Domain 7 Flashcards

Question

What is patch windows and testing?

Answer 1

A maintenance window for patch installations should be agreed upon in advance as routine patch releases are to be expected. A process for accelerated patch deployment, in advance of a maintenance window, should be reviewed in case a time comes when a patch is so critical that waiting for a maintenance window introduces an unacceptable level of risk. Patch testing considerations are not clear-cute. A risk based decision must be made to determine the level of testing needed for an org. Patch-rinse-repeat: - there is a never ending cycle of patching - patch identification - possible patch testing - patch deployment - patch verification - ensure that the patches have been successfully installed on all systems.

Answer 2

Vulnerability scanning can provide a means outside of patch management solutions to answer if patches have been deployed and if any systems were missed. Focus is to determine if a patchable flaw persists and enumerate known flaws Goal is to pick up where scanning finishes and ensure prioritized remediation occurs in a timely fashion

Answer 3

The perimeter firewall is likely the first security tool to be encountered on the ingress and the last security tool for egress. Focus is to provide somewhat basic, but fast security screening before reaching a more capable firewall. Primarily designed for filtering traffic coming from external networks and should only expose necessary services to the external network.

Answer 4

It is a default deny rule for inbound traffic that is not explicitly allowed.

Answer 5

Firewalls should filter both inbound and outbound traffic. You can bolster the rule base with some additional prevention/detection outside of the implicit deny all function. You can do this through additional filters: Source IP address filters: - blacklist source IP addresses historically up to no good - blacklist bogus source IP (RFC 1918, Bogon (address that shouldnt be on the internet like private addresses), traffic coming from the internet using an internal address that is spoofed) - Blacklist regions based on geolocation Destination IP address filters: - unused public IPs allocated to your org.

Answer 6

1) Packet filtering 2) stateful 3) proxy 4) next generation firewalls

Answer 7

It is the most basic type of firewall. It is very fast but not very secure in protecting a network. It works by examining each packet independently and determines whether it should pass or be dropped. It has no idea of what traffic came before it. Only looks at the network protocol information in each packet to determine whether the packet should be dropped or allowed. ACL has no memory of previous packets and does not decide on the activity. It has to make assumptions. Decides based on the reply allow. They are faster because there is no state table lookup but wouldnt use one today

Answer 8

This firewall builds on top of packet filtering firewall and overcomes many of the limitations. This firewall keeps a state table of all traffic that occurred on the network and requests that went out are in the state table. By keeping a state table, assumptions no longer have to be made when filtering out or dropping packets. The state table is used to determine whether a packet should pass or be dropped because it remembers if someone in the network asked for that packet or not. This is more secure than packet filtering but it is slower and requires more resources to be used. State table lookup adds a split second delay.

Answer 9

A proxy firewall sits between two systems that are communicating. It creates two TCP connections for each request. It maintains one TCP connection with the client and one with the server. It is also known as an application proxy because it processes packets at all seven layers of the OSI model You connect to the proxy and it connects out. Great control - it allows you to inspect traffic and stop and initiate or not.

Answer 10

1) circuit level proxy firewall - does not use application level proxy software - develops a virtual connection between host and destination - typically sits at the session layer - SOCKS is the most common example. SOCKS is a circuit level proxy server that is used to authenticate a client. It supports hosts to connect through a firewall to an internal computer and it supports internal computer connections to external networks. replaces network system calls with socks calls. Network utilities have to be "socksified" to operate - operates as a proxy server - SOCKS doesnt understand the language - it just proxies things along. It is less granular but more universal because it can proxy more stuff - cannot understand the granularity of the content because it doesnt speak the language (e.g., doesnt know if someone is on an explicit site or not - just allows https) 2) application proxy firewall - implemented on a computer by using proxy server software - hides the origin of packet to the internet - acts as intermediary and moves an accepted packet from one network to another network - referred to as application layer gateway - operates at layer 7 - laid the foundation for NGFW - SQUID - application level - can undestand granularity of what people are doing and the actual content - e.g., can stop explicit site usage and knows a variety of protocols including HTTP, SMTP, FTP)

