can detect anomalies on the host system that NIDS cannot detect

Question 66

NIDS

Answer 66

Network-IDS

Monitors and evaluates network activity to detect attacks or event anomalies

It cannot monitor the content of encrypted traffic but can monitor other packet details

A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

Question 67

Full Backup

Answer 67

All files, archive bit and modify bit are cleared

Pro: only previous day needed for full restore
Con: Time consuming

Question 68

Incremental Backup

Answer 68

Only modifies files and archive bit is cleared

Pro: Least time and space
Con: must first restore full and then all incremental backups > makes it less reliable because it depends on more components

Question 69

Differential Backup

Answer 69

Only modifies files, and does not clear archive bit

Pro: Full and only last diff needed, intermediate time between full and diff

Question 70

Redundant Servers

Answer 70

Applies raid 1 mirroring concepts to servers

On error servers can do a failover > aka server fault tolerance

Question 71

Server Clustering

Answer 71

Group of independent servers which are managed as a single system

All servers are online and take part in processing service requests

Individual computing devices on a cluster vs. a grid system — cluster devices all share the same OS and application software but grid devices can have different OSs while working on same problem

Question 72

Tape Rotation Schemes

Answer 72

COME BACK TO AFTER READING

Question 73

RAIT

Answer 73

Robotic mechanisms to transfer tapes between storage and drive mechanisms

Question 74

Mutual Aid Agreements

Answer 74

AKA Reciprocal agreement

Arrangement with another similar corporation to take over the processes

Pro: cheap

Con: must be exactly the same, is there enough capability, only for short term and what if disaster affects both corporations? Not enforceable

Question 75

DR - Subscription Services

Answer 75

Third party, subscription servers provide alternate backups and processing facilities

Most common of implementations

Question 76

Redundant

Answer 76

Mirrored Site, potential zero down time

Question 77

Hot Site - Internal/External

Answer 77

Fully configured computer facility

All applications are installed, up-to-date and mirror of the production system

Extremely urgent critical transaction processing

Pro: 24/7 availability and exclusive use are assured - short and long term
Con: extra admin overhead, costly, security controls needs to be installed at the remote facility too

Exclusive to one company hours to be up??

Question 78

Warm Site

Answer 78

Cross between hot and cold site

The computer facility is available but the applications may not be installed or need to be configured.

External connections and other data elements that take long time to order are present

Workstations have to be delivered and data has be restored

Pro: Less costly, more choice of location, less admin resources required
Con: it will take some time start production processing Nonexclusive and 12 hours to be up

Question 79

Cold Site

Answer 79

Least ready but most commonly used

Has no hardware installed, only power and HVAC

Pro: Cost, ease of location choice, non-exclusive
Con: very lengthy time of restoration, false sense of security but better than nothing

Question 80

Service Bureau

Answer 80

Contract to fully backup processing services

Pro: quick response and availability, testing is possible
Con: expense and it is more of a short time option

Question 81

Multiple Centers/Dual Sites

Answer 81

Processing is spread over several computer centers

Can be managed by the same corporation (in house) or with another organization (reciprocal agreement)

Pro: costs, multiple sites will chare resources and support
Con: a major disaster could affect both sites, multiple configurations have to be administered

Question 82

Rolling/Mobile Sites

Answer 82

Mobile homes or HVAC trucks

Could be considered a cold site

Question 83

In-House or External

Answer 83

Supply of hardware replacements

Stock of hardware either onsite or with a vendor

May be acceptable for warm site but not for hot site

Question 84

Prefabricated building

Answer 84

A very cold site

Question 85

RAID Levels

Answer 85

RAID 0: Striped - one large disk out of several; improved performance but no fault tolerance
RAID 1: Mirrored - drives, fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed
RAID 2: not used commercially; Hammering Code Parity/error
RAID 3: Striped on byte level - extra parity drive; improved performance and fault tolerance, but parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4: same as RAID3, but striped on block level; 3 or more drives
RAID 5: Striped on block level, parity distributed over all drives; requires all drives but one to be present to operate hot-swappable. Interleave parity, recovery control; 3 or more drives
RAID 6: Dual Parity, parity distributed over all drives - requires all drives but two to be present to operate hot-swappable
RAID 7: is the same as RAID 5 but all drives act as one single virtual disk

