Domain 4 - Incident Response and Recovery

Question 1

IP Plan Elements

Answer 1

1. Statement of Purpose
2. Strategies and goals for incident response.
3. Approach to incident response.
4. Communication with other groups.
5. Senior leadership approval.

Question 2

NIST SP 800-61

Answer 2

Incident Response Plan

Question 3

Communication Plans

Answer 3

Ensure that all participants have timely, accurate information.

Question 4

What is crucial for effective incident identification?

Answer 4

Monitoring.

Question 5

SIEM

Answer 5

SECURITY INCIDENT AND EVENT MANAGEMENT

Security solution that collects information from diverse sources, analyzes it for signs of security incidents, and retains it for later use.

Question 6

First responder responsibilities

Answer 6

Isolate affected systems

Question 7

Highest priority of a first responder must do what?

Answer 7

Containing damage through isolation.

Question 8

Second Step for First Responder?

Answer 8

Escalate and Notify

Question 9

Containment Strategy Evalutation

Answer 9

1. Damage Potential
2. Evidence Preservation
3. Service availability
4. Resource requirements.
5. Expected effectiveness.
6. Solution Time frame

Question 10

Evidence types

Answer 10

Real - Tangible Objects
Documentary - Written/Digital Information
Testimonial - Witness Statements.

Question 11

Documentary Evidence Rules

Answer 11

1. Must be authenticated (testify)
2. Best Evidence Rule
3. Parol Evidence Rule

Question 12

Best Evidence Rule

Answer 12

Original documents are superior to copies.

Question 13

Parol Evidence Rule

Answer 13

Written contracts are assumed to be the entire agreement.

Question 14

Forms of Testimonial Evidence

Answer 14

1. Direct - Witness provides evidence

2. Expert Opinion - Expert draws conclusions.

Question 15

Goal of Digital Forensics

Answer 15

Investigate techniques that collect, preserve, analyze, and interpret digital evidence.

Question 16

Volatility

Answer 16

Relative permanence of a piece of evidence; evidence that may not last long is more volatile than more permanent sources of evidence.

Question 17

Order of Volatility

Answer 17

1. Network Traffic
2. Memory Contents
3. System and Process Data
4. Files
5. Logs
6. Archive records

Question 18

Risk to transferring data during evidence?

Answer 18

That data will be added to device.

Question 19

Device used to prevent accidental modification of disks during imaging?

Answer 19

Write Blockers or Forensic Disk Controllers.

Question 20

What is used to protect digital evidence from being tampered with?

Answer 20

Hashes

Question 21

Flaw with Full Packet Capturing?

Answer 21

Requires a lot of storage.

Question 22

What does Netflow Capture?

Answer 22

High level info - IP addresses and ports; timestamps; amount of data transferred.

Question 23

What devices capture Netflow data?

Answer 23

Routers and Firewalls

Question 24

2 Uses of Software Forensics

Answer 24

Intellectual Property & Malware Origin

Question 25

Embedded Devices

Answer 25

Special-purpose computers found inside smart devices found in homes, businesses, and industrial settings.

Question 26

What provides a paper trail for evidence?

Answer 26

Chain of Evidence OR Chain of Custody

Question 27

Evidence Log Events

Answer 27

• Initial Collection
• Transfer
• Storage
• Opening & Resealing the container

Question 28

Evidence Log Entry Details

Answer 28

• Investigator Name
• Date and Time
• Purpose
• Nature of Action

Question 29

3 Components to Incident Reporting

Answer 29

1. Notification
2. Real Time Updates
3. Documentation

Question 30

Who must the Federal Government notify of Cybersecurity incidents?

Answer 30

US-CERT

Question 31

What do Formal Incident Reports have?

Answer 31

Historical Documentation.

Question 32

3 Major Steps in the Electronic Discovery Process

Answer 32

1. Preservation - Litigation Hold & Suspending automatic deleting.
2. Collection - Documents on file servers, endpoint servers, email messages, enterprise systems.
3. Production - Documents provided to attorneys.

Question 33

Litigation Hold

Answer 33

Require the preservation of relevant electronic and paper records.

Question 34

Federal Law requires Businesses to report incidents to US-Cert?

Answer 34

No.

Question 35

During what phase of e-discovery does an organization share information with the other side?

Answer 35

Production

Question 36

Business Continuity Planning (BCP)

Answer 36

Set of controls designed to keep a business running in face of an adversity. Natural or man-made.

Question 37

Business Continuity Plan is part of what core security concept?

Answer 37

Availability.

Question 38

BCP Scope

Answer 38

Business activities
Systems
Controls

Question 39

Tool used for BCP to help make the scoping decisions?

Answer 39

BIA - Business Impact Assessment.

Question 40

BIA

Answer 40

Business Impact Assessment

Identifies and prioritizes risks.

Question 41

Business Continuity Controls

Answer 41

Goal is Redundancy

Question 42

Single Point of Failure Analysis

Answer 42

ID’s and removes SPOFs

Question 43

What addresses the SPOF at the web server?

Answer 43

Clustering

Question 44

What addresses the SPOF at the Firewall?

Answer 44

HA FW

Question 45

What addresses the SPOF at the Network Level?

Answer 45

Redundancy Controls.

Question 46

SPOF analysis continues until when?

Answer 46

Cost of addressing risk outweighs the benefit.

Question 47

Two Key Technical Concepts that improve the availability of Systems.

Answer 47

1. High Availability (HA)

2. Fault Tolerance (FT)

Question 48

HA

Answer 48

High Availability

Uses multiple systems to protect against service failure.

