Domain 7 (Security Operations) Flashcards
Definition of an Event?
An observable change in state
Definition of Alerts?
Flagged events that may require further investigation to determine if an incident has taken place
Definition of Incident?
Adverse impact to the system or network
What are the four steps of Incident Response?
Preparation (training, hiring);
Detection and Analysis;
Containment, eradication and recovery;
Post-Incident review
Definition of a Problem?
An incident with an unknown cause
What are the five rules of Digital Evidence?
Must be: Authentic, Accurate, Complete, Convincing, Admissible
What are the seven steps of Forensic Investigation?
Identification, Preservation, Collection, Examination, Analysis, Presentation, Decision
What is Locard’s principle of exchange?
When a crime is committed, the attacker takes something and leaves something behind
What history must be recorded for the Chain of Custody?
How the evidence was: Collected, Analyzed, Transported, Preserved
What are the eight types of Evidence?
Direct evidence, Real evidence, Best evidence, Secondary evidence, Corroborative evidence, Circumstantial evidence, Hearsay evidence, Demonstrative evidence
What is Direct Evidence?
Can prove a fact by itself and does not need backup information
What is Real Evidence?
Smoking gun. Object used in a crime.
What is Best Evidence?
Most reliable, e.g. a signed contract
What is Secondary Evidence?
Not strong enough to stand alone but can support other evidence, e.g. expert opinion
What is Corroborative Evidence?
Supporting evidence. Backs up other information presented.
What is Circumstantial Evidence?
Proves one fact which can be used to suggest another. Can’t stand on its own
What is Hearsay Evidence?
Second-hand oral or written evidence. Can also be copies of a document.
What is Demonstrative Evidence?
Presentation-based, like photos of a crime scene
What is Disk Shadowing?
Same as mirroring
What is Electronic Vaulting?
Sends a BATCH of data to a remote location
What is Remote Journaling?
Moves transaction logs to a remote location so they can be used to recreate the database