Question 86

Backup Storage Media

Answer 86

Tape: sequential, slow read, fast write 200GB an hour, historically cheaper than disk (now changing), robotic libraries

Disk: fast read/write, less robust than tape

Optical Drive: CD/DVD. Inexpensive

Solid State: USB drive, security issues, protected by AES

MTTF - mean time to failure
MTTR - mean time to repair
MTBF - mean time between failures (useful life) = MTTF + MTTR
JBOD - most basic type of storage

Question 87

Electronic Vaulting

Answer 87

Transfer of backup data to an offsite storage location via communication lines

Question 88

Remote Journaling

Answer 88

Parallel processing of transactions to an alternative site via communication lines

Question 89

Database shadowing

Answer 89

Live processing of remote journaling and creating duplicates of the database sets to multiple servers

Question 90

Object reuse

Answer 90

Use again after initial use

Question 91

Data remanence

Answer 91

Remaining data after erasure; format magnetic media 7 times (orange book)

Question 92

Clearing

Answer 92

Overwriting media to be reused

Question 93

Purging

Answer 93

Degaussing or overwriting to be removed

Question 94

Destruction

Answer 94

Complete destruction, preferably by burning

Question 95

Disaster Recovery End Goal

Answer 95

Restore normal business operations

Statement of actions that have to be taken before, during and after a disruptive event that causes a significant loss of information

Goal: provide organized way for decision making, reduce confusion and deal with crisis

Planning and development must occur before the disaster

BIA has already been completed prior - now it is time to protect

Question 96

Disaster

Answer 96

Any event, natural or manmade, that can disrupt normal IT operations

The disaster is not over until all operations have been returned to their normal location and function

It will be officially over when the data has been verified at the primary site, as accurate

Question 97

Recovery Team

Answer 97

Mandated to implement recover after the declaration of the disaster

Question 98

Salvage Team

Answer 98

Goes back to the primary site to normal processing environmental conditions

Clean, repair, salvage

Can declare when primary site is available again

Question 99

Normal Operations Resume Plan

Answer 99

Has all procedures on how the company will return processing from the alternate site

Question 100

Other Recovery Issues

Answer 100

Interfacing with other groups: everyone outside the corporation

Employee Relations - responsibility towards employees and families

Fraud and Crime: like vandalism, looting and people grabbing the opportunity

Financial reimbursement?? / Media Relations
- find someone to run it

Question 101

Documenting the Disaster Recovery Plan

Answer 101

• activation and recover procedures
• plan management
• HR involvement
• costs
• required documentation
• internal / external communications
• detailed plans by teams

**get communications up first, then most critical business functions

Question 102

Desk Check

Answer 102

review plan contents

Question 103

Table-Top Exercise

Answer 103

Members of the disaster recovery team gather in a large conference room and role-play a disaster scenario

Question 104

Simulation tests

Answer 104

More comprehensive and may impact one or more non-critical business units of the organization, all support personnel meet in a practice room

Question 105

Parallel tests

Answer 105

Involve relocating personnel to the alternate site and commencing operations there.

Critical systems are run at an alternate site, main site open also

Question 106

Full-interruption tests

Answer 106

Involve relocating personnel to the alternate site and shutting down operations at the primary site

Question 107

Business Continuity Plan (BCP)

Answer 107

Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

Question 108

BCP (proactive goals)

Answer 108

Business Continuity - enduring the business can continue in an emergency, 1st business organization analysis

Focus on Business Processes

1. Scope and Plan Initiation - consider amount of work required, resources required, management practice
2. BIA - helps understand impact of disruptive processes
3. Business Continuity Plan development
   - Use BIA to develop BCP (strategy development phase bridges the gap between the business impact assessment and continuity planning phases of BCP development)
4. Plan approval and implementation
   - management approval
   - create awareness

**Update plan as needed, at least once a year testing

Question 109

Disaster Recovery (reactive goals)

Answer 109

Recover as quickly as possible

• Heavy IT focus
• Allows the execution of the BCP
• Needs planning
• Needs testing

CRITICAL, URGENT, IMPORTANT

Question 110

Business Continuity Plans development

Answer 110

• Defining the continuity strategy
• Computing: strategy to preserve the elements of hardware/software/communication lines/applications/data
• Facilities: use of main buildings or any remote facilities
• People: operators, management, technical support persons
• Supplies and equipment: paper, forms, HVAC
• Documenting the continuity strategy