Answer 11

Layer 7 content scanning. They are a great control and money well spent. Need to scan layers 3, 4 and 7. IP addresses and ports in 3 and 4 but need to scan the actual data (layer 7). Is the data clean or dirty? NGFW was built squarely with layer 7 in mind. It has application inspection capabilities. It exposes detailed understanding of client and web applications, not just IP addresses associated with a particular server/service. They can understand and filer specific client side application capabilities. Best example - you want to block facebook chat but you dont want to block all of facebook. A Stateful inspection (layer 3/4 firewall) will have to block the whole site because it blocks based on IP address or port number. A NGFW can block the particular contents of the facebook site by blocking only chat and allowing the other functions of facebook to be allowed. That is because it can dig deeper into the layer 7 content and filter specific capabilities ****NGFW does not replace stateful inspection - they should be used together for ideal security.

Answer 12

- exposed to the internet with nothing else protecting it (e.g., firewall) - computer in the public area or a DMZ - exposed to attack from the internet - must have functions to protect itself - web, mail ftp servers can be considered bastion hosts.

Answer 13

- Software that runs on the protected host - Additional defense in depth layer when combined with network firewalls - Examples: - --- windows firewall - --- iptables - ---IPFilter - --- Application firewall - --- McAfee personal firewall - ---zonealarm Should be used in addition to network firewalls e.g., symantec is a software loaded on your laptop which is the host and is the firewall for the host

Answer 14

Like an IDS but tries to prevent. - It will look to block suspect traffic - False positive on an IPS is a self-imposed DoS condition because it will be trying to drop traffic based on the payload and can cause service outages. The configuration must be so that false positives cannot occur Can also filter Layer 7 application data

Answer 15

MDD (malware detonation devices - called sandboxing in the CISSP. Devices that put things that seem suspect into a box isolated to see what it does. MDD does this automatically. You render and execute files in a box before passing it on to the targets. What are the capabilities? - bolster protection against malware from both an exploitation and post exploitation vantage. You run actual malware and see what it does so you have to do this in a very safe place. A lot of times malware will not detonate if it knows its in a sandbox - Sandbox will attempt to rapidly open/execute suspicious files and render content to determine endpoint impact. - main emphasis is automatically trying to render or execute files before passing them on.

Answer 16

It is the list of confirmed authorized or known good software and applications. Anything beyond the known good list requires exception handling. We allow a list of known good software that has been vetted and deemed approved. Anything beyond the list should be blocked or considered suspicious until handled. You whitelist the application - not the file. The whitelist will not care if a spreadsheet has changed. It does not give confidentiality and integrity of data. It also doesnt help with malicious executables being written to a compromised system - only becomes relevant when that malware tries to run. You can still copy malware to the system it just wont run.

Answer 17

Endpoint security software that attempts to block malware and virus threats. Antivirus focuses on worms and viruses antimalware might bundle antivirus, antispyware, host IPS, application whitelisting Do not set it and forget it Just get it - most professionals complain and dont like it but you should just get it

Answer 18

IDS is a passive system that sends alerts when malicious actions occur. requires read only access to a network Sits on network and sniffs traffic. It is a sniffer with rules that look for indication of an attack. It operates in two modes: 1) passive - sends alert but does not stop the attack 2) active - stops the attack, usually by sending resets IDS events are classified as: - true positive - sets off alert and its a real attack - true negative - does not set off an alert and it is normal traffic - false positive - sets off alert and its normal traffic - false negative - does not set off an alert and it is an attack Increase the true positives and true negatives. Both IDS and IPS run in three modes: - signature matching - protocol behavior - anomaly identification

Answer 19

This is a form of detection which alerts when specific patters are recognized Looks for any evil pattern and alerts - can only do this if it has seen a pattern in the past. If there is something brand new or custom, it wont work because it has never seen it. It is a form of blacklisting It is prone to false positives and tends to fail against: - new or custom malware attack techniques - polymorphic malware - changes as it spreads - encrypted traffic

Answer 20

Alert for malicious traffic that is not following modeled protocol behavior: Example: - model expected protocol usage for TCP as SYN-> SYN/ACK -> ACK. Alert when you receive non standard protocol usage such as SYN/FIN or SYN/RST This is prone to false positives with complex protocols, nonstandard implementations and changing protocol use

Answer 21

Models expected behavior and ignores it. IT alerts on anomalous behavior Could be new application, user or just statistically significant behavior changes but it will be alerted on. Prone to false positives when behavior changes and often difficult to understand cause of the alerts. It is best used on small, well designed networks and in specific high risk cases. It has earned a poor reputation based on poor design and deployments. It learns on learning mode different behaviors - it will learn and then when its on alert mode it will alert anything out of what it had learned.

