Domain 7 Flashcards

1
Q

Intelligence in Threat Modeling
User and Entity Behavior Analytics

A

Entity behavior (users, hosts, service accounts) is collected and fed into a behavioral model

  • Model establishes a baseline of normal behavior for each entity
  • Deviations from the baseline are scored, which enables analysis to uncover more details around anomalous events
  • Automated investigation also exists in some platforms
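The baseline-then-deviation idea above, as an added example that is not part of the flashcard deck and not the code of any UEBA product. Everything in it is constructed for illustration: the event shape (user, hour of day, bytes sent out), the training history, the z-score threshold and the minimum sample count. Real platforms use richer features and models, but the mechanics are the same: learn what is normal per entity, then score how far a new event sits from it.

```python
"""Added example: minimal UEBA-style per-entity baseline and anomaly scoring.
All events, thresholds and names are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt

Z_THRESHOLD = 3.0   # hypothetical cutoff; tune per environment
MIN_SAMPLES = 5     # do not trust a baseline built from fewer events than this
FEATURES = ("hour", "bytes_out")


@dataclass(frozen=True)
class Event:
    user: str
    hour: int        # hour of day the session started (0-23)
    bytes_out: int   # bytes sent outbound during the session


@dataclass
class Baseline:
    n: int
    mean: dict   # feature name -> mean
    std: dict    # feature name -> standard deviation


def build_baselines(history):
    """Per-user mean and standard deviation of each feature."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev.user].append(ev)
    baselines = {}
    for user, evs in by_user.items():
        mean, std = {}, {}
        for f in FEATURES:
            vals = [getattr(e, f) for e in evs]
            m = sum(vals) / len(vals)
            var = sum((v - m) ** 2 for v in vals) / len(vals)
            mean[f], std[f] = m, sqrt(var)
        baselines[user] = Baseline(len(evs), mean, std)
    return baselines


def score(ev, baselines):
    """Return (is_anomalous, reasons). Entities with no usable baseline are
    flagged too: a brand-new account behaving oddly is exactly what UEBA
    should surface, and an analyst decides whether it is benign."""
    b = baselines.get(ev.user)
    if b is None or b.n < MIN_SAMPLES:
        return True, ["no baseline for entity"]
    reasons = []
    for f in FEATURES:
        sd = b.std[f] or 1.0   # constant feature: any change counts at unit scale
        z = (getattr(ev, f) - b.mean[f]) / sd
        if abs(z) > Z_THRESHOLD:
            reasons.append(f"{f} z={z:+.1f}")
    return bool(reasons), reasons


def flag_anomalies(events, baselines):
    """Events worth an analyst's attention, with the reason each was flagged."""
    flagged = []
    for ev in events:
        is_anom, reasons = score(ev, baselines)
        if is_anom:
            flagged.append((ev, reasons))
    return flagged


# Constructed training history: alice works office hours, ~1 MB out per session.
HISTORY = [Event("alice", h, b) for h, b in
           [(8, 1_200_000), (9, 1_000_000), (9, 1_100_000),
            (10, 900_000), (8, 1_300_000), (9, 1_000_000)]]
BASELINES = build_baselines(HISTORY)

# Constructed events to score: a normal session, a 03:00 session pushing 50 MB
# out, and an account with no history at all.
NEW_EVENTS = [Event("alice", 9, 1_050_000),
              Event("alice", 3, 50_000_000),
              Event("svc-backup", 3, 2_000_000)]

if __name__ == "__main__":
    for ev, reasons in flag_anomalies(NEW_EVENTS, BASELINES):
        print(ev, reasons)
```

Note the two failure modes handled: a feature whose history is constant (standard deviation zero) would otherwise divide by zero, and an entity with no history has nothing to compare against, so it is surfaced rather than silently scored as normal.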
2
Q

Intelligence in Threat Modeling
Threat Intelligence

A

Threat feeds

Org learns about changes in the threat landscape

Often a feed of indicators (malicious entities) ingested by cybersecurity tools such as a SIEM, firewall, or EDR
- A single feed may be composed of many sources, including open source
- Entity = IP address, domain/website, threat actor, file hash, and more
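How a tool ingests such a feed and matches it against logs, as an added example that is not part of the flashcard deck and not any vendor's code. The feed format (type,value,source per line), the indicator values and the log lines are all constructed. Two practitioner details are built in: indicators published "defanged" (hxxp://, 203[.]0[.]113[.]45) are refanged before use, and the same indicator reported by several sources is merged so that a hit lists every source that reported it.

```python
"""Added example: ingest a small multi-source indicator feed and match it
against log lines. Feed contents and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

FEED = """\
# type,value,source   (constructed sample; not a real feed)
ip,203.0.113.45,osint-list-a
ip,203[.]0[.]113[.]45,vendor-b
domain,evil-updates[.]example,osint-list-a
domain,EVIL-updates.example,vendor-b
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,vendor-b
url,hxxp://evil-updates[.]example/payload.bin,osint-list-a
ip,not-an-address,vendor-b
"""

LOG_LINES = [  # constructed proxy and EDR events
    "2024-05-01T10:00:01Z proxy client=10.0.0.7 dst=203.0.113.45 "
    "host=evil-updates.example url=http://evil-updates.example/payload.bin",
    "2024-05-01T10:00:05Z edr host=ws-12 file=update.exe "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-01T10:01:00Z proxy client=10.0.0.8 dst=198.51.100.9 "
    "host=www.example.org url=http://www.example.org/",
]


def refang(value):
    """Undo common defanging so the indicator can be compared to live data."""
    return (value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def parse_feed(text):
    """Map (type, normalized value) -> set of sources that reported it.
    Malformed lines and invalid IPs are skipped rather than poisoning the set."""
    indicators = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            itype, value, source = (p.strip() for p in line.split(",", 2))
            value = refang(value)
            if itype == "ip":
                value = str(ipaddress.ip_address(value))  # validates, canonical form
            elif itype in ("domain", "sha256"):
                value = value.lower()
        except ValueError:
            continue
        indicators[(itype, value)].add(source)
    return dict(indicators)


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX64_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
KV_RE = re.compile(r"(\w+)=(\S+)")


def candidates(line):
    """Pull every value out of a log line that could be an indicator."""
    found = {("ip", ip) for ip in IP_RE.findall(line)}
    found |= {("sha256", h.lower()) for h in HEX64_RE.findall(line)}
    fields = dict(KV_RE.findall(line))
    if "host" in fields:
        found.add(("domain", fields["host"].lower()))
    if "url" in fields:
        found.add(("url", fields["url"]))
    return found


def scan(lines, indicators):
    """Return [(line, [(type, value, sources), ...])] for lines with a hit."""
    results = []
    for line in lines:
        hits = [(t, v, sorted(indicators[(t, v)]))
                for t, v in sorted(candidates(line)) if (t, v) in indicators]
        if hits:
            results.append((line, hits))
    return results


INDICATORS = parse_feed(FEED)

if __name__ == "__main__":
    for line, hits in scan(LOG_LINES, INDICATORS):
        print(line)
        for itype, value, sources in hits:
            print(f"   {itype}: {value}  (reported by {', '.join(sources)})")
```

The first log line hits on three indicator types at once (destination IP, host and URL), the second on a file hash recorded in a different letter case than the feed, and the third on nothing; the invalid feed entry is dropped during parsing.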

3
Q

Service Level Agreement

A

Stipulates performance expectations, such as maximum downtime, and often includes penalties if the vendor doesn't meet those expectations

  • generally used with vendors
4
Q

Secure provisioning

A

Ensure resources are deployed in a secure manner and maintained securely throughout their lifecycles

Ex) deploy a PC from a secure, hardened image

5
Q

Virtual Assets

A
  • VMs
  • Virtual Desktop Infrastructure (VDI) - compute
  • Software Defined Networks (SDN) - network
  • Virtual Storage Area Networks (VSAN) - storage

Hypervisors are the primary component that manages virtual assets, but they also give attackers an additional target: a compromised hypervisor exposes every guest it hosts
- Both hypervisors and VMs need to be patched

6
Q

Configuration & Change Management
Configuration Management

A

Ensures that systems are configured similarly, and that the config is known and documented

Baselining ensures systems are deployed from a common starting point (ex: imaging); later deviations from the baseline can then be detected
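What "config is known and documented" buys you in practice is the ability to check a live system against the baseline, shown here as an added example that is not part of the flashcard deck and not any configuration-management product's code. The baseline values and the sshd_config excerpt are constructed. Two sshd details are modelled because they trip up naive checkers: keywords are case-insensitive and the first occurrence of a keyword wins, and a keyword that is absent falls back to the daemon's compiled-in default, which may not be what the baseline requires, so "missing" is reported as drift rather than silently passed.

```python
"""Added example: compare an sshd_config against a documented baseline and
report drift. Baseline and config contents are constructed."""
import re

# Hypothetical documented baseline (keyword -> required value).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config excerpt from a host that has drifted since imaging.
SAMPLE_CONFIG = """\
# Generated by provisioning, then edited by hand
Port 22
permitrootlogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 4
"""


def parse_sshd_config(text):
    """Return {keyword(lowercased): value} using sshd's first-match rule.
    Parsing stops at the first Match block: everything after it applies only
    when the Match criteria hold, so it cannot be judged against a global
    baseline without knowing the connection context."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key Value" or "Key=Value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins, as in sshd
    return settings


def check_drift(current, baseline):
    """Return {keyword: (actual, required)} for every baseline item not met."""
    drift = {}
    for key, required in baseline.items():
        actual = current.get(key.lower())
        if actual is None:
            drift[key] = ("<missing: compiled-in default applies>", required)
        elif actual.lower() != required.lower():
            drift[key] = (actual, required)
    return drift


DRIFT = check_drift(parse_sshd_config(SAMPLE_CONFIG), BASELINE)

if __name__ == "__main__":
    for key, (actual, required) in DRIFT.items():
        print(f"DRIFT {key}: is {actual!r}, baseline requires {required!r}")
```

On the sample config this reports PermitRootLogin (yes vs no), PasswordAuthentication (commented out, so the default applies) and MaxAuthTries (the first value, 6, is the one sshd honours; the later 4 is ignored).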

7
Q

Managing Incident Response (7 Steps)

A
  1. Detection - Monitoring tools, IDS/IPS, firewalls, user reports
  2. Response - Triage and the decision to declare (is it really an incident?); activate the IR team and begin limiting damage
  3. Mitigation - First containment effort: contain the incident (isolate systems, block traffic)
  4. Reporting - To relevant stakeholders so management can make decisions
  5. Recovery - Return to normal operations
  6. Remediation - Root cause addressed; includes root cause analysis
  7. Lessons Learned - Review what happened; helps prevent recurrence

DRMRRRL

8
Q

Espionage

A

External
When a competitor tries to steal information; they may use an internal employee to do it

9
Q

Sabotage

A

Internal

Malicious insiders can perform sabotage against an org if they become disgruntled

10
Q

Zero-Day Exploit

A

Brand new vulns

An attack that uses a vulnerability that is either unknown to anyone but the attacker or known only to a limited group of people, so no patch exists yet

  • Basic security practices (hardening, least privilege, defense in depth) can often still prevent or limit the attack
11
Q

Sampling

A

Extracting elements from a large body of data to make a meaningful summary

12
Q

Statistical Sampling

A

Using precise mathematical functions to extract meaningful info from a large amount of data

13
Q

Clipping

A

A form of non-statistical sampling that records only events that exceed a threshold (the clipping level); for example, logging a user's failed logins only once they exceed five in a short period
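A clipping level applied to SSH authentication failures, as an added example that is not part of the flashcard deck and not any product's logic. The log lines are constructed in OpenSSH's "Failed password" format, and the clipping level and window are invented; real values come from policy. Each user's failures are kept in a sliding window, nothing is recorded while the count stays at or below the clipping level, and one alert is emitted at the moment the count first exceeds it.

```python
"""Added example: clipping-level alerting on SSH authentication failures.
Log lines, threshold and window are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CLIPPING_LEVEL = 5               # hypothetical: more than 5 failures ...
WINDOW = timedelta(minutes=10)   # ... within 10 minutes is worth recording

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)")

AUTH_LOG = """\
2024-05-01T10:00:01Z sshd[311]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2024-05-01T10:00:10Z sshd[312]: Failed password for bob from 198.51.100.7 port 40002 ssh2
2024-05-01T10:00:20Z sshd[313]: Failed password for bob from 198.51.100.7 port 40003 ssh2
2024-05-01T10:00:30Z sshd[314]: Failed password for bob from 198.51.100.7 port 40004 ssh2
2024-05-01T10:00:40Z sshd[315]: Failed password for bob from 198.51.100.7 port 40005 ssh2
2024-05-01T10:00:50Z sshd[316]: Failed password for bob from 198.51.100.7 port 40006 ssh2
2024-05-01T10:01:00Z sshd[317]: Failed password for alice from 10.0.0.5 port 50001 ssh2
2024-05-01T10:01:30Z sshd[318]: Failed password for alice from 10.0.0.5 port 50002 ssh2
2024-05-01T10:01:45Z sshd[319]: Accepted password for alice from 10.0.0.5 port 50003 ssh2
2024-05-01T10:02:00Z sshd[320]: Failed password for invalid user admin from 203.0.113.9 port 1 ssh2
2024-05-01T10:05:00Z sshd[321]: Failed password for carol from 10.0.0.9 port 60001 ssh2
2024-05-01T10:09:00Z sshd[322]: Failed password for carol from 10.0.0.9 port 60002 ssh2
2024-05-01T10:13:00Z sshd[323]: Failed password for carol from 10.0.0.9 port 60003 ssh2
2024-05-01T10:17:00Z sshd[324]: Failed password for carol from 10.0.0.9 port 60004 ssh2
2024-05-01T10:21:00Z sshd[325]: Failed password for carol from 10.0.0.9 port 60005 ssh2
2024-05-01T10:25:00Z sshd[326]: Failed password for carol from 10.0.0.9 port 60006 ssh2
2024-05-01T10:29:00Z sshd[327]: Failed password for carol from 10.0.0.9 port 60007 ssh2
"""


def clipped_alerts(lines):
    """Return one alert per user each time their failures inside WINDOW
    first exceed CLIPPING_LEVEL. Events below the level are not recorded."""
    recent = defaultdict(deque)   # user -> timestamps of failures inside WINDOW
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue   # successes and unrelated events are never sampled
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures that aged out of the window
            q.popleft()
        if len(q) == CLIPPING_LEVEL + 1:   # the crossing, not every failure after it
            alerts.append({"user": m["user"], "at": m["ts"],
                           "failures": len(q), "last_src": m["src"]})
    return alerts


if __name__ == "__main__":
    for alert in clipped_alerts(AUTH_LOG.splitlines()):
        print(alert)
```

Only bob trips the level (six failures in under a minute). Carol fails seven times in total, which a plain count would flag, but never more than three land inside any 10-minute window, so clipping records nothing for her; that is the point of a clipping level: it trades completeness for signal.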

14
Q

Security Audits and Reviews

A

Helps ensure management programs are effective and being followed

  • deters and detects violations
  • can also oversee programs and processes

Includes:
- Patch management
- Vuln management
- Change management
- Config management

15
Q

Auditing
(You know what this is but some important notes)

A

Serves as a primary type of detective control

  • Frequency is based on risk
  • Key element for demonstrating due care
  • Only people with sufficient privilege should have access to audit logs (they reveal what is monitored and may contain sensitive data)
16
Q

Access Review

A

Ensures object access and account mngmt practices support the security policy

17
Q

User Entitlement Audit

A

Ensures principle of least privilege is followed

18
Q

Categories of Computer Crimes (6 types)

A
  • Military and Intelligence
  • Business
  • Financial
  • Terrorist
  • Grudge
  • Thrill
19
Q

Electronic Discovery (eDiscovery)

A

Organizations expecting lawsuit have a duty to preserve digital evidence

Process includes:
- Info ID and Governance
- Preservation and collection
- Processing, review, analysis
- Production / Presentation

  • Often uses tagging/classification to target specific custodians
20
Q

Gathering Info in Investigations
Possession

A

You must have possession of the equipment, software, or data to analyze it and use it as evidence

21
Q

Gathering Info in Investigations
Modification

A

You must acquire the evidence without modifying it (hash the original and the copy, and work from verified copies)

  • Law enforcement establishes a chain of custody (chain of evidence) to document everyone who handled it, and when
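The acquire-without-modifying rule and the custody record, as an added example that is not part of the flashcard deck and not any forensic tool's code. Hashing the original before the copy and the copy afterwards shows that the acquisition did not alter the data; the custody record (a JSON line naming the item, hash, size, custodian and time) is what a chain of custody is built from. The file contents, paths and custodian name are constructed; a real acquisition of a disk would image the device behind a write blocker rather than copy a file.

```python
"""Added example: acquire a file as evidence, verify the copy, record custody,
and prove later that the copy is unchanged. All inputs are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """Streamed SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src, dest_dir, custodian, custody_log):
    """Copy src into dest_dir, verify the copy, make it read-only and append a
    custody record. Raises if the copy does not match the original."""
    before = sha256_of(src)
    dest = os.path.join(dest_dir, os.path.basename(src) + ".acquired")
    shutil.copyfile(src, dest)
    after = sha256_of(dest)
    if after != before:
        os.remove(dest)
        raise RuntimeError("copy hash differs from original; acquisition aborted")
    os.chmod(dest, 0o444)   # analysts work on further copies, never on this one
    record = {
        "item": os.path.basename(src),
        "copy": dest,
        "sha256": after,
        "size": os.path.getsize(dest),
        "custodian": custodian,       # hypothetical name
        "action": "acquired",
        "time_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(custody_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify(record):
    """True if the acquired copy still exists and hashes to the recorded value."""
    return (os.path.isfile(record["copy"])
            and sha256_of(record["copy"]) == record["sha256"])


def demo():
    """Acquire a constructed evidence file, verify it, tamper with the copy,
    and show the verification now fails. Returns (ok_before, ok_after)."""
    work = tempfile.mkdtemp(prefix="evidence-")
    original = os.path.join(work, "suspect-notes.txt")
    with open(original, "wb") as f:
        f.write(b"constructed evidence content\n")   # not real case data
    record = acquire(original, work, "J. Analyst (hypothetical)",
                     os.path.join(work, "custody.jsonl"))
    ok_before = verify(record)
    os.chmod(record["copy"], 0o644)   # simulate someone defeating the read-only bit
    with open(record["copy"], "ab") as f:
        f.write(b"edited\n")
    ok_after = verify(record)
    shutil.rmtree(work)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())   # expected: (True, False)
```

The read-only bit is a convenience, not a control: anyone with write access to the directory can clear it, which is why the recorded hash, not the permission, is what proves integrity in court.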
22
Q

Alternatives to Confiscating Evidence (3 types)

A
  1. Voluntary surrender
  2. Subpoena - Used to compel the subject to surrender evidence
  3. Search Warrant - Most useful when you need to confiscate evidence without giving the subject the chance to alter or destroy it
23
Q

Retaining Investigation Data

A

You will lose valuable evidence unless you ensure critical log files are retained for a reasonable period of time

  • You can retain log files and system status info either in place or in archives
  • Data retention periods should be defined in security policies
24
Q

Evidence Types
Best

A

Original

NOTE:
Evidence must be relevant, complete, sufficient and reliable

25
Q

Evidence Types
Secondary Evidence

A

Copy

26
Q

Evidence Types
Direct

A

Proves or disproves an act based on a witness's own five senses (what they saw or heard themselves)

27
Q

Evidence Types
Conclusive

A

Incontrovertible, overrides all other types

28
Q

Evidence Types
Circumstantial

A

Inference from other info

29
Q

Evidence Types
Corroborative

A

Supporting evidence but cannot stand on its own

30
Q

Evidence Types
Opinions

A

Expert and non expert

31
Q

Evidence Types
Hearsay

A

Not based on first hand knowledge

32
Q

3 Types of evidence that may be used in a criminal or civil trial

A
  1. Real evidence - actual objects brought into the courtroom
  2. Documentary evidence - Written documents
  3. Testimonial Evidence - verbal / written statements made by witnesses
33
Q

3 Requirements for evidence to be admissible in a court of law

A
  1. Must be relevant to a fact at issue in the case
  2. The fact must be material to the case
  3. Evidence must be competent or legally collected
  • Evidence is competent if it complies with certain traditional notions of reliability
34
Q

Recovery Site Types
COLD

A

Just data center space, power, and network connectivity that's ready and waiting for when you need it

  • If disaster happens, support teams can help move your hardware into the data center and get you back up and running
  • Cost = LOW
  • Effort = HIGH (longest recovery time)
35
Q

Recovery Site Types
WARM

A

Partially equipped site that allows you to pre-install your hardware and pre-configure your bandwidth needs

  • If disaster strikes, all you have to do is load your software and restore your data to bring business systems back
  • Cost = MID
  • Effort = MID
36
Q

Recovery Site Types
HOT

A

Proactive site allows you to keep servers and a live backup site up and running

  • Allows for an immediate cutover in case of a disaster at primary site.
  • Cost = HIGH
  • Effort = LOW
37
Q

Recovery Site Types
Service Bureau

A

A company that leases computer time
- Larger server farms or fields of workstations
- May be on-site or remote

38
Q

Recovery Site Types
Mobile Site

A

Typically self-contained trailers or moveable units

39
Q

Recovery Point Objective (RPO)

A

The age of the files that must be recovered from backup storage for normal operations to resume if a system or network goes down; in effect, the maximum acceptable data loss measured in time, which drives how often backups are taken

40
Q

Recovery Time Objective (RTO)

A

The duration of time and a service level within which a business process must be restored after a disruption; must be shorter than the MTD

41
Q

Mutual Assistance Agreements (MAAs)
(Pros and Cons)

A

Pros:
- Provide inexpensive alternative to disaster recovery sites

Cons:
- Orgs involved may be shut down by the same disaster, and MAAs raise confidentiality concerns

  • MAAs are uncommon because they are difficult to enforce
42
Q

More BCP Definitions
Business Resumption Plan (BRP)

A

Plan to move from the disaster recovery site back to business environment

43
Q

More BCP Definitions
Mean Time Between Failures (MTBF)

A

Average expected time a piece of IT infrastructure will continue to work before it fails

44
Q

More BCP Definitions
Mean Time to Repair (MTTR)

A

How long it will take to get a piece of hardware / software repaired and back on line

45
Q

More BCP Definitions
Max Tolerable Downtime (MTD)

A

Maximum amount of time we can be without an asset BEFORE we must declare a disaster (i.e., before the outage causes unacceptable harm to the business)

46
Q

Disaster Recovery Plan Test Types
Read-through Test

A

Distribute copies of disaster recovery plans to the members of the disaster recovery team for review

47
Q

Disaster Recovery Plan Test Types
Structured Walk-through

A

AKA Table-top exercise

Members of recovery team meet and role-play disaster scenario

  • Usually exact scenario is only known to the test monitor
48
Q

Disaster Recovery Plan Test Types
Simulation Test

A

Similar to walk through but some of the response measures are actually tested

49
Q

Disaster Recovery Plan Test Types
Parallel Test

A

Relocating personnel to the alternative recovery site and implementing site activation procedures while the primary site keeps operating

  • Practice disaster recovery at the alt site without interrupting production
50
Q

Disaster Recovery Plan Test Types
Full Interruption Test

A

Actually shutting down operations at the primary site and shifting them to the alt site

51
Q

DR Related Terms
Recovery Team

A

Gets the critical business functions running at alt site

52
Q

DR Related Terms
Salvage Team

A

Used to return the primary site to normal conditions

53
Q

Backup Strategies
Electronic Vaulting

A

Used to transfer DB backups to a remote site as part of a periodic bulk transfer

54
Q

Backup Strategies
Remote Journaling

A

Transmitting only the journal / transaction logs to the off-site facility and not the actual files

55
Q

Backup Strategies
Remote Mirroring

A

Live DB Server is maintained at the backup site

  • Most advanced and most expensive