Question 111

BCP Committee

Answer 111

Senior Staff: ultimate responsibility, responsible for die care, due diligence

Various business units: identify and prioritize time critical systems

Information Systems

Security Administrator

There should be representatives from all departments who will execute the plan

Question 112

CCTV

Answer 112

Multiplexer allows multiple camera screens shown over one cable on a monitor

• via coax cables (hence closed)
• attacks: replayed (video images)
• fixed mounting vs. PTZ Pan Tilt Zoom accunicator system (detects movements on screen and alerts guards)
• Recording (for later review) = detective control
• CCTV enables you to compare the audit trails and access logs with visual recording

Question 113

Lightening

Answer 113

Glare Protection: against blinding by lights

Continuous Lightning: evenly distributed lightning

Controlled Lightning: no bleeding over no blinding

Standby lightning - timers

Responsive Areas Illumination: IDS detects activities and turns on lightening

NIST: for critical areas the area should be illuminated 8 feet in height with 2 foot candle power

Question 114

Alarms

Answer 114

Local Alarm: audible alarm for at least 4000 feet

Central Stations: less than 10mins travel time for e.g. a private security firm

Proprietary systems: owned and operated by the customer. System provides many of the features in-house

Auxiliary Station Systems: on alarm ring out to local fire or police

Line supervision check: if no tampering is done with the alarm wires

Power Supplies: alarm systems need separate circuitry and backup power

Question 115

Intrusion Detection (Physical and Motion)

Answer 115

Physical Parameter Detection

• Electromechanical - detect a break or change in circuit magnets pulled loose, wire doors, pressure pads
• Photoelectric - light beams interrupted (as in a store entrance)
• Passive infrared - detects changes in temperature
• Acoustical detection - microphones, vibrations sensors

Motion Detection

• Wave Pattern Motion Detectors - detects motions
• Proximity/Capacitance detector - magnetic fields detects presence around an object

Question 116

Locks

Answer 116

Warded Lock - hanging lock with a key

Tumbler lock - cylinder slot

Combination lock - 3 digits with wheels

Cipher lock - electrical

Device lock - bolt down hardware

Preset - ordinary door lock

Programmable - combination or electrical lock

Raking - circumvent a pin tumbler lock

Question 117

Audit Trails

Answer 117

Should Include:

• Date and time stamps
• successful or unsuccessful attempt
• where the access was granted
• who attempted the access
• who modified access privileges at supervisor level

Question 118

Security Access Cards

Answer 118

Photo ID Card: Dumb cards. digitally coded cards

• swipe cards
• smart cards

Wireless proximity cards

• user activated
• system sensing
• passive device, no battery, uses power of the field
• field powered device: active electronics, transmitter but gets power from the surrounding field from the reader
• transponders: both card and receiver holds power, transmitter and electronics

Question 119

Trusted Recovery

Answer 119

Ensures that the security is not breached when a system crash or failure occurs

Only required for B3 or A1 level systems

Question 120

Failure Preparation

Answer 120

Backup critical information thus enabling data recovery

Question 121

System Recovery after a System Crash

Answer 121

1. Reboot system in single user mode or recovery console so no user access is enabled
2. Recover all file systems that were active during failure
3. Restoring missing or damaged files
4. Recovering the required security characteristic, such as file security labels
5. Checking security-critical files such as system password file

Question 122

Common Criteria Hierarchal recovery types

Answer 122

Manual: system administrator intervention is required to return the system to a secure state

Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)

Automatic without Undue Loss: higher level of recovery defining prevention against the undue loss of protected objects

Function: system can restore functional processes automatically

Question 123

Types of System Failure

Answer 123

System Reboot: system shuts itself down in a controlled manner after detecting inconsistent data structures or runs out of resources

Emergency restart: When a system restarts after a failure happens in an uncontrolled manner. E.g. when a low privileged user tries to access restricted memory segments

System Cold Start: when an unexpected kernel or media failure happens and the regular recovery procedure cannot recover the system in a more consistent state

Question 124

Hackers and Crackers

Answer 124

Want to verify their skills as intruders

Question 125

Entitlement

Answer 125

Refers to the amount of privileges granted to users, typically when first provisioning an account. User entitlement audit can detect when employees have excessive privileges