Answer 22

System meant to be compromised. Meant to draw live fire from actual systems to fake ones or to do research on malware and attacks. Let something malicious in. It provides a system for which no business need exists. They are deployed with no direct business need for interaction and the intent is primarily to serve as a trap for adversaries that mean to cause harm. Any interactions with it are suspect. Primary focus is public facing honeypots. They are publicly accessible and masquerade as legitimate servers offering public services. A more valuable approach would be to deploy internal honeypots. Risks - if you mis-configure your honeypot it can attack other companies or PCs or it can open up a door to your actual network

Answer 23

A SIEM is deployed to deal with the volume and analysis of security relevant data generated in various cyber defense mechanisms. Issue is when you shovel too many events and you play quantity vs. quality game. You cant just shovel the data in, you need to analyze it. Have you tuned the dashboard?

Answer 24

It is not enough to just gather relevant network and log data. You need to also review logs to truly understand security posture. SIEM and IDS are key monitoring tools. System event logs, web server logs, firewall and proxy logs, and many others can provide key insights and should be monitored by the SIEM

Answer 25

If you monitor someone - it has to be fair. Electronic monitoring: - must be applied consistently and uniformly - should be conducted in a lawful manner Email monitoring: - user should be informed state that there is no guarantee of email privacy Must be fair and evenly applied. You have to make sure everyone is treated equally

Answer 26

Logs are critical to investigations - not just system logs from compromised devices - most organizations dont log enough - attackers will often clear out or alter logs of compromised systems - SIM/SIEM/SEM make logs usable - logging levels typically need to be increased, in addition to being centralized****

Answer 27

Audit trails: - must be reviewed regularly **** strong answer for most important part of the exam because it is part of a process - exam loves processes. Any exam that speaks to process is a good answer - may not be right but if 50/50 go with the process answer - must be part of a routine - ease task with use of tools - ensure tool works properly - records history - provides accountability - indicates abnormal behavior If its not centralized or not part of a routine, it is not recommended

Answer 28

Transaction information logged: - individual conducting transactions - date - time - location used to process the transaction - information should be protected to keep the integrity. - in a breach - audit information must be available.

Answer 29

No log, no audit - central logging - prevent users from covering their tracks - make sure you use an NTP server Maintain a centralized backup copy of your logs. It is critically important to monitoring. You must be able to ensure the logs are not modified, deleted, altered or changed in order to consider them reliable. Implement a centralized logging host where a copy of all logs will be sent. this server must be very secure. All systems must also use reliable and accurate time source. this will ease log correlation to reconstruct events that took place ****When determining universal coordinated time, NTP is the best answer - you want NTP - no daylight savings, etc.

Answer 30

The process of dealing with security incidents. - Not a matter of if incident response will be employed, but when - Stakes are high, highly stressful, mistakes can be very costly, but inaction is very costly as well

Answer 31

Critical decisions must be made before incidents can be effectively handled: - Will the org pursue legal action? - what action is incident response authorized to take without approval? - Will the org attempt to understand the root cause of the issue or just reimage/revert? - are the incident responders authorized to allow attackers to persist to gain intelligence? Templates should be built for data gathering and general guidelines. This will ensure that the incident will provide appropriate documentation and less likely to make mistakes

Answer 32

Types of security incidents vary. However, some types are common enough to warrant specific mention. Some are internal or external. The goal is to understand the ramifications of specific incident types to prepare for them in advance. Keep in mind, for any incident that results in employee termination, ensure proper evidence is maintained to be able to defend action in a wrongful dismissal lawsuit

Answer 33

Your org could be involved in criminal proceedings in different fashions - could be victims of a crime - network could be used to perpetrate crime - org could be accused of criminal actions * ***proper handling of evidence is key - burden of proof is "beyond a shadow of a doubt" - solid integrity measures around evidence collection and handling is necessary All evidence collected and handled by incident responders must employ solid integrity measures such as chain of custody, integrity checksums and detailed incident response journals

