Domain 7 Flashcards

1
Q

What is the information security lifecycle?

A

Note that the names of the phases are not important for the exam but the concepts of each are:

1) Planning
2) Provisioning
3) Operating
4) Decommissioning

You must own security from end to end, from inception to destruction.

2
Q

What is the planning phase of the IS lifecycle?

A

Security should always be considered prior to deployment.

Planning needs to account for security. It enables you to make risk-based decisions.

3
Q

What is the provisioning phase of the IS lifecycle?

A

This is concerned with preparing a user, service or system for active deployment. Provisioning ends with instantiation.

Examples: creating a new user, deploying a new system, developing a new application.

Security must be baked in at this level to ensure an initially secure deployment

Security baselines and configuration management are key

4
Q

What is baseline configuration?

A

Baseline configuration seeks to determine the required and necessary components of systems and software. Get rid of anything you do not need!

To build baseline security there are several goals:

  • determine a reasonably secure starting point for system configurations - identify what is necessary and what is not
  • establish a consistent configuration across the majority of systems
  • reduce the time to recover a deployed system

Do not start from scratch to determine baseline security and configurations - there are many free resources and guidance on this.

  • CIS
  • Microsoft
  • NIST SP 800-series publications
  • DISA STIGs
5
Q

What is configuration change monitoring?

A

Once you get a secure baseline, you want to make sure it does not change.

You MUST control changes to the baseline configuration.

  • You must have an approval process, and maybe even a change control board, so unauthorized changes don't occur
  • you must have controls and monitoring for security-relevant changes
6
Q

What is baseline monitoring?

A

Monitoring for key security-relevant changes. Make sure the organization continues to operate under correct assumptions about its security posture.

Must monitor our systems for configuration changes

7
Q

What is the operating phase of the IS lifecycle?

A

Follows secure provisioning and deployment:
- the lengthiest phase within the lifecycle is typically the deployed operational phase

Key activities include:

  • change management
  • patching and vulnerability management
  • security assessment
  • preventing and detecting security issues

You cannot set it and forget it with security. Even if you have good security steps in planning and provisioning, you must continue to monitor it

Operating includes on-going maintenance:
- change and patch management

You must also keep an active inventory of all assets so that you can continue to monitor them

  • inventory:
  • — don't use spreadsheet methods - too slow and incomplete
  • — need inventories to ensure we are aware of assets that need a hardened configuration and have a grasp on the software installed and its patching requirements
8
Q

What is host discovery?

A

Identify all hosts on our networks so we have them all in our inventory

  • do you know all your laptops, desktops, routers, switches, HVAC, printers, building automation, physical security devices, etc.

Active host discovery:

  • The most direct way to identify hosts is via active host discovery
  • from one node, we send a stimulus trying to elicit response from possible endpoints
  • examples are ping sweep of relevant IP address space

Passive host discovery:

  • if a system has no listener (so it answers no active stimulus), we can still detect it by sniffing traffic for unknown IP addresses or MAC addresses
  • can also identify the particular application for some systems that are generating traffic
  • we employ a sniffer and look for evidence of traffic indicative of systems
9
Q

What is software application tracking?

A

You also see all the old applications and software out there still being used.

Know the various endpoints and the applications they run. Most important is knowing about any vulnerable software they may be running.

This can be done through vulnerability scans.

10
Q

What is monitoring?

A

A SOC can do this; you can outsource most of it but not all. You can continuously monitor the state of the organization's systems, applications and users.

11
Q

What is a security assessment?

A

Routinely assessing security posture. This is an operational task that must be done continuously.

Discussed in detail in domain 6

12
Q

What is the decommissioning phase of the IS lifecycle?

A

Decommissioning - the process of removing an application, system, user or data from active production

  • systems - ensure no sensitive data persists
    • — wiping hard disks; formatting is not enough
    • — printers are systems too
  • users - ensure post-employment access is appropriate
    • — ensure the org's data is transferred to the right person
    • — ensure all user access ceases with their employment
  • data - ensure data past its retention date is appropriately removed/wiped from all locations
13
Q

What is cloud computing?

A

Cloud computing uses virtualization to provide highly available applications and servers

  • modeled after the electrical grid
  • based on network clouds
14
Q

What is elastic cloud computing?

A

Focuses on dynamically provisioning resources to cloud services - lowers friction by providing cloud resources dynamically. Instead of operating a service 24/7, a client may deploy a service as needed, from hours on up and then decommission the service when no longer needed.

Can also be used on-demand - e.g. rent a high volume web service for 8 hours

Organizations typically pay per unit not per virtual host

15
Q

What is IAAS, PAAS, and SAAS?

A
  • Infrastructure as a service (IAAS) - cloud-based virtual private servers such as a Linux server. You have full control of the OS, including root and admin. You install software, patch the kernel and upgrade the OS
  • Platform as a service (PAAS) - a server service, such as an Apache web server instance. Admins have control over the service configuration only and not the general OS. You could restart the web service but not reboot the entire system
  • Software as a service (SAAS) - a client service such as client email like Gmail - cloud-based application access like webmail
16
Q

What is provisioning and deprovisioning cloud servers?

A

1) Provisioning
- you can configure everything yourself or you can provision a preconfigured server with all required software already installed and configured.
- this offers time savings
- risk is misconfiguration, mistakes, security vulnerabilities

2) deprovisioning
- secure deprovisioning is essential
- how do you know whether virtual images are securely wiped? Do backups remain in the cloud? Have data remnants been securely deleted?
- contracts should spell out data retention and remanence policies

USE two-factor authentication for your cloud console.

17
Q

What are multi-tenant clouds?

A

Clouds that combine virtual machines from multiple organizations onto one physical host.

Single-tenant is when clouds dedicate host hardware to a specific organization.

In a multi-tenant cloud you may take on some of the risk of the other consumers' resources.

18
Q

What are clouds without borders?

A

Most clouds provide no geographic boundaries: infrastructure, platforms, software, and data may move freely across the world.

Must know your regulations and carefully consider them.

Where is your data in the world?

19
Q

What are details in a cloud contract?

A
  • SLA (establishes the contractual obligations that must be met to provide acceptable service; they must be measurable to determine compliance or noncompliance) - financial compensation if the vendor does not meet the SLA
    • — turnaround times
    • — average response times
    • — number of online users
    • — system utilization rates
    • — system up time
    • — volume of transactions
    • — production problems
  • Right to audit and pen test
  • ownership of data
  • termination agreement, including secure return and/or destruction of data and all copies
20
Q

What are the advantages and disadvantages of cloud?

A

Advantages:

  • no need to manage a data center to host equipment and software
  • preconfigured services may be quickly deployed
  • redundancy
  • speedy deployment times
  • lower cost
  • higher performance
  • easier scalability

Security Concerns:

  • outsourcing trust to the cloud provider
  • what if the cloud provider is compromised?
  • where is the data?
  • do you have the right to audit?
  • no longer have direct control over applications and data
21
Q

What is Change Management?

A

The process of ensuring that changes don't negatively impact the system.

Changes must be approved by the Change Control Board and documented in the change management database

Security should be considered when approving a change

Goals of change management:

  • ensure that changes don't negatively impact the security posture of the organization
  • notify stakeholders of upcoming changes
  • determine whether potential system security impacts are acceptable
  • document planned changes to allow for review
  • identify possible means to revert to the prior state should changes have unexpected negative impacts
22
Q

What is the change control board?

A

Group responsible for ensuring that changes happen in a manner that doesn't negatively impact the organization.

Helps in the management of change. Changes are proposed, presented, reviewed, approved and scheduled by the CCB.

Need for speed - need fast decision making

23
Q

What is the change control process?

A
  • Notification of the desire for change
  • Formally documenting change details (also document the failback plan should the change not proceed as expected)
  • determine an appropriate schedule for the change
  • making the change
  • reporting success, failure, and any relevant additional details regarding the change
  • uptime availability

Changes should be formally tested and a full report must be submitted to management with a summary of the change

24
Q

What is patch management?

A

A specific type of change: the routine updating of an OS and applications as vendor updates are released.

Should be done at least monthly if not faster.

Patch testing and deployment procedures are typically required. You need to find a balance between operational stability and uptime versus rapid patch deployment. There are risks in patching without testing as well as in not patching fast enough.

Patch Now = beyond critical - there is malware on the wire, go now! (do ASAP - within 2 days)

Critical = patch fast - about 2 weeks

25
Q

What is patch windows and testing?

A

A maintenance window for patch installations should be agreed upon in advance as routine patch releases are to be expected.

A process for accelerated patch deployment, in advance of a maintenance window, should be reviewed in case a time comes when a patch is so critical that waiting for a maintenance window introduces an unacceptable level of risk.

Patch testing considerations are not clear-cut. A risk-based decision must be made to determine the level of testing needed for an org.

Patch-rinse-repeat:

  • there is a never ending cycle of patching
  • patch identification
  • possible patch testing
  • patch deployment
  • patch verification - ensure that the patches have been successfully installed on all systems.
26
Q

What is vulnerability management?

A

Vulnerability scanning can provide a means outside of patch management solutions to answer if patches have been deployed and if any systems were missed.

Focus is to determine if a patchable flaw persists and enumerate known flaws

Goal is to pick up where scanning finishes and ensure prioritized remediation occurs in a timely fashion

27
Q

What is a firewall?

A

The perimeter firewall is likely the first security tool to be encountered on the ingress and the last security tool for egress.

Focus is to provide somewhat basic, but fast security screening before reaching a more capable firewall.

Primarily designed for filtering traffic coming from external networks and should only expose necessary services to the external network.

28
Q

What is default deny inbound?

A

It is a default deny rule for inbound traffic that is not explicitly allowed.

29
Q

What is additional layer 3 inbound filtering?

A

Firewalls should filter both inbound and outbound traffic. You can bolster the rule base with some additional prevention/detection outside of the implicit deny all function. You can do this through additional filters:

Source IP address filters:

  • blacklist source IP addresses that have historically been up to no good
  • blacklist bogus source IPs (RFC 1918 and bogon addresses, i.e. addresses that shouldn't appear on the internet, such as private addresses; traffic coming from the internet using a spoofed internal address)
  • blacklist regions based on geolocation

Destination IP address filters:
- unused public IPs allocated to your org.

30
Q

What are the four main types of firewalls?

A

1) Packet filtering
2) stateful
3) proxy
4) next generation firewalls

31
Q

What is a packet filtering firewall?

A

It is the most basic type of firewall. It is very fast but not very secure in protecting a network.

It works by examining each packet independently and determines whether it should pass or be dropped.

It has no idea what traffic came before. It only looks at the network protocol information in each packet to determine whether the packet should be dropped or allowed. The ACL has no memory of previous packets and does not decide based on the activity.

It has to make assumptions: since it cannot tell whether an inbound packet is a reply to a request that went out, reply traffic has to be allowed by a static rule.

They are faster because there is no state table lookup, but you wouldn't use one on its own today.

32
Q

What is stateful inspection firewall?

A

This firewall builds on top of packet filtering firewall and overcomes many of the limitations.

This firewall keeps a state table of the traffic it has seen on the network, so requests that went out are recorded in the state table. By keeping a state table, assumptions no longer have to be made when filtering or dropping packets.

The state table is used to determine whether a packet should pass or be dropped because it remembers if someone in the network asked for that packet or not.

This is more secure than packet filtering but it is slower and requires more resources to be used. State table lookup adds a split second delay.

33
Q

What is a proxy firewall?

A

A proxy firewall sits between two systems that are communicating. It creates two TCP connections for each request: it maintains one TCP connection with the client and one with the server. It is also known as an application proxy because it processes packets at all seven layers of the OSI model.

You connect to the proxy and it connects out. It is a strong control - it allows you to inspect the traffic and decide whether or not to initiate the outbound connection.

34
Q

What are the two types of proxy firewalls?

A

1) circuit level proxy firewall
- does not use application level proxy software
- develops a virtual connection between host and destination
- typically sits at the session layer
- SOCKS is the most common example. SOCKS is a circuit-level proxy server that is used to authenticate a client. It lets hosts connect through a firewall to an internal computer and lets internal computers connect to external networks. It replaces network system calls with SOCKS calls, so network utilities have to be “socksified” to operate
- operates as a proxy server
- SOCKS doesn't understand the language - it just proxies things along. It is less granular but more universal because it can proxy more things
- cannot understand the granularity of the content because it doesn't speak the language (e.g., doesn't know whether someone is on an explicit site or not - it just allows HTTPS)

2) application proxy firewall
- implemented on a computer by using proxy server software
- hides the origin of packet to the internet
- acts as intermediary and moves an accepted packet from one network to another network
- referred to as application layer gateway
- operates at layer 7
- laid the foundation for NGFW
- SQUID - application level
- can understand the granularity of what people are doing and the actual content - e.g., can stop explicit site usage and knows a variety of protocols including HTTP, SMTP and FTP

35
Q

What is a Next Generation Firewall (NGFW)?

A

Layer 7 content scanning. They are a great control and money well spent.

Need to scan layers 3, 4 and 7. IP addresses and ports in 3 and 4 but need to scan the actual data (layer 7). Is the data clean or dirty?

NGFW was built squarely with layer 7 in mind. It has application inspection capabilities. It exposes detailed understanding of client and web applications, not just IP addresses associated with a particular server/service.

They can understand and filter specific client-side application capabilities.

Best example - you want to block Facebook chat but you don't want to block all of Facebook. A stateful inspection (layer 3/4) firewall would have to block the whole site because it blocks based on IP address or port number. A NGFW can block particular content on the Facebook site, blocking only chat and allowing the other functions of Facebook. That is because it can dig deeper into the layer 7 content and filter specific capabilities.

**NGFW does not replace stateful inspection - they should be used together for ideal security.

36
Q

What is a bastion host?

A
  • exposed to the internet with nothing else (e.g., a firewall) protecting it
  • computer in the public area or a DMZ
  • exposed to attack from the internet
  • must have functions to protect itself
  • web, mail ftp servers can be considered bastion hosts.
37
Q

What are host-based firewalls?

A
  • Software that runs on the protected host
  • Additional defense in depth layer when combined with network firewalls
  • Examples:
    • — Windows Firewall
    • — iptables
    • — IPFilter
    • — Application firewall
    • — McAfee Personal Firewall
    • — ZoneAlarm

Should be used in addition to network firewalls

e.g., Symantec is software loaded on your laptop (the host) and acts as the firewall for that host

38
Q

What is an intrusion protection system (IPS)?

A

Like an IDS but tries to prevent.

  • It will look to block suspect traffic
  • A false positive on an IPS is a self-imposed DoS condition because it will be trying to drop traffic based on the payload and can cause service outages. The configuration must be tuned so that false positives do not occur

Can also filter Layer 7 application data

39
Q

What is malware detonation/sandboxing?

A

MDD (malware detonation devices) - called sandboxing in the CISSP.

Devices that put things that seem suspect into a box isolated to see what it does. MDD does this automatically. You render and execute files in a box before passing it on to the targets.

What are the capabilities?

  • bolster protection against malware from both an exploitation and a post-exploitation vantage. You run actual malware and see what it does, so you have to do this in a very safe place. A lot of the time malware will not detonate if it knows it's in a sandbox
  • Sandbox will attempt to rapidly open/execute suspicious files and render content to determine endpoint impact.
  • main emphasis is automatically trying to render or execute files before passing them on.
40
Q

What is application whitelisting?

A

It is the list of confirmed authorized or known good software and applications.

Anything beyond the known good list requires exception handling.

We allow a list of known good software that has been vetted and deemed approved. Anything beyond the list should be blocked or considered suspicious until handled.

You whitelist the application - not the file. The whitelist will not care if a spreadsheet has changed. It does not give confidentiality or integrity of data. It also doesn't help with malicious executables being written to a compromised system - it only becomes relevant when that malware tries to run. You can still copy malware to the system; it just won't run.

41
Q

What is antimalware and antivirus?

A

Endpoint security software that attempts to block malware and virus threats.

Antivirus focuses on worms and viruses

antimalware might bundle antivirus, antispyware, host IPS, application whitelisting

Do not set it and forget it

Just get it - most professionals complain and don't like it, but you should just get it

42
Q

What is an intrusion detection system (IDS)?

A

IDS is a passive system that sends alerts when malicious actions occur. It requires read-only access to a network.

Sits on network and sniffs traffic. It is a sniffer with rules that look for indication of an attack. It operates in two modes:

1) passive - sends alert but does not stop the attack
2) active - stops the attack, usually by sending resets

IDS events are classified as:

  • true positive - sets off an alert and it's a real attack
  • true negative - does not set off an alert and it is normal traffic
  • false positive - sets off an alert and it's normal traffic
  • false negative - does not set off an alert and it is an attack

Increase the true positives and true negatives.

Both IDS and IPS run in three modes:

  • signature matching
  • protocol behavior
  • anomaly identification
43
Q

What is signature matching?

A

This is a form of detection which alerts when specific patterns are recognized.

Looks for any evil pattern and alerts - it can only do this if it has seen the pattern in the past. If there is something brand new or custom, it won't work because it has never seen it.

It is a form of blacklisting

It is prone to false positives and tends to fail against:

  • new or custom malware attack techniques
  • polymorphic malware - changes as it spreads
  • encrypted traffic
44
Q

What is protocol behavior?

A

Alert on malicious traffic that is not following modeled protocol behavior.
Example:
- model expected protocol usage for TCP as SYN -> SYN/ACK -> ACK. Alert when you receive non-standard protocol usage such as SYN/FIN or SYN/RST

This is prone to false positives with complex protocols, nonstandard implementations and changing protocol use

45
Q

What is anomaly detection?

A

Models expected behavior and ignores it. It alerts on anomalous behavior.

The anomaly could be a new application, a new user or just a statistically significant change in behavior, but it will be alerted on.

Prone to false positives when behavior changes and often difficult to understand cause of the alerts.

It is best used on small, well designed networks and in specific high risk cases. It has earned a poor reputation based on poor design and deployments.

In learning mode it learns the normal behaviors; once switched to alert mode it alerts on anything outside what it learned.

46
Q

What are honeypots and honeynets?

A

System meant to be compromised. Meant to draw live fire from actual systems to fake ones or to do research on malware and attacks.

Let something malicious in. It provides a system for which no business need exists. They are deployed with no direct business need for interaction and the intent is primarily to serve as a trap for adversaries that mean to cause harm. Any interactions with it are suspect.

Primary focus is public facing honeypots. They are publicly accessible and masquerade as legitimate servers offering public services.

A more valuable approach would be to deploy internal honeypots.

Risks - if you misconfigure your honeypot it can attack other companies or PCs, or it can open up a door to your actual network

47
Q

What is a SIEM (security information and event management system)?

A

A SIEM is deployed to deal with the volume and analysis of security relevant data generated in various cyber defense mechanisms.

The issue comes when you shovel in too many events and play a quantity vs. quality game.

You can't just shovel the data in; you need to analyze it. Have you tuned the dashboard?

48
Q

Why is monitoring so important?

A

It is not enough to just gather relevant network and log data. You need to also review logs to truly understand security posture.

SIEM and IDS are key monitoring tools.

System event logs, web server logs, firewall and proxy logs, and many others can provide key insights and should be monitored by the SIEM

49
Q

User monitoring considerations

A

If you monitor someone - it has to be fair.

Electronic monitoring:

  • must be applied consistently and uniformly
  • should be conducted in a lawful manner

Email monitoring:
- user should be informed

state that there is no guarantee of email privacy

Must be fair and evenly applied. You have to make sure everyone is treated equally

50
Q

What are audit/event logs?

A

Logs are critical to investigations

  • not just system logs from compromised devices
  • most organizations don't log enough
  • attackers will often clear out or alter the logs of compromised systems
  • SIM/SIEM/SEM make logs usable
  • logging levels typically need to be increased, in addition to being centralized**
51
Q

What are audit trails?

A

Audit trails:

  • must be reviewed regularly ** a strong answer when the exam asks for the most important item, because it is part of a process - the exam loves processes. Any answer that speaks to process is a good answer - it may not be right, but if it's 50/50 go with the process answer
  • must be part of a routine
  • ease task with use of tools
  • ensure tool works properly
  • records history
  • provides accountability
  • indicates abnormal behavior

If it's not centralized or not part of a routine, it is not recommended

52
Q

What should be in an audit trail?

A

Transaction information logged:

  • individual conducting transactions
  • date
  • time
  • location used to process the transaction
  • information should be protected to preserve its integrity
  • in a breach, audit information must be available
53
Q

What is the importance of audit log backup?

A

No log, no audit

  • central logging - prevent users from covering their tracks
  • make sure you use an NTP server

Maintain a centralized backup copy of your logs. It is critically important to monitoring. You must be able to ensure the logs have not been modified, deleted or altered in order to consider them reliable.

Implement a centralized logging host to which a copy of all logs is sent. This server must be very secure.

All systems must also use a reliable and accurate time source. This will ease log correlation to reconstruct the events that took place.

**When the question is about coordinated universal time (UTC), NTP is the best answer - you want NTP; no daylight saving time issues, etc.

54
Q

What is incident response?

A

The process of dealing with security incidents.

  • Not a matter of if incident response will be employed, but when
  • Stakes are high, highly stressful, mistakes can be very costly, but inaction is very costly as well
55
Q

How do you prepare for incidents?

A

Critical decisions must be made before incidents can be effectively handled:

  • Will the org pursue legal action?
  • what action is incident response authorized to take without approval?
  • Will the org attempt to understand the root cause of the issue or just reimage/revert?
  • are the incident responders authorized to allow attackers to persist to gain intelligence?

Templates should be built for data gathering and general guidelines. This ensures the incident is appropriately documented and makes mistakes less likely.

56
Q

What are the varying types of incidents?

A

Types of security incidents vary. However, some types are common enough to warrant specific mention. Some are internal, others external.

The goal is to understand the ramifications of specific incident types to prepare for them in advance.

Keep in mind, for any incident that results in employee termination, ensure proper evidence is maintained to be able to defend the action in a wrongful dismissal lawsuit.

57
Q

Incident response - criminal actions

A

Your org could be involved in criminal proceedings in different fashions

  • could be victims of a crime
  • network could be used to perpetrate crime
  • org could be accused of criminal actions
  • ***proper handling of evidence is key
  • burden of proof is “beyond a shadow of a doubt” - solid integrity measures around evidence collection and handling are necessary

All evidence collected and handled by incident responders must employ solid integrity measures such as chain of custody, integrity checksums and detailed incident response journals

58
Q

Incident response - privacy policy violations

A

Citizen privacy is typically not considered as sacrosanct in the US as it is in other parts of the world
- however, internal privacy policy and privacy law violations can certainly occur

The org could be charged with having violated privacy policy, or individuals within the org could have abused a person's right to privacy.

59
Q

Incident response - external attacker

A

The most commonly considered threat source is an external attacker - appreciate that attribution (determining the actual source) is very difficult

  • Detailed logs can be provided to the offending IP address's ISP
  • Consider not just the attacking IP address, but also the IP addresses of drop locations if data was exfiltrated
  • Also appreciate pivoting, which turns the external attacker into an internal attacker

Logs:

  • key logs are perimeter facing devices logs; NAT logs; all systems that might have connected to all offending IP addresses
  • consider internal logs if pivoting seems likely
  • review historical logs associated with offending IP addresses to determine if the attack could have possibly been detected earlier
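
Worked example, added here and not part of the original flashcards: the log review above run over a few constructed log lines. The IP addresses, hosts, timestamps and the "time src dst action" line layout are assumptions made for the illustration, not any product's real log format.

```python
"""Added example (not from the flashcards): triaging logs for an external attacker.

Works through the log review the card describes: which internal systems talked to
the offending addresses (attacker and drop site), whether those addresses appear in
historical logs from before detection, and which hosts an attacker could have
reached by pivoting. Log lines, addresses and the "time src dst action" layout
are constructed for this example and are not any product's real format.
"""
from datetime import datetime

# Constructed perimeter/NAT log: "<ISO time> <src> <dst> <action>"
PERIMETER_LOG = """\
2024-03-01T08:02:11 203.0.113.7 10.0.0.5 allow
2024-03-03T22:15:40 203.0.113.7 10.0.0.5 allow
2024-03-03T22:16:02 10.0.0.5 198.51.100.9 allow
2024-03-04T09:30:00 192.0.2.44 10.0.0.8 deny
"""

# Constructed internal (east-west) log in the same layout
INTERNAL_LOG = """\
2024-03-03T22:20:13 10.0.0.5 10.0.0.12 allow
2024-03-03T22:21:50 10.0.0.12 10.0.0.20 allow
2024-03-03T22:22:05 10.0.0.12 10.0.0.30 deny
2024-03-04T10:00:00 10.0.0.8 10.0.0.20 allow
"""

ATTACKER_IPS = {"203.0.113.7"}                 # from the alert (constructed)
DROP_SITES = {"198.51.100.9"}                  # exfiltration destination in the alert (constructed)
DETECTED_AT = datetime(2024, 3, 3, 22, 10)     # when the incident was first noticed (constructed)


def parse(log: str) -> list:
    """Turn raw lines into (time, src, dst, action) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, action = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, action))
    return rows


def touched_hosts(rows: list, addresses: set) -> set:
    """Internal systems that exchanged any traffic (allowed or denied) with the given addresses."""
    hosts = set()
    for _, src, dst, _ in rows:
        if src in addresses:
            hosts.add(dst)
        elif dst in addresses:
            hosts.add(src)
    return hosts


def earlier_contact(rows: list, addresses: set, detected_at: datetime) -> list:
    """Historical entries involving the offending addresses from before detection:
    evidence that the attack could have been caught sooner."""
    return [r for r in rows
            if (r[1] in addresses or r[2] in addresses) and r[0] < detected_at]


def pivot_reach(internal_rows: list, seeds: set) -> set:
    """Walk allowed internal connections outward from the compromised hosts in time
    order; every destination reached is a pivot candidate to examine."""
    reached = set(seeds)
    for _, src, dst, action in sorted(internal_rows):
        if action == "allow" and src in reached:
            reached.add(dst)
    return reached


def triage() -> dict:
    """Run the full review over the constructed logs."""
    perimeter = parse(PERIMETER_LOG)
    internal = parse(INTERNAL_LOG)
    first_hop = touched_hosts(perimeter, ATTACKER_IPS)
    return {
        "hosts_in_contact": touched_hosts(perimeter, ATTACKER_IPS | DROP_SITES),
        "missed_earlier": earlier_contact(perimeter, ATTACKER_IPS, DETECTED_AT),
        "pivot_candidates": pivot_reach(internal, first_hop) - first_hop,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The three checks map onto the three log bullets: hosts that touched the attacker or drop-site addresses, contact recorded before the incident was noticed (the "could it have been detected earlier" question), and internal hosts reachable by pivoting from the first compromised system. Denied connections still count as contact for the first check, since a blocked probe is itself a lead.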
60
Q

Incident response - internal attacker

A

Can be an actual internal employee or a pivoted outsider - this shouldn't change your incident response too much

  • internal log sources are vital - unfortunately, they are less likely to exist than external ones, e.g., host-based system logs and internal network device logs
  • most security infrastructures are designed with external attack in mind - internal systems attacking other internal systems are less likely to be detected and prevented
61
Q

What is the Incident Handling Process and steps?

A

1) Preparation
2) Detection
3) Response
4) Mitigation
5) Reporting
6) Recovery
7) Remediation
8) Lessons Learned

62
Q

What are the details of the PREPARATIONS stage of IR?

A

Planning is everything. Preparation plays a key role.

Have a policy in place that covers the org's approach to dealing with an incident, including the intra-organization approach and the inter-organization approach (how it will work with other companies on an incident)

The plan should cover:

  • whether the company is going to notify law enforcement agencies or run silently
  • whether the company is going to contain and clean up an incident or watch and learn

IR team needs to have management support and buy in.

Select team members who are team players, can work in a team environment under stress, think solutions through, and do not make rash decisions

Key Items:

  • update disaster recovery plan
  • compensate team members*
  • provide checklists and procedures
  • have emergency communications plan
  • escrow passwords and encryption keys
  • provide training
  • have a jump bag with everything you need to handle an incident
63
Q

What are the details of the DETECTION stage of IR?

A
  • This is where you attempt to detect malicious activity
  • Be willing to alert early, but do not jump to conclusions - look at all the facts. Don't be afraid to alert even if you might be wrong, but be mindful of what you are alerting on.
  • Make sure to notify the correct people
  • Use the help desk to track trouble tickets and the problem.
  • Assign a primary handler - handles communication

Determine whether an event is an incident -

  • event: any measurable occurrence on a system (user logged in, change to a file, etc.)
  • incident: a malicious event (unauthorized login to an administrative account, installing a rootkit on a system)
  • Use SMART - specific, measurable, achievable, realistic, timely

Once you identify that an event is actually an incident, take the steps to build a criminal or civil case if appropriate. Immediately identify possible witnesses and evidence.

At this point, you must decide whether to involve law enforcement or not - senior management must be involved in this decision unless you have a detailed policy to follow.

When you validate that it is an incident, you also make the "contain and clean" or "watch and learn" decision. Always make a clean binary backup of the system before you start making any modifications.

64
Q

What are the details of the RESPONSE stage of IR? (also known as containment)

A

This is the phase where you stabilize the situation and stop the malware from spreading. Incident handlers begin interacting with the affected systems, attempting to stabilize them and prevent things from getting worse. First secure the area. Then make backups. Decide whether to pull the systems off the network or disconnect the entire network from the internet. Also change all passwords that may have been compromised during the attack.

Handlers are responsible for meeting the expectations of the prudent person rule. The company will be held liable for what they do or don't do. They will be considered negligent if they fail to meet the standard of care expected of a person of ordinary prudence. You must act with due care.

  • Secure the data
  • an incident handler should not make things worse (liability and negligence)
  • Make a forensic backup
    • — both disk and ideally RAM
    • — More details are discussed in the upcoming forensics section
  • Pull the system off the network or power it off (powering off destroys volatile evidence, so capture RAM first when you need it)
    • — different circumstances may lead to different response/containment activities
    • — One size does not fit all
65
Q

What are the details of the MITIGATION stage of IR?

A

Now you "heal" the patient. This is the phase where incident handlers heal the system by removing malicious artifacts. Fix the problem before putting the system back online. Remove the malware entirely.

Identify the cause of the incident and the vector of infection, and act to prevent it from happening again.

Improve your defenses and security.

66
Q

What are the details of the REPORTING stage of IR?

A

Reporting occurs throughout the incident handling process and must begin immediately upon detection.

There are two areas of focus:

  • technical: handlers report the technical details of the incident as they work through the handling process, while keeping enough bandwidth to also notify management of serious incidents
  • non-technical: notify non-technical stakeholders like business and mission owners

Formal reporting begins right before the recovery phase

67
Q

What are the details of the RECOVERY stage of IR?

A

Start to restore backups during this phase:

  • make sure you do not restore compromised code from your backups
  • Validate the system after you have restored and get the owners of the machine to sign that it is back to full operation and ensure the system is working before leaving the scene
  • Decide when to restore operations - this should be made by the system owner.
  • Monitor the systems - make sure the attacker does not come back in
68
Q

What are the details of the REMEDIATION stage of IR?

A

This step begins during the mitigation phase, where vulnerabilities within the impacted system or systems are addressed. Remediation continues after that and becomes broader.

Remediation occurs in phases - during the incident, immediately after it, and as longer-term improvements

Example of short-term vs. long-term remediation: changing the passwords of affected users vs. reconfiguring systems to use two-factor authentication

69
Q

What are the details of the Lessons Learned stage of IR?

A

Develop a report which is written by the on-site handler but has consensus from everyone involved.

Conduct a lessons learned meeting

Send recommendations to management

Conduct a follow-up meeting for process improvement and to avoid this happening again in the future. The purpose is to improve security operations and posture in light of the incident.

How can the org:

  • detect the incident faster
  • prevent elements of the attack from being successful
  • respond more quickly and completely

Root-cause analysis will help inform the answers

Lessons learned should feed directly back into preparation for the next incident.

70
Q

What is investigations and forensics?

A

It is an investigation process that should be driven together with a lawyer. A policy guiding forensics tasks should be established in advance of its being needed.

Key considerations are:

  • will forensic analysis be performed after a potential compromise
  • will it be performed in house?
  • will the goal be root cause analysis or prosecution / civil litigation?

Incident handling focuses on what happened and on preventing it from happening again

Forensics goes deeper than incident handling. It focuses heavily on artifacts and evidence through detailed and thorough analysis, carries a greater expectation that the legal system could be involved at some point, and presumes that a violation or offense might have been committed

71
Q

How do you determine which type of investigation needs to be conducted?

A

Look at the following possible impacts:

  • internal/operational?
  • regulatory implications?
  • possible criminal matter?
  • likely civil proceeding?

This helps set the expectations to be met and the needs to be addressed

Always maintain integrity of information and evidence

72
Q

How do you determine if you need to disclose an incident?

A
  • industry
  • public safety
  • shareholder implications
  • regulatory compliance (HIPAA)
  • data breach
73
Q

How do you perform forensic collection?

A
  • Data should be collected in a forensically sound manner
  • attempt to avoid making any unnecessary changes to the system before / during evidence collection
  • evidence should be acquired according to its volatility (highly volatile data such as RAM should be acquired before hard disks)
  • Data collection should use binary (bit-for-bit) backups
  • Additionally, hashing algorithms can be used during acquisition and afterwards to provide assurance of the integrity of the images acquired. MD5 and SHA-1 are the examples usually given, but neither is collision resistant any more, so prefer SHA-256 or stronger for new work
  • Analysis is performed on copies of the forensic images, never on the original

Before making any changes to the system you must make a binary backup. This captures all files on the system, including deleted files whose contents remain on the hard drive. Then hash (and ideally digitally sign) the backup so you can prove its integrity. Then make another copy and analyze the copy of the copy for forensics.

74
Q

What are the various types of evidence?

A
  • Physical or real - relevant physical objects
  • Testimony:
    • — direct - testimony from a firsthand witness of the legal matter being considered
    • — circumstantial - testimony from a firsthand witness of circumstances related to the legal matter under consideration
    • — expert - opinion/interpretation by someone deemed an expert by the court due to education, training or experience
  • documentary
  • corroborating - supports evidence already conveyed
75
Q

What are the rules of evidence?

A

Best evidence - where possible, courts prefer the best possible version of evidence (original vs. copy)

Secondary evidence - copies or descriptions rather than the original

Hearsay - this is secondhand evidence, as opposed to direct evidence.

- --- generally inadmissible, although specific exceptions exist
- --- by default, most computer-generated data is considered hearsay
- --- Federal Rule of Evidence 803(6) includes an exception for records kept in the regular course of business

Disk / memory images are not treated as hearsay - they are considered duplicates of real evidence under Rule 1001

76
Q

What is the chain of custody?

A

Authenticity and integrity of evidence should not be questionable.

This details how evidence was obtained and how it was managed after gathering. When evidence is used in court, you have to show that you properly preserved that evidence to minimize the chance that it was modified or tampered with in any way. Must be able to account for who touched evidence and when and how it was preserved.

Hashing algorithms help with integrity but do not speak to authenticity

A provable chain of custody speaks to integrity and authenticity :

  • document time, location and manner of collection
  • specify the individual responsible for control of the evidence
  • where possible, employ tamper-resistant evidence storage
  • attestation - responsible parties sign or initial to signify their agreement with their stated role regarding the evidence
  • ensure entire chain of evidence control could be reviewed
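
Worked example, added here and not part of the original flashcards, covering both the hashing step from the forensic collection card and the chain-of-custody record from this card. The image bytes, handler names, locations and timestamps are constructed; SHA-256 is used instead of the MD5/SHA-1 mentioned earlier because neither of those is collision resistant any more.

```python
"""Added example (not from the flashcards): hashing an acquired image and keeping a
chain-of-custody record.

Assumptions: the image bytes, handler names, locations and timestamps below are
constructed; SHA-256 stands in for the MD5/SHA-1 the cards mention because those
are no longer collision resistant.
"""
import hashlib
from datetime import datetime, timezone

SAMPLE_IMAGE = b"\x00constructed disk image\x00" * 4            # stand-in for a dd image (constructed)
T_ACQUIRED = datetime(2024, 3, 3, 23, 5, tzinfo=timezone.utc)   # constructed
T_TRANSFER = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)    # constructed


def image_hash(data: bytes) -> str:
    """Integrity value recorded at acquisition and re-checked on every copy."""
    return hashlib.sha256(data).hexdigest()


def initials(name: str) -> str:
    """Handlers initial each entry to signify agreement with their stated role."""
    return "".join(part[0] for part in name.split()).upper()


def acquire(data: bytes, collector: str, location: str, method: str, when: datetime) -> dict:
    """Hash the image first, then open the custody log with the acquisition entry
    (time, location, manner of collection, responsible individual)."""
    return {
        "sha256": image_hash(data),
        "custody": [{
            "time": when,
            "handler": collector,
            "location": location,
            "action": "acquired: " + method,
            "initials": initials(collector),
        }],
    }


def transfer(record: dict, from_handler: str, to_handler: str, location: str, when: datetime) -> None:
    """Log a hand-off. Only the current custodian may transfer, and time must move forward,
    otherwise the chain has a gap a court could question."""
    last = record["custody"][-1]
    if last["handler"] != from_handler:
        raise ValueError(f"{from_handler} is not the current custodian ({last['handler']})")
    if when < last["time"]:
        raise ValueError("transfer time precedes the previous custody entry")
    record["custody"].append({
        "time": when,
        "handler": to_handler,
        "location": location,
        "action": "received from " + from_handler,
        "initials": initials(to_handler),
    })


def verify_copy(record: dict, copy_data: bytes) -> bool:
    """A working copy is only usable for analysis if its hash matches the acquisition hash."""
    return image_hash(copy_data) == record["sha256"]


def custody_chain(record: dict) -> list:
    """Human-readable chain for review: who had it, when, where, and their initials."""
    return [f"{e['time'].isoformat()} {e['handler']} ({e['initials']}) @ {e['location']}: {e['action']}"
            for e in record["custody"]]


def build_sample_record() -> dict:
    """Acquisition by one handler, then a logged hand-off to a second (constructed)."""
    rec = acquire(SAMPLE_IMAGE, "Alice Smith", "server room A", "dd via write blocker", T_ACQUIRED)
    transfer(rec, "Alice Smith", "Bob Jones", "evidence locker 2", T_TRANSFER)
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    print(verify_copy(rec, bytes(SAMPLE_IMAGE)), verify_copy(rec, SAMPLE_IMAGE + b"\x01"))
    print("\n".join(custody_chain(rec)))
```

The hash answers "is this copy identical to what was acquired"; the custody entries answer "who had it, when, and where". Neither replaces the other, which is why the record carries both, and why a transfer from anyone other than the current custodian is rejected rather than silently logged.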
77
Q

How do you determine reliability of evidence?

A

Must make sure the evidence is reliable and accurate. Where possible, hashing algorithms, chain of custody, and preservation of original evidence should be applied

Evidence must also be relevant to the case.

78
Q

What is a search and seizure?

A

You may need to seize a computer or obtain a warrant to investigate something further.

  • subpoena - issued by the court to an individual; compels testimony or the production of records
  • search warrant - issued to law enforcement
  • the warrant should specify the computer system
  • the warrant should specify the computer's role in the offense
79
Q

What is discovery?

A

Discovery is the process by which evidence is disclosed and exchanged - This is when the defense is given access to all of the evidence and is allowed to gather their own evidence and ask questions of witnesses. You must make evidence available to the defense. You cannot have surprises with new evidence.

80
Q

What are ediscovery issues?

A
  • Electronic data requested by opposing counsel
  • must not be destroyed or inaccessible
  • if the enterprise is supposed to have it, it must be provided to defense
  • must be provided on a timely basis
  • if an enterprise does not have robust content management, these issues can be serious
  • failure to provide the data in the expected manner and timeline can result in significant fees and fines
81
Q

What is electronic inventory?

A

To fully support ediscovery, the org must be able to quickly identify all relevant data (e.g., emails, IMs, etc.)

82
Q

What is asset control?

A

Tracking and inventories of physical devices

  • This is the physical side of electronic inventory
  • physical backup media serving as the sole source of data being placed on a legal hold illustrates the importance of asset control
83
Q

What are data retention and ownership policies?

A

Need to know how long specific types of data should be retained by the org

Where data is assigned to a custodian, that person must be able to produce it; failing to do so can result in fines

84
Q

What is RAID? Redundant Array of Inexpensive Disks (RAID)

A

RAID does one of two things but not necessarily both: it can make things faster and it can make things redundant.

RAID can help availability and reliability, but some levels (RAID 0) actually reduce reliability, because a single disk failure takes out the whole array.

RAID is a method used to provide fault tolerance if one of the hard drives in your system fails. It protects only against a hard drive failure, not failures in any other hardware component, and it is not a backup - a deleted or corrupted file is faithfully mirrored or striped.

85
Q

What is RAID 0?

A

RAID 0 provides better performance but ZERO fault tolerance. This is referred to as striping. There is no redundancy or protection of your data.

It treats multiple disks as one large disk. Data is striped across the disks, which increases read and write performance and maximizes the usable space (every disk holds data, none is spent on redundancy), but there is no protection against data loss.

If you lose one disk you are in BIG trouble, because every file is spread across all of the disks. It is like a shredded piece of paper: alternate shreds go on disk A and disk B

86
Q

What is RAID 1?

A

RAID 1 is also called mirroring because this level mirrors data from each disk to another.

1:1 mirror - not a performance feature (every write goes to both disks), though reads can be served from either copy.

It creates a duplicate copy of your data across two disks. It is a one-to-one relationship between active disks and backup disks. If you have three disks that you want to implement RAID 1 on, you need a total of 6 disks to do this.

Requires double the number of disk storage that would normally be required for housing the data without redundancy

This protects data and enables redundancy - drive failure means the system will leverage the mirror of the failed disk

87
Q

What is RAID 2?

A

Not used in the real world - not used today - legacy - exam probably wont ask about them

Wanted redundant data without paying the 1:1 cost of mirroring and without a single point of failure

This provides protection of data by interleaving the data at the bit level across multiple disks. It is not a general method of protecting your data, however, but a specific method that requires a set number of disks across the system.

You need specifically 39 disks - 32 for storage and 7 for error correction (recovery of the data)

Uses a Hamming code to handle error checking and recovery and operates at the bit level (not as efficient as other methods)

88
Q

What is RAID 3 and 4?

A

not used today - legacy - exam probably wont ask about them

They operate and protect the data in a similar manner. The data is striped across several drives, and a dedicated parity drive provides fault tolerance. They do not require a set number of drives. Because every write also updates the single parity drive, that drive becomes the bottleneck - the main reason RAID 5 replaced them.

**RAID 3 - byte-level striping with a dedicated parity drive

**RAID 4 - block-level striping with a dedicated parity drive

89
Q

What is RAID 5?

A

Most common

Operates at the block level. Called distributed (interleaved) parity. Does not use dedicated drives for data and a dedicated drive for parity; it interleaves both data and parity information across all of the drives at the block level. Survives the loss of any one drive; while the array rebuilds, a second failure loses the data, which is the gap RAID 6 closes.

Flexible and somewhat more complex than the previous RAID levels.
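
Worked example, added here and not part of the original flashcards: block-level striping with rotating parity as in RAID 5, next to a plain RAID 0 stripe set for contrast with the earlier card. Block size, disk count and the data are constructed; a real controller also handles rebuild ordering and the write hole, which are out of scope.

```python
"""Added example (not from the flashcards): block-level striping with distributed
parity, as in RAID 5, beside a RAID 0 stripe set.

Parity for a stripe is the XOR of its data blocks, and the parity block rotates
to a different disk each stripe, so any one missing block (data or parity) can be
recomputed from the rest. Block size, disk count and the data are constructed.
"""

BLOCK = 4  # bytes per block, constructed for the example


def xor_blocks(blocks: list) -> bytes:
    """XOR equal-length blocks together (this is the parity operation)."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def _blocks(data: bytes, per_stripe: int) -> list:
    """Pad to whole stripes and cut into BLOCK-sized pieces."""
    pad = (-len(data)) % (BLOCK * per_stripe)
    data = data + b"\x00" * pad
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def raid0_write(data: bytes, disks: int) -> list:
    """RAID 0: block i goes to disk i % disks, no parity anywhere."""
    blocks = _blocks(data, disks)
    return [blocks[d::disks] for d in range(disks)]


def raid0_read(layout: list, length: int, failed=None):
    """Without parity a failed disk simply leaves holes; return None to signal loss."""
    if failed is not None:
        return None
    out = bytearray()
    for s in range(len(layout[0])):
        for d in range(len(layout)):
            out += layout[d][s]
    return bytes(out[:length])


def parity_disk(stripe_no: int, disks: int) -> int:
    """Rotate parity: last disk for stripe 0, then one disk to the left each stripe."""
    return (disks - 1 - stripe_no) % disks


def raid5_write(data: bytes, disks: int) -> list:
    """Each stripe holds disks-1 data blocks plus one parity block on a rotating disk."""
    n_data = disks - 1
    blocks = _blocks(data, n_data)
    layout = [[] for _ in range(disks)]
    for s in range(len(blocks) // n_data):
        stripe = blocks[s * n_data:(s + 1) * n_data]
        p = parity_disk(s, disks)
        data_iter = iter(stripe)
        for d in range(disks):
            layout[d].append(xor_blocks(stripe) if d == p else next(data_iter))
    return layout


def raid5_read(layout: list, length: int, failed=None) -> bytes:
    """Reassemble the data; if `failed` names a disk, rebuild each of its blocks
    from the surviving blocks of the same stripe."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        row = [None if d == failed else layout[d][s] for d in range(disks)]
        if failed is not None:
            row[failed] = xor_blocks([b for b in row if b is not None])
        p = parity_disk(s, disks)
        for d in range(disks):
            if d != p:
                out += row[d]
    return bytes(out[:length])


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    r5 = raid5_write(msg, 4)
    print(all(raid5_read(r5, len(msg), failed=f) == msg for f in range(4)))
    print(raid0_read(raid0_write(msg, 4), len(msg), failed=1))
```

With four disks the RAID 5 layout spends one block per stripe on parity (25% overhead) and survives the loss of any single disk, including the one holding that stripe's parity; the RAID 0 layout uses every block for data and loses everything when any disk fails. Losing two disks in RAID 5 leaves a stripe with two unknowns and one XOR equation, which is why a second failure during rebuild is fatal.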

90
Q

What is RAID 6?

A

Referred to as double distributed parity: it stripes data across the disks at the block level like RAID 5, but adds a second, independently computed set of distributed parity information. By doubling the parity, additional redundancy is achieved.

Allows for recovery from two drive failures.

91
Q

What are the characteristics of RAID 0-6?

A

0 - striped set, no redundancy
1 - mirrored set, fully redundant
2 - obsolete, bit interleaved, hamming code
3 - dedicated parity, byte level striping
4 - dedicated parity, block level striping
5 - distributed parity, block level striping
6 - double distributed parity, block level striping

92
Q

What is server clustering?

A

Allows the management of multiple servers to present as one system to clients or services leveraging them.

Load sharing can occur across the members (active/active), as opposed to a simple active/passive failover pair.

Consists of a group of servers that present as a single system. The server cluster can achieve more resiliency than an individual server while also providing more scalability. The cluster acts as a single entity and balances the traffic load to improve performance.

Increased availability and scalability.

93
Q

What are examples of data redundancy:

A

1) Electronic vaulting: batch process - transmitting data in bulk through communication lines to storage on a remote server
2) Remote journaling - transmitting data (typically transaction journals) in real time or near real time to backup storage at a remote location
3) Database shadowing: active/passive type setup. Provides a more robust backup by storing duplicate data on multiple remote storage devices
4) Disk duplexing - RAID with the disk controller duplicated as well; if one controller fails, the other continues operating

94
Q

What is a full backup?

A

Complete backup of everything each time it runs - ideally every day, but at least once a week.

Makes a complete backup of every file on the server every time it is run.

Restoring requires only one backup set (the most recent full)

Full backups set the file archive bits to zero - the file system sets the archive bit to one when files are created or changed (indicates backup is required)

95
Q

What is an incremental backup?

A

Backs up files that have been created or modified since the last full or incremental backup.

Only the data that has changed since the last backup is backed up.

If your system crashes, you need the last full backup and all the incremental backups since.

This backs up the least amount of data each day, but it requires the most tapes to restore, and a failure of any one tape in the chain breaks the restore. Used if backup time and space are at a premium.

96
Q

What is a differential backup?

A

It is a cross between a full and an incremental.

It backs up all data that has changed since the last full backup.

Does not reset the archive bit, so each differential grows until the next full backup.

Restore from the most recent full and the most recent differential - two sets, regardless of how many days have passed.
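
Worked example, added here and not part of the original flashcards: a simulation of the archive-bit behaviour described in the full, incremental and differential cards. File names, contents and the daily change schedule are constructed.

```python
"""Added example (not from the flashcards): how the archive bit drives full,
incremental and differential backups.

Simulates a file system where creating or changing a file sets its archive bit,
runs a constructed week of changes under each strategy, and shows how many files
each backup captures and which backup sets a restore needs. File names, contents
and the change schedule are constructed.
"""


class FileSystem:
    """name -> (content, archive_bit). The bit means 'changed since it was last cleared'."""

    def __init__(self):
        self.files = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = (content, True)   # create or modify sets the archive bit

    def flagged(self) -> dict:
        return {n: c for n, (c, bit) in self.files.items() if bit}

    def clear_bits(self, names) -> None:
        for n in names:
            content, _ = self.files[n]
            self.files[n] = (content, False)

    def contents(self) -> dict:
        return {n: c for n, (c, _) in self.files.items()}


def full_backup(fs: FileSystem) -> dict:
    """Copies every file and resets every archive bit."""
    snap = fs.contents()
    fs.clear_bits(snap)
    return {"type": "full", "files": snap}


def incremental_backup(fs: FileSystem) -> dict:
    """Copies files changed since the last full OR incremental, then clears their bits."""
    snap = fs.flagged()
    fs.clear_bits(snap)
    return {"type": "incremental", "files": snap}


def differential_backup(fs: FileSystem) -> dict:
    """Copies everything changed since the last full; leaves the bits set, so each
    differential grows until the next full."""
    return {"type": "differential", "files": fs.flagged()}


def restore_set(history: list) -> list:
    """Backups needed for a restore: the last full, then every incremental after it,
    or just the newest differential after it (one strategy at a time is assumed)."""
    last_full = max(i for i, b in enumerate(history) if b["type"] == "full")
    later = history[last_full + 1:]
    incs = [b for b in later if b["type"] == "incremental"]
    diffs = [b for b in later if b["type"] == "differential"]
    return [history[last_full]] + (incs if incs else diffs[-1:])


def restore(backups: list) -> dict:
    """Apply the chosen backups oldest to newest; later copies overwrite earlier ones."""
    state = {}
    for b in backups:
        state.update(b["files"])
    return state


def simulate(strategy) -> tuple:
    """Day 0: three files and a full backup. Days 1-3: constructed changes, then one
    `strategy` backup per day. Returns (history, filesystem)."""
    fs = FileSystem()
    for name in ("a", "b", "c"):
        fs.write(name, name + "0")
    history = [full_backup(fs)]
    schedule = [("a",), ("b",), ("a", "c")]        # constructed daily changes
    for day, names in enumerate(schedule, start=1):
        for n in names:
            fs.write(n, n + str(day))
        history.append(strategy(fs))
    return history, fs


if __name__ == "__main__":
    for strat in (incremental_backup, differential_backup):
        hist, fs = simulate(strat)
        print(strat.__name__, [len(b["files"]) for b in hist],
              "restore needs", len(restore_set(hist)), "sets")
```

Run it and the trade-off on the cards shows up in the numbers: the incremental week writes 1, 1 and 2 files but needs four sets to restore, while the differential week writes 1, 2 and 3 files (each one a superset of the last) and needs only the full plus the newest differential. Both restores produce the same final file contents.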

97
Q

What is business continuity planning?

A

Plan to avoid irreparable loss of mission critical operations - the primary goal is to ensure that the business remains viable even in the face of disasters

98
Q

What is the continuity of operations plan?

A

A recovery term focused on restoring mission critical functions in the event they are impacted.

  • — subset of BCP
  • — typically considers use of alternate facility / location that can be used in the event that the primary location is unavailable for restoration

The goal is to be able to recover critical functions rapidly. also includes potential contingent operations lasting for 30+ days if needed

99
Q

What is a disaster recovery plan? (DRP)

A

Plan that provides detailed steps to restore critical information systems and data

  • — focused on the information systems and data that are identified as mission critical in the BCP
  • — subset of BCP

DRP is short term focused and BCP is long term focused

100
Q

BCP vs. DRP

A

DRP:

  • provides a response to disruption
  • short time span of activities
  • when a disaster strikes, all normal business activities are heavily modified, reduced or completely suspended. Only critical business processes resume and usually at an alternate site

BCP:

  • implements the recovery
  • long term and pervasive activities
  • As repairs are completed, normal business activities resume as the BCP dictates.
  • a broad, ongoing plan with sub-plans - you work on the BCP every day
101
Q

What is the goal of risk analysis in BCP?

A

Assess risk associated with people, processes and technology to ensure that the organization is operating with an acceptable level of risk

Main components of risk analysis include:

  • threat identification/assessment
  • vulnerability identification/assessment
  • impact assessment
  • approaches to risk mitigation

Focus on the business and its risks so that a disaster can be recovered from, and make sure that anything that needs to be redundant is backed up

102
Q

What is the threat and vulnerability assessment checklist?

A

1) identify all natural threats relevant to your business
2) identify all man made threats relevant to your business
3) identify all IT and tech based threats relevant to your business
4) identify all environmental/infrastructure threats relevant to your business
5) for each threat, identify threat sources
6) for each threat source, identify the likelihood of occurrence
7) based on likelihood of occurrence, assess company’s vulnerability to each threat source
8) based on likelihood and vulnerability, prioritize list of threats to company

103
Q

What is the business impact analysis?

A

1) business function priorities
2) time frame for recovery
3) resource requirements

**Determine the maximum allowable downtime / maximum tolerable downtime

determine mission critical business processes and the impact associated with disruption of these services

primary focus is the disruption of availability and to determine the impact and effect of an outage over a period of time.

Impact informs requirements regarding recovery times

This builds upon the risk analysis and is focused on key business functions to determine time-based recovery requirements

vulnerability assessment is a sub-set

104
Q

What is maximum tolerable downtime?

A

Total amount of time a process can be non-functional before there is critical financial or operational impact.

Basis for determining recovery resource requirements.

Ask the business, not IT.

Short MTD - the more expensive the plan
Longer MTD - the less expensive the plan

105
Q

What is the Recovery Time Objective? (RTO)

A

MTD is based upon the business impact of services being disrupted - this can be calculated without considering the supporting IT systems and infrastructure.

RTO is a measure of how long it takes to recover the necessary hardware and software - when the system will be available to begin processing recovery work, before being put back into normal production mode.

RTO cannot be longer than the MTD - it is how soon you can get the servers back online

106
Q

What is the work recovery time? (WRT)

A

Downtime/service disruption/outage must be kept below the threshold of the defined MTD

  • downtime includes more than just the amount of time it takes to get hardware/software up and operational (RTO)
  • it must also take into account restoring operational data from backup and re-processing data generated during the disruption

WRT is the amount of time it takes to recover the data to the point where normal operation can resume

MTD = RTO + WRT

107
Q

What is the recovery point objective? (RPO)

A

How much data loss is acceptable for a given business function?
- not lost from a data breach perspective but lost operationally

This will dictate the approaches to backup and resiliency for business functions as needed. For example, if backups are done weekly, is it acceptable to possibly lose a week's worth of data?

108
Q

What are the keys to building a BCP?

A

1) Never do it alone
2) get C level support

You must involve senior management and they must approve the final plan.

Teams are essential. There is a lot of paperwork and the more complex the business, the more help you need.

109
Q

What are the possible members of a BCP team

A

1) Business unit managers
2) IT and security staff
3) Human resources
4) Payroll - big in determining and driving MTD
5) Physical plant manager
6) Office Managers

You will have an executive team (executive managers responsible for recovering critical functions), a management team (people in the command center who manage, control and guide the recovery) and a response team (executing the recovery)

110
Q

What are some site recovery strategies?

A
  • No strategy - DO NOT DO THIS - bad answer on the exam
  • self-service - attempt to handle the disruption within current facilities
  • reciprocal agreements - agreement with another entity to help one another during a disruption. It assumes both entities are not impacted simultaneously
  • Alternate sites: hot, warm, cold, hybrid and mobile
111
Q

What are alternate sites?

A

Hot Site: fully equipped and running 24/7. Good for functions that cannot tolerate much downtime. Not instant, but you can cut over quickly; there would still be a short disruption and it is not seamless to the user.

Warm Site: pre-equipped but not necessarily ready to go. For business processes that can tolerate a few hours of downtime. Apps and servers exist but there is no current data - you need to restore data.

Cold Site: an empty facility that the company must equip in the event of a disruption. Could take days or longer to set up - an empty room with electricity available but no computers. Provision it as fast as you can get hardware in.

Hybrid Site: combination of hot, warm and cold. An example is hot plus cold: immediate failover to the hot site, and for long-term disasters, eventual failover to a cold site

Multiple processing sites: multiple internal processing locations, geographically dispersed, that assist in the backup and recovery of vital company data (aka mirror sites). An active-active cluster of sites performing transactions for you; with three sites, each can do the work of the other two, so if one goes down you still have two. This is the fastest and most expensive option - instant and seamless to the user. People work at these sites every day.

Mobile Site: close to a hot site but not quite - an "office on wheels" (a data center in a trailer) that can be located conveniently near the company. It can only meet a 12- to 72-hour response time, depending on the proximity of the service provider who delivers the mobile facility.

Reciprocal: a formalized agreement between two business entities to facilitate recovery after a disaster, such as temporary office space and use of the other company's resources to resume operations.

Highest speed is multiple processing sites

112
Q

How do you test your BCP?

A

The types of testing are:

  • read through, checklist or consistency testing
    • — simply reviewing the BCP to ensure all areas are covered. Least expensive and least valuable
  • structured walkthrough or validity testing
    • — team members step through the plan looking for errors or false assumptions. Walk through one generic outage scenario and talk it through: "OK, the power is out, what happens?"
  • simulation or tabletop
    • — walkthrough test that involves specific mock-up scenarios: a mock-up of an actual emergency where team members respond as if it were occurring. You may stand up recovery locations and enable communications links, but do not actually restore backups. You go through many different specific scenarios and examples
  • parallel
    • — recovery to an alternate site with main site still active. You do actual recovery to an alternate computing facility while normal operations are still maintained at the primary location
  • full interruption
    • — actual failover to the alternate computing facility
113
Q

What is possibly including in training for BCP?

A

How to operate the alternate site
How to start emergency power
How to restore from backup

Training is very important for executing BCP

114
Q

During a disaster always evacuate! SAFETY is NUMBER 1!

A

Physical security and safety of people must be maintained.

Safety is #1

Personnel safety, authorized access, equipment protection, information protection, availability

Train everyone on evacuation

  • post where to go
  • practice where to go
  • have a meeting point

You should always have a:

  • safety warden - checks the premises for employees and clears the area. Last one out.
  • meeting point leader - gets to the meeting point and begins the process of accounting for all employees. Should be the first out, as rapidly as possible
  • employee - know how to react and their roles and responsibilities

Travel safety and duress warning systems

  • track and issue travel warnings
  • warnings should be consulted and heeded before traveling to foreign countries
  • give alerts if there is severe weather, threat of violence, chemical contamination