Question 126

Aggregation

Answer 126

Privilege creep, accumulate privileges

Question 127

Hypervisor

Answer 127

Software component that manages the virtual components. The hypervisor adds an additional attack surface, so it’s important to ensure it is deployed in a secure state and kept up-to-date with patches, controls access to physical resources

Question 128

Notebook

Answer 128

most preferred in a legal investigation is a bound notebook, pages attached to a binding

Question 129

Exigent circumstances

Answer 129

Allows officials to seize evidence before its destroyed (police team fall in)

Question 130

Data Haven

Answer 130

A country or location that has no laws or poorly enforced laws

Question 131

Chain of Custody

Answer 131

Collection, analysis and preservation of data

Forensics uses bit-level copy of the disk

Question 132

Darknet

Answer 132

Unused network space that may detect unauthorized activity

Question 133

Pseudo flaw

Answer 133

false vulnerability in a system that may attract an attacker

Question 134

Fair Information Practices

Answer 134

• openness
• collection limitation
• purpose specification
• use limitation
• data quality
• individual participation
• security safeguards
• accountability

Question 135

Noise and Perturbation

Answer 135

Inserting bogus information to hope to mislead an attacker

Question 136

First Step of Change Process

Answer 136

Management approval

When a question is asked about processes, there must always be management’s approval as First Step

Question 137

Prototyping

Answer 137

Customer view taken into account

Question 138

SQL-SUDIGR

Answer 138

6 basic SQL commands

Select, Update, Delete, Insert, Grant, Revoke

Question 139

Bind Variables

Answer 139

Placeholders for literal values in SQL query being sent to database on a server

Question 140

GANTT and PERT charts

Answer 140

????

Question 141

Piggybacking

Answer 141

looking over someone’s shoulder to see how someone gets access

Question 142

Data Center Requirements

Answer 142

• Walls from floor to ceiling
• Floor: concrete slab, 150lbs square feet
• No windows
• Air-Conditioning should have own Emergency Power Off (EPO)

Electronic Access Control (EAC): proximity readers, programmable logs or biometric systems

Question 143

Crime Prevention Through Environmental Design (TCPTED)

Answer 143

Natural Access Control: guidance of people by doors, fences, bollards, lightening. Security zones are defined.

Natural Surveillance: cameras and guards

Territorial Reinforcements: walls, fences, flags

Target Hardening: focus on logs, cameras, guards

Facility Site: core of the building (e.g. with 6 stores, it’s on the 3rd floor)

Question 144

Hacktivists

Answer 144

Combination of hacker and activist, often combining political motivations with the thrill of hacking.

Question 145

Thrill Attack

Answer 145

Attacks launched only for the fun of it. Pride, bragging rights, etc.

Question 146

Script Kiddies

Answer 146

Attackers who lack the ability to devise their own attacks will often download programs that do their work for them.

The main motivation behind these attacks is the “high” of successfully breaking into a system.

Service Interruption may be the goal.

An attacker may destroy data, the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Common to do website defacements.

Question 147

Business Attacks

Answer 147

Focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself

Question 148

Financial Attacks

Answer 148

Carried out to unlawfully obtain money or services

Question 149

Terrorist Attacks

Answer 149

Purpose is to disrupt normal life and instill fear

Question 150

Military or intelligence attack

Answer 150

Designed to extract secret information

Question 151

Grudge Attacks

Answer 151

Attacks that are carried out to damage an organization or person. The damage could be in the loss of information or information processing capabilities or harm to the organization or person’s reputation.

Question 152

Sabotage

Answer 152

A criminal act of destruction or disruption committed against an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

Question 153

Espionage

Answer 153

The malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization

Attackers often commit espionage with the intent of disclosing or selling information to a competitor or other interested organization (i.e. foreign).

Attackers can be dissatisfied employees, and in some cases, employees who are being blackmailed from someone outside of the organization.

Countermeasures against espionage are to strictly control access, to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

Question 154

Integrity Breaches

Answer 154

Unauthorized modification of information, violations are not limited to intentional attacks.

Human error, oversight, or ineptitude accounts for many instances.

Question 155

Confidentiality Breaches

Answer 155

Theft of sensitive information