Answer 34

Citizen privacy is typically not considered as sacrosanct in the US as it is in other parts of the world - however, internal privacy policy and privacy law violations can certainly occur The org could be charged with having violated privacy policy or individuals within the org could have abused a persons right to privacy

Answer 35

The most commonly considered threat source is an external attacker - appreciate that attribution (determining the actual source) is very difficult - Detailed logs can be provided to the offending IP addresses ISP - Consider not just the attacking IP address, but also the IP addresses of drop locations if data was exfltrated - Also appreciate pivoting, which makes the external attacker into an internal attacker Logs: - key logs are perimeter facing devices logs; NAT logs; all systems that might have connected to all offending IP addresses - consider internal logs if pivoting seems likely - review historical logs associated with offending IP addresses to determine if the attack could have possibly been detected earlier

Answer 36

Can be an actual internal employee or a pivoted outsider - this shouldnt change your incident response too much - internal log sources are vital - unfortunately, less likely to exist than external - eg.g., host based system logs and network device logs. - most security infrastructures are designed with external attack in mind - internal systems attacking other internal systems are less likely to be detected and prevented

Answer 37

1) Preparation 2) Detection 3) Response 4) Mitigation 5) Reporting 6) Recovery 7) Remediation 8) Lessons Learned

Answer 38

Planning is everything. Preparation plays a key role. Have a policy in place that covers an orgs approach to dealing with an incident, including intraorganization approach and interorganization approach on how it will work with other companies on an incident The plan should cover: - whether the company is going to notify law enforcement agencies or run silently - whether the company is going to contain and clean up an incident or watch and learn IR team needs to have management support and buy in. Need to select team members that are team players and can work in a team environment, in a stressful time and thinks out solutions and does not make rash decisions Key Items: - update disaster recovery plan - compensate team members* - provide checklists and procedures - have emergency communications plan - escrow passwords and encryption keys - provide training - have a jump bag with everything you need to handle an incident

Answer 39

- This is where you attempt to detect malicious activity - Be willing to alert early but do not jump to a conclusion - look at all the facts. dont be afraid to alert if you think you are wrong but be mindful of what you are alerting. - Make sure to notify the correct people - Use the help desk to track trouble tickets and the problem. - Assign a primary handler - handles communication Determine whether an event is an incident - - event: any measurable occurrence on a system (user logged in, change to a file, etc.) - incident: a malicious event (unauthorized login to an administrative account, installing a rootkit on a system) - Use SMART - specific, measurable, achievable, realistic, timely Once you identify if an event is actually an incident, take the steps to build a criminal or civil case if appropriate. Immediately identify possible witnesses and evidence. At this point, you must make the decision whether to involve law enforcement of not - senior management must be involved in this decision unless you have a detailed policy to follow. When you validate if it is an incident, you also decide the "contain and clean" or "watch and learn decision. Always make a clean binary backup of the system before you start making any modifications.

Answer 40

This is the phase where you stabilize and stop malware from spreading. incident handlers begin interacting with the affected systems. They attempt to stabilize the system and prevent it from getting worse. First secure the area. Then make backups. Decide to pull the systems off the network or turn off the entire network from the internet. Also change all passwords that may have been compromised during attack. Handlers are responsible for meeting the expectations of the prudent person rule. The company will be held liable for what they do or dont do. They will be considered negligent if they fail to meet certain standards of care expected of a person of ordinary prudence. you must act with due care. - Secure the data - an incident handler should not make things worse (liability and negligence) - Make a forensic backup - --- both disk and ideally RAM - --- More details are discussed in the upcoming forensics section - Pull the system off the network or power it off - --- different circumstances may lead to different response/containment activities - --- Once size does not fit all

Answer 41

Now you "heal" the patient. It is the phase where incident handlers heal the system by removing malicious artifacts. Fix the problem before putting the system back online. Remove the malware entirely Identify the cause of the incident, the vector of infection and act to prevent it form happening again. Improve your defenses and security.

