Domain 7: Forensics and Incident Response

Question 1

Ensures that multiple people are required to complete critical or sensitive transactions

Answer 1

Separation of duties

Question 2

Provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information

Answer 2

Rotation of duties/Job rotation

Question 3

Requires employees to be away from work used to detect and deter fraud, or negligence

Answer 3

Mandatory leave/forced vacation

Question 4

Contractual agreement requiring an individual or organization not to discuss sensitive information pertaining to the company

Answer 4

Nondisclosure agreement (NDA)

Question 5

Portions of disk partition that are marked as actively containing data

Answer 5

Allocated space

Question 6

• Portions of disk partition that does not contain active data
• i.e. file is deleted the portion of the disk that held the deleted file

Answer 6

Unallocated space

Question 7

The leftover space inside a cluster

Answer 7

Slack space

Question 8

• Disk space that cannot be used generally due to some physical defect
• When marked OS ignores these sections
• Attackers will mark these sections in order to hide data within the portion of disk

Answer 8

“Bad” blocks/clusters/sectors

Question 9

• Logs can contain info about visited websites

- Server can be configured to block access to certain websites

Answer 9

Proxy logs

Question 10

Logs that track source and destination IP addresses and ports of network traffic

Answer 10

Firewall Logs

Question 11

Logs that monitor when a user accesses, modifies, or deletes a file or folder

Answer 11

Security logs

Question 12

• Logs that monitor computer, and OS events.

- i.e. computer or service stops and starts

Answer 12

System logs

Question 13

An individual or group who are responsible for a threat that exploits a give vulnerability

Answer 13

Threat agent

Question 14

Another name for a hypervisor

Answer 14

Virtual Machine Monitor (VMM)

Question 15

• Pre-trial routine of attorney’s on both sides exchanging evidence
• With this term we focus on electronic stored info (ESI) - i.e. emails, text messages, word processing documents, social media posts etc.

Answer 15

Electronic Discovery (eDiscovery)

Question 16

Name the 8 stages for the incident response methodology

Answer 16

1. Preparation
2. Detection (identification)
3. Response (containment)
4. Mitigation (eradication)
5. Reporting
6. Recovery
7. Remediation
8. Lessons learned (post incident activity, postmortem, or reporting)

Question 17

• Incident Response methodology
• Steps taken before an incident occurs
• i.e. training, writing incident response policies and procedures etc.

Answer 17

Preparation

Question 18

• Incident Response methodology

- Events are analyzed in order to determine whether these events might compromise a security incident

Answer 18

Detection (identification)

Question 19

• Incident Response methodology
• Incident Response team interacts with the affected systems and attempts to keep further damage from occurring as a result of the incident.
• i.e. power off system, isolating traffic

Answer 19

Response (containment)

Question 20

• Incident Response methodology

- In this process we understand the cause of the incident

Answer 20

Mitigation (eradication)

Question 21

• Incident Response methodology
• Occurs throughout the entire incident response process
• Explanation of the incident that from both a technical and nontechnical perspective

Answer 21

Reporting

Question 22

• Incident Response methodology

- The process of restoring the systems or systems to operational status

Answer 22

Recovery

Question 23

• Incident Response methodology

- At this stage vulnerabilities impacting the affected systems are addressed and mitigated

Answer 23

Remediation

Question 24

• Incident Response methodology
• Final report on incident that will be delivered to management
• Ways the compromise could have been identified sooner

Answer 24

Lessons learned (post incident activity, postmortem, or reporting)

Question 25

The vulnerability or weakness that allowed the incident to be realized

Answer 25

Root-Cause Analysis

Question 26

• When detected an attacker is automatically moved here

- Simulated network environment but attacker is unable to access any confidential data from inside

Answer 26

Padded cells

Question 27

• Are false vulnerabilities intentionally implanted in a system in an attempt to tempt attackers
• Often used in honeypots to emulate well-known OS vulnerabilities

Answer 27

Pseudo flaws

Question 28

• Record created by recording info about events and occurrences
• Used to reconstruct an event, extract info about an incident, and to prove or disprove culpability

Answer 28

Audit trails

Question 29

Process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole

Answer 29

Sampling aka data extraction

Question 30

• Uses precise mathematical functions to extract meaningful info from a large volume of data
  Identify the margin of error
• i.e. Used by pollsters to learn opinions of large populations without interviewing everyone in the population

Answer 30

Statistical sampling