Question 49

FT

Answer 49

Fault Tolerance

Makes a single system resilient against technical failures.

Question 50

Difference between HA and FT

Answer 50

HA uses multiple systems to provide availability, whereas FT makes a single system more resilient.

Question 51

Load Balancing

Answer 51

Spreads demands across systems.

Question 52

Most common points of failure in a computer system

Answer 52

1. Power Supply

2. Storage Media

Question 53

RAID

Answer 53

Redundant Array of Inexpensive Disks

Fault Tolerance Technique!

Question 54

2 Technologies used in RAID?

Answer 54

Mirroring - RAID 1 - Stores the Data on two different disks

Stripping - RAID 5 - Uses 3 or more disks to store data and parity information

Question 55

RAID 1

Answer 55

Store the same Data on two different disks.

Disk Mirroring

Question 56

RAID 5

Answer 56

Uses 3 or more disks to store data and parity information.

Disk Striping

Question 57

Disk Mirroring Requires how many disks?

Answer 57

2 - RAID 1

Question 58

Dis Striping with Parity requires how many disks?

Answer 58

3 or more - RAID 5

Question 59

RAID - Backup or Fault Tolerance?

Answer 59

FT

Question 60

QoS

Answer 60

Quality of Service

Provides critical services with protected network capacity.

Question 61

Disaster Recovery?

Answer 61

Restore a business to normal operations as quickly as possible.

It’s a subset of Business Continuity.

Question 62

Initial Responses in a DR?

Answer 62

Contain the damage caused

Recover whatever capabilities may be immediately restored.

Include a variety of activities depending upon the nature of the disaster.

Question 63

Components of Disaster Communications

Answer 63

Initial activation of the DR Team

Regular status updates

Tactical Communications

Question 64

After the danger passes, the team does what?

Answer 64

Shifts to assessment mode.

Question 65

Goal of assessment mode?

Answer 65

Triage the damage and develop plan to recover.

Question 66

Two metrics used to plan DR efforts.

Answer 66

RTO & RPO

Question 67

RTO

Answer 67

RECOVERY TIME OBJECTIVE

Maximum amount of time that is should take to recover a service after a disaster.

Question 68

RPO

Answer 68

RECOVERY POINT OBJECTIVE

Maximum time period from which data may be lost in the wake of a disaster.

Question 69

Responders do what after developing a plan?

Answer 69

Restore services in an orderly fashion

Question 70

When are DR efforts completed?

Answer 70

When the business is operation normally in its primary facility.

Question 71

Backups

Answer 71

Provide a data ‘safety net’.

Question 72

Backup Media Types

Answer 72

Tape Backups
Disk-to-disk backups
Cloud backups

Question 73

3 Type of Primary Backup Types

Answer 73

Full Backups - Include complete copy

Differential - Include all data since full backup

Incremental - Include all data data since full or Differential backup

Question 74

Difference between Incremental and Differential Backup?

Answer 74

Incremental Backup includes all data since last full or Differential backup.

Differential is all data since last full backup.

Question 75

Joe performs a full backup every Sunday evening and differential backups every weekday evening. This system fails on Wednesday, What backups does he need?

Answer 75

1. Sunday’s Full Back (Base)

2. Wednesday’s Differential Backup

Question 76

Joe performs a full back every Sunday evening and incremental backups every weekday evening. His system fails on Friday morning. What backups does he need?

Answer 76

1. Sunday’s Full Back Up (Base)
2. Monday Incremental BU
3. Tuesday IBU
4. Wed IBU
5. THR IBU

Question 77

Pros and Cons of Incremental Backups

Answer 77

Use less space

Require greater recovery time

Question 78

Media Rotation Strategies definition

Answer 78

Allow reuse of backup media

Question 79

Common Media Rotation Strategy?

Answer 79

GFS (Grandfather-Father-Son) Rotation

Son = Think of days
Fathers = Think of Weeks
Grandfather = think of months

Question 80

How to validate/test backups?

Answer 80

Built-in Back Up Verification (Validates backup completion)

Regularly Test Backups

Question 81

Ways to regularly test backups?

Answer 81

Request a file restoration from a random, yet specific point of time.

Request the restoration of a server or an entire service.

Question 82

DR Facility Types

Answer 82

Hot Site, Warm Site, Cold Site.

Question 83

Difference between DR Facility Types.

Answer 83

Hot - Full operational with equipment and data

Warm - Stocked with equipment and data, but not maintained in a parallel fashion.

Cold - Empty Data Centers

Question 84

Term for transferring data backup offsite digitally

Answer 84

Electronic Vaulting

Question 85

Goals of DR Testing Goals

Answer 85

1. Validates that the plan functions correctly.

2. Identify necessary plan updates.

Question 86

Types of DR Testing

Answer 86

Read-through
Walk-through
Simulation
Parallel Test
Full Interruption Tests

Question 87

Read-Through

Answer 87

Type of DR Testing

Asks each member to review their role in the DR process and provide feedback.

Question 88

Walk - Through

Answer 88

Gathers the team together for a formal review of the DR plan.

Also known as a Table Top Exercise.

Question 89

Simulation

Answer 89

Uses practice scenario to test the DR Plan

Question 90

Parallel Test

Answer 90

Activates the DR Facility but do not switch operations there.

Question 91

Full Interruption

Answer 91

Activates the DR Facility and switches operations there.

Question 92

What disaster recovery metric provides the targets amount of time to restore a service after a failure?

Answer 92

RTO

Question 93

What type of backup includes only those files that have changed since the most recent full or incremental backup?

Answer 93

Incremental