Answer 42

Reporting occurs throughout the process of incident handling. Beginning with detection. It must begin immediately upon detection. There are two areas of focus: - technical: technical details of the incident as they begin the incident handling process while maintaining sufficient bandwidth to also notify management of serious incidents - non-technical: notify non-technical stakeholders like business and mission owners Formal reporting begins right before the recovery phase

Answer 43

Start to restore backups during this phase: - make sure you do not restore compromised code from your backups - Validate the system after you have restored and get the owners of the machine to sign that it is back to full operation and ensure the system is working before leaving the scene - Decide when to restore operations - this should be made by the system owner. - Monitor the systems - make sure the attacker does not come back in

Answer 44

This step occurs during the mitigation phase, where vulnerabilities within the impacted system or systems are mitigated. Remediation continues after that and becomes broader. Remediation occurs in phases - during the incident; throughout the incident; after the incident Examples of short-term remediation steps vs. long term remediation: changing passwords of affected users vs. reconfiguring systems to use dual factor authentication

Answer 45

Develop a report which is written by the on-site handler but has consensus from everyone involved. Conduct a lessons learned meeting Send recommendations to management Conduct a follow-up meeting for process improvement and to avoid this happening again in the future. The purpose is to improve security operations and posture in light of the incident. How can the org: - detect the incident faster - prevent elements from being successful - respond more quickly and completely - root-cause analysis will help inform answers Lessons learned should feed directly back into preparation for the next incident.

Answer 46

It is a investigation process driven with a lawyer. A policy guiding forensics tasks should be established in advance of its being needed. Key considerations are: - will forensic analysis be performed after a potential compromise - will it be performed in house? - will the goal be root cause analysis or prosecution / civil litigation? Incident handling is what happened and prevent it from happening again Forensics goes deeper than incident handling. It focuses heavily on artifacts and evidence through detailed and thorough analysis, greater expectation that legal system could be involved at some point, presumes that a violation or offense might have been committed

Answer 47

Look at the following possible impacts: - internal/operational? - regulatory implications? - possible criminal matter? - likely civil proceeding? This helps guide you with expectations to be met and needs to be addressed Always maintain integrity of information and evidence

Answer 48

- industry - public safety - shareholder implications - regulatory compliance (HIPAA) - data breach

Answer 49

- Data should be collected in a forensically sound manner - attempt to avoid making any unnecessary changes to the system before / during evidence collection - evidence should be acquired according to its volatility (highly volatile data such as RAM should be acquired before HDDs - Data collection should use binary backups - Additionally, hashing algorithms such as MD5 or SHA1 can be used during acquisition and after to provide assurances to the integrity of the images acquired - Analysis of copies of the forensic images can be performed Before making any changes to the system you must make a binary backup. This captures all files on the system and deleted files that remain on the hard drive. Then digitally sign the backup so you can prove integrity. Then make another copy and analyze the copy of the copy for forensics.

Answer 50

- Physical or real - relevant physical objects - Testimony: - --- direct - testimony from a firsthand witness of the legal matter being considered - --- circumstantial - testimony from a firsthand witness of circumstances related to the legal matter under consideration - --- expert - opinion/interpretation by someone deemed an expert by the court due to education, training or experience - documentary - corroborating - supports evidence already conveyed

Answer 51

Best evidence - where possible, courts prefer the best possible version of evidence (original vs. copy) Secondary evidence - copies or descriptions rather than the original Hearsay - this is secondhand evidence vs. direct evidence. - --- this is generally inadmissible although specific exceptions exist - --- by default, most computer generated data is considered hearsay - --- rule 803 includes exception for routinely used business records disk / memory images not treated as hearsay - these are considered duplicates of real evidence according to rule 1001

Answer 52

Authenticity and integrity of evidence should not be questionable. This details how evidence was obtained and how it was managed after gathering. When evidence is used in court, you have to show that you properly preserved that evidence to minimize the chance that it was modified or tampered with in any way. Must be able to account for who touched evidence and when and how it was preserved. Hashing algorithms help with integrity but does not speak to authenticity A provable chain of custody speaks to integrity and authenticity : - document time, location and manner of collection - specify individual response for control of evidence - where possible, employ tamper resistant/evidence storage - attestation - responsible parties sign initial to signify their agreement with stated role with evidence - ensure entire chain of evidence control could be reviewed

Answer 53

Must make sure the evidence is reliable and accurate. Where possible, hashing algorithms, chain of custody, and preservation of original evidence should be applied Evidence must also be relevant to the case.

