Domain 7: Forensics and Incident Response Flashcards
Ensures that multiple people are required to complete critical or sensitive transactions
Separation of duties
Provides a type of knowledge redundancy; moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information
Rotation of duties/Job rotation
Requires employees to be away from work; used to detect and deter fraud or negligence
Mandatory leave/forced vacation
Contractual agreement requiring an individual or organization not to discuss sensitive information pertaining to the company
Nondisclosure agreement (NDA)
Portions of a disk partition that are marked as actively containing data
Allocated space
- Portions of a disk partition that do not contain active data
- e.g. when a file is deleted, the portion of the disk that held the deleted file
Unallocated space
The leftover space inside a cluster
Slack space
- Disk space that generally cannot be used, due to some physical defect
- Once marked, the OS ignores these sections
- Attackers may mark sections as bad in order to hide data within that portion of the disk
“Bad” blocks/clusters/sectors
- Logs can contain info about visited websites
- The proxy server can be configured to block access to certain websites
Proxy logs
Logs that track source and destination IP addresses and ports of network traffic
Firewall Logs
Logs that monitor when a user accesses, modifies, or deletes a file or folder
Security logs
- Logs that monitor computer and OS events
- e.g. a computer or service stops and starts
System logs
An individual or group responsible for a threat that exploits a given vulnerability
Threat agent
Another name for a hypervisor
Virtual Machine Monitor (VMM)
- Pre-trial routine in which attorneys on both sides exchange evidence
- With this term we focus on electronically stored information (ESI), e.g. emails, text messages, word processing documents, social media posts, etc.
Electronic Discovery (eDiscovery)
Name the 8 stages for the incident response methodology
- Preparation
- Detection (identification)
- Response (containment)
- Mitigation (eradication)
- Reporting
- Recovery
- Remediation
- Lessons learned (post incident activity, postmortem, or reporting)
- Incident Response methodology
- Steps taken before an incident occurs
- e.g. training, writing incident response policies and procedures, etc.
Preparation
- Incident Response methodology
- Events are analyzed in order to determine whether they might constitute a security incident
Detection (identification)
- Incident Response methodology
- The Incident Response team interacts with the affected systems and attempts to keep further damage from occurring as a result of the incident
- e.g. powering off the system, isolating traffic
Response (containment)
- Incident Response methodology
- In this process the cause of the incident is understood
Mitigation (eradication)
- Incident Response methodology
- Occurs throughout the entire incident response process
- Explanation of the incident from both a technical and nontechnical perspective
Reporting
- Incident Response methodology
- The process of restoring the system or systems to operational status
Recovery
- Incident Response methodology
- At this stage vulnerabilities impacting the affected systems are addressed and mitigated
Remediation
- Incident Response methodology
- Final report on incident that will be delivered to management
- Ways the compromise could have been identified sooner
Lessons learned (post incident activity, postmortem, or reporting)
The vulnerability or weakness that allowed the incident to be realized
Root-Cause Analysis
- When detected, an attacker is automatically moved here
- A simulated network environment; the attacker is unable to access any confidential data from inside it
Padded cells
- False vulnerabilities intentionally implanted in a system in an attempt to tempt attackers
- Often used in honeypots to emulate well-known OS vulnerabilities
Pseudo flaws
- Record created by logging info about events and occurrences
- Used to reconstruct an event, extract info about an incident, and to prove or disprove culpability
Audit trails
Process of extracting elements from a large body of data to construct a meaningful representation or summary of the whole
Sampling aka data extraction
- Uses precise mathematical functions to extract meaningful info from a large volume of data
- Identifies the margin of error; e.g. used by pollsters to learn the opinions of a large population without interviewing everyone in it
Statistical sampling