Answer 54

You made need to seize a computer or obtain a warrant to further investigate something. - subpeona: - issued by the court to an individual - search warrant - issued to law enforcement - warrant should specify computer system - warrant should specify computers role in offense

Answer 55

Discovery is the process by which evidence is disclosed and exchanged - This is when the defense is given access to all of the evidence and is allowed to gather their own evidence and ask questions of witnesses. You must make evidence available to the defense. You cannot have surprises with new evidence.

Answer 56

- Electronic data requested by opposing counsel - must not be destroyed or inaccessible - if the enterprise is supposed to have it, it must be provided to defense - must be provided on a timely basis - if an enterprise does not have robust content management, these issues can be serious - failure to provide the data in the expected manner and timeline can result in significant fees and fines

Answer 57

To fully support ediscovery, the org must be able to quickly identify all relevant data (e.g., emails, IMS, etc.)

Answer 58

Tracking and inventories of physical devices - This is the physical side of electronic inventory - physical backup media serving as the sole source of data being placed on a legal hold illustrates the importance of asset control

Answer 59

Need to know how long specific types of data should be retained by the org Data named to a custodian, that person must be able to provide the data otherwise this can result in fines

Answer 60

RAID does one of two things but not necessarily both, it can make things faster and it can make things redundant but does not necessarily do both. RAID can help availability and reliability but can sometimes harm availability. RAID is the method used to provide fault tolerance if one of the hard drives crash on your system. It will protect only against a hard drive failure, not failures in any other hardware components.

Answer 61

RAID 0 provides better performance but ZERO fault tolerance. This is referred to as striping. There is no redundancy or protection of your data. It treats multiple disks as one large disk. Data is striped across multiple disks, which can increase performance of reads and writes. It is increased performance by maximizing the usable space to store data and also increases read and write performance but there is no protection against data loss However, if you lose one disk you are in BIG trouble because you rely on all disks because the information is across all files. It is like a shredded piece of paper, every other shred goes on disk A or disk B

Answer 62

RAID 1 is also called mirroring because this level mirrors data from each disk to another. 1:1 mirror - not super high performance. It creates a duplicate copy of your data across two disks. It is a one-to-one relationship between active disks and backup disks. If you have three disks that you want to implement RAID 1 on, you need a total of 6 disks to do this. Requires double the number of disk storage that would normally be required for housing the data without redundancy This protects data and enables redundancy - drive failure means the system will leverage the mirror of the failed disk

Answer 63

Not used in the real world - not used today - legacy - exam probably wont ask about them Want redundant data without paying 1:1 cost and dont want single point of failure This provides protection of data by interleaving the data at a bit level across multiple disks. This is not a general method of protecting your data, however, but a specific method in which a certain number of disks are required across the system. You need specifically 39 disks - 32 for storage and 7 for resistance (error recovery of the data) Uses hamming code to handle error checking and recovery and operates at the bit level (not as efficient as other methods)

Answer 64

not used today - legacy - exam probably wont ask about them They operate and protect the data in a similar manner. The data is striped across several drives. They employ a dedicated parity drive to provide fault tolerance. They do not require a set number of drives. ****RAID 3 - operates at the byte level - less data to be replicated but less efficient ****RAID 4 - operates at the block level

Answer 65

Most common Operates at block level. Called the interleave parity. Does not use dedicated drives for data and dedicated drives for error information. It interleaves both data and error information or parity information across all the drives at the block level. Flexible and somewhat more complex than previous RAID levels.

Answer 66

Referred to as double distributed parity, but adds a second set of striped parity information. Stripes data across the disks at the block level. By doubling the distributed parity information, additional redundancy is achieved. Allows for recovery from two drive failures.

Answer 67

0 - striped set, no redundancy 1 - mirrored set, fully redundant 2 - obsolete, bit interleaved, hamming code 3 - dedicated parity, byte level striping 4 - dedicated parity, block level striping 5 - distributed parity, block level striping 6 - double distributed parity, block level striping

Answer 68

Allows the management of multiple servers to present as one system to clients or services leveraging them. Load sharing is occurring as opposed to simple active/passive. Consists of a group of servers that present as a single system. The server cluster can achieve more resiliency than an individual server while also providing more scalability. The cluster acts as a single entity and balances the traffic load to improve performance. Increased availability and scalability.

Answer 69

1) Electronic vaulting: batch process - transmitting data through communication lines to storage on a remote server (e.g., batch processing) 2) Remote journaling - transmitting data in real time or near real time to backup storage at a remote location 3) Database shadowing: active passive type setup. provides additional robust backup by storing duplicate data on multiple remote storage devices 3) disk duplexing - RAID - disk controller duplicated. one controller fails, another operates

Answer 70

Complete backup of everything, everyday. Should be done at least once a week. Makes a complete backup of every file on the server every time its run. Restoring requires one backup tape Full backups set the file archive bits to zero - the file system sets the archive bit to one when files are created or changed (indicates backup is required)

Answer 71

Backs up files that have been created or modified since the last full or incremental backup. Only the data that has changed since the last backup is backed up. If your system crashes, you need the last full backup and all the incremental backups since. This backs up the least amount of data each day. it requires the most amount of tapes to restore your data. Used if time and space is at a premium.

Answer 72

It is a cross between a full and an incremental. It backs up all data that has changed since the last full backup. Does not set the archive bit to zero. Restore from most recent full and most recent differential.

Answer 73

Plan to avoid irreparable loss of mission critical operations - the primary goal is to ensure that the business remains viable even in the face of disasters

Answer 74

Is a recovery term that is focused on the restoration of mission critical functions in the event they are impacted. It is an approach that is focused on restoration of mission critical functions - --- subset of BCP - --- typically considers use of alternate facility / location that can be used in the event that the primary location is unavailable for restoration The goal is to be able to recover critical functions rapidly. also includes potential contingent operations lasting for 30+ days if needed

Answer 75

Plan that provides detailed steps to restore critical information systems and data - --- focused on the information systems and data that are identified as mission critical in the BCP - --- subset of BCP DRP is short term focused and BCP is long term focused

Answer 76

DRP: - provides a response to disruption - short time span of activities - when a disaster strikes, all normal business activities are heavily modified, reduced or completely suspended. Only critical business processes resume and usually at an alternate site BCP: - implements the recovery - long term and pervasive activities - As repairs are completed, normal business activities resume as the BCP dictates. - every day - broad plan with sub plans - you work on bcp everyday

Answer 77

Assess risk associated with people, processes and technology to ensure that the organization is operating with an acceptable level of risk Main components of risk analysis include: - threat identification/assessment - vulnerability identification/assessment - impact assessment - approaches to risk mitigation focus on the business and the risks so that a disaster can be recovered. And make sure that anything that needs to be redundant is backed up

Answer 78

1) identify all natural threats relevant to your business 2) identify all man made threats relevant to your business 3) identify all IT and tech based threats relevant to your business 4) identify all environmental/infrastructure threats relevant to your business 5) for each threat, identify threat sources 6) for each threat source, identify the likelihood of occurrence 7) based on likelihood of occurrence, assess company's vulnerability to each threat source 8) based on likelihood and vulnerability, prioritize list of threats to company

Answer 79

1) business function priorities 2) time frame for recovery 3) resource requirements ****Determine the maximum allowable downtime / maximum tolerable downtime determine mission critical business processes and the impact associated with disruption of these services primary focus is the disruption of availability and to determine the impact and effect of an outage over a period of time. Impact informs requirements regarding recovery times This builds upon the risk analysis and is focused on key business functions to determine time and date recovery requirements vulnerability assessment is a sub-set

Answer 80

Total amount of time a process can be non-functioning before critical financial or operational impact. Basis for determining recovery resource requirements. Used to identify resource requirements Ask the business, not IT short MAD - more expense the plan longer the MAD - less expensive the plan

Answer 81

MTD is based upon business impact of services being disrupted - this can be calculated without consideration of the supporting IT systems and infrastructure. RTO is a measure of when the system will be available to begin processing recovery work before being put back into a normalized production mode - how long it takes to recovery the necessary hardware and software. how long it takes to recover hardware/software - cannot be longer than the MTD. how soon you can get the servers back online

Answer 82

Downtime/service disruption/outage must be kept below the threshold of the defined MTD - downtime includes more than just the amount of time it takes to get hardware/software up and operations (RTO) - must also take into account restoring operational data from backup and processing data generated during the disruption WRT is the amount of time it takes to recover the data to the pointw here normal operation can resume MTD = RTO + WRT

Answer 83

How much data loss is acceptable for a given business function? - not lost from a data breach perspective but lost operationally This will dictate the approaches for backup and resiliency for business functions as needed. For example, if backups are done weekly, is it acceptable to possibly lose a weeks worth of date?

Answer 84

1) Never do it alone 2) get C level support You must involve senior management and they must approve the final plan. Teams are essential. There is a lot of paperwork and the more complex the business, the more help you need.

Answer 85

1) Business unit managers 2) IT and security staff 3) Human resources 4) Payroll - big in determining and driving MTD 5) Physical plan manager 6) Office Managers You will have an executive team (executive managers responsible for recovering critical functions),? management team (People in the command center who manage, control and guide recovery) and response team (executing the recovery)

Answer 86

- No strategy - DO NOT DO THIS - bad answer on the exam - self-service - attempt to handle the disruption within current facilities - reciprocal agreements - agreement with another entity to attempt to help on another during disruption. It assumes both entities are not impacted simultaneously - Alternate sites: hot, warm, cold, hybrid and mobile

Answer 87

Hot Site: fully equipped running 24/7. Good for functions that cannot tolerate any downtime. Not instant but can cut over quickly. there would still be a short disruption. Very fast but not instant. Not seamless to the user. Warm Site: pre-equipped but not necessarily ready to go. Business processes can tolerate a few hours of downtime. Apps and servers exist but there is no data. you need to restore data Cold Site: Empty facility that the company must equip in the event of disruption. Could take hours or days to set up. empty room with nothing in it. electricity available but no computers. Provision it as fast as you can get computers. Hybrid Site: combination of hot ,warm and cold. An example is hot and cold which is immediate failover for a hot site, and for long term disasters, eventual failover to a cold site Multiple processing sites: multiple internal processing locations geographically dispersed to assist in the backup and recovery of vital company data (aka mirror). You have multiple sites - active active cluster of buildings performing transactions for you. Each three can do the work of the other 2. If one goes down you have 2 other sites. This is the fastest and most expensive. Instant and seamless to the user. People work here everyday. Mobile Site: same as hot site but not quite. It is "office on wheels" that you can locate conveniently near the company. can only meet 12 to 72 hour response time depending on the proximity of the service provider who will deliver the mobile facility. Data center on wheels. You wheel it in. Reciprocal: formalized agreement between two business entities to facilitate recovery after a disaster. Such as temp office space and use of company resources to resume operations. Highest speed is multiple processing sites

Answer 88

The types of testing are: - read through, checklist or consistency testing - --- simply reviewing the BCP to ensure all areas are covered. least expensive and lease valuable - structured walkthrough or validity testing - --- team members step through the plan looking for errors or false assumptions. walkthrough a scenario - talk through it. Ok the power is out, what happens. walkthrough one generic outage - simulation or tabletop - --- walkthrough test that involves specific mock up scenarios. mock up of an actual emergency where team members respond as if an emergency is occurring. you may recover locations and enable communications links but do not actually restore backups. you go through many different specific scenarios and examples - parallel - --- recovery to an alternate site with main site still active. You do actual recovery to an alternate computing facility while normal operations are still maintained at the primary location - full interruption - --- actual failover to the alternate computing facility

Answer 89

How to operate the alternate site How to start emergency power How to perform a restorative backup Training is very important for executing BCP

Answer 90

Physical security and safety of people must be maintained. Safety is #1 Personnel safety, authorized access, equipment protection, information protection, availability Train everyone on evacuation - post where to go - practice where to go - have a meeting point You should always have a: - safety warden - check premise for employees and clears the area. Last one out. - meeting point leader - getting to the meeting point and beginning the process of accounting for all employees. Should be the first out as rapidly as possible - employee - know how to react and their roles and responsibilities Travel safety and duress warning systems - track and issue travel warnings - warnings should be consulted and heeded before traveling to foreign countries - give alerts if there is severe weather, threat of violence, chemical contamination