Domain 7 - Security Operations Flashcards

1
Q

Describe the proper process during an Incident Scene.

A
  • ID the Scene
  • Protect the environment
  • ID evidence and potential sources of evidence
  • Collect evidence: hash what is collected and minimize the degree of contamination

Locard’s Exchange Principle

– every contact leaves a trace: the perpetrator leaves something behind at the scene and carries something away from it

2
Q

What are the important factors within Evidence?

A
Sufficient
Reliable
Relevant
Permissible
Preserved and identifiable
3
Q

Sufficient

A

persuasive enough to convince one of its validity

4
Q

Reliable

A

consistent with fact; the evidence has not been tampered with or modified

5
Q

Relevant

A

the relationship to the findings must be reasonable and sensible: proof of the crime, documentation of events, proof of the acts and methods used, proof of motive, identification of the acts

6
Q

Permissible

A

the evidence must be lawfully obtained; avoid unlawful search and seizure, secret recordings, privacy violations and forced confessions

7
Q

Preserved and identifiable

A

collection, reconstruction

8
Q

Identification

A

labeling, recording serial numbers, etc. Evidence must be preserved and identifiable.

•Collection, documentation, classification, comparison, reconstruction

9
Q

EVIDENCE LIFECYCLE

A
  1. Discovery
  2. Protection
  3. Recording
  4. Collection and identification
  5. Analysis
  6. Storage, preservation, transportation
  7. Present in court
  8. Return to owner

To establish that evidence is trustworthy, a witness must be able to describe the procedures used, show that collection followed normal business methods, and explain the precautions taken against error and how any errors were corrected.

10
Q

Best Evidence

A

–Primary Evidence–is used at the trial because it is the most reliable.

–Original documents–are used to document things such as contracts

– NOTE: no copies!

–Note: Oral is not best evidence though it may provide interpretation of documents, etc.

11
Q

Secondary Evidence

A

–Not as strong as best evidence.

–A copy (secondary evidence) is not permitted if the original (best evidence) is available. Example: copies of documents.

–Oral evidence like Witness testimony

12
Q

Direct Evidence

A

–Can prove a fact by itself and needs no corroboration.

–Testimony from a witness about what they perceived with one of their five senses.

•Oral evidence is a type of secondary evidence, so a case cannot rest on it alone; but it is direct evidence and does not need other evidence to substantiate it.

13
Q

Conclusive evidence

A

–Irrefutable and cannot be contradicted

–Requires no other corroboration

14
Q

Circumstantial evidence

A

–Used to help assume another fact

–Cannot stand on its own to directly prove a fact

15
Q

Corroborative Evidence

A

Supports or substantiates other evidence presented in a case

16
Q

Hearsay Evidence

A

something a witness heard another person say. Printed or displayed computer output and business records are also hearsay in principle. Business-records exception: audit trails and other records created in the normal course of business are not treated as hearsay.

17
Q

Interviewing

A

gather facts and determine the substance of the case.

18
Q

Interrogation

A

–An evidence-gathering method whose ultimate goal is to obtain a confession

19
Q

The Process - Due Process

A

–Prepare questions and topics, put witness at ease, summarize information

–interview/interrogation plan

–Have one person as lead and 1-2 others involved as well

–never interrogate or interview alone

20
Q

Opinion Rule

A

Requires ordinary witnesses to testify only about the facts of the case; their opinions cannot be used as evidence.

21
Q

Expert Witnesses

A

–Used to educate the jury; unlike an ordinary witness, an expert’s opinion can be used as evidence

22
Q

Six principles to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:

A

  • When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
  • Upon seizing digital evidence, actions taken should not change that evidence.
  • When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
  • All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
  • An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
  • Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.

23
Q

Media analysis

A

A branch of computer forensic analysis that involves the identification and extraction of information from storage media, including:

  • Magnetic media (e.g., hard disks, tapes)
  • Optical media (e.g., CDs, DVDs, Blu-ray discs)
  • Memory (e.g., RAM, solid-state storage)

Techniques used for media analysis may include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.

24
Q

Network Analysis

A

Forensic investigators are also often interested in the activity that took place over the network during a security incident. Network forensic analysis therefore often depends on either prior knowledge that an incident is underway or the use of preexisting security controls that log network activity. These include:

  • Intrusion detection and prevention system logs
  • Network flow data captured by a flow monitoring system
  • Packet captures deliberately collected during an incident
  • Logs from firewalls and other network security devices

The task of the network forensic analyst is to collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.

25
Q

Software Analysis

A

Forensic analysts may also be called on to conduct forensic reviews of applications or of the activity that takes place within a running application. In some cases, when malicious insiders are suspected, the forensic analyst may be asked to conduct a review of software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking other signs of malicious activity, such as SQL injection attacks, privilege escalations, or other application attacks.

26
Q

Hardware/ Embedded Device Analysis

A

Forensic analysts often must review the contents of hardware and embedded devices. This may include a review of Personal computers & Smartphones

27
Q

Admissible Evidence

A
  • The evidence must be relevant to determining a fact.
  • The fact that the evidence seeks to determine must be material (that is, related) to the case.
  • The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
28
Q

Five rules of evidence

A
  • Be authentic; evidence tied back to scene
  • Be accurate; maintain authenticity and veracity
  • Be complete; all evidence collected, for & against view
  • Be convincing; clear & easy to understand for jury
  • Be admissible; be able to be used in court
29
Q

Forensic Disk Controller

A

A write-blocking device that sits between the forensic host and the storage device, intercepting and modifying or discarding commands sent to the device. Its functions:

  • Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device
  • Returns the data requested by a read operation
  • Returns access-significant information from the device
  • Reports errors from the device to the forensic host

Note: logs taken in the normal course of business fall under the business-records exception to hearsay (see Hearsay Evidence).

30
Q

MOM

A

means, opportunity and motive

31
Q

Victimology

A

the study of why certain people become victims of crime and how lifestyle affects the chances that a given person will fall victim to a crime

32
Q

Types of Investigations

A
  • Operational
  • Criminal
  • Civil
  • eDiscovery
33
Q

What is a very important step when investigating a hard drive?

A

Do not hash or examine files directly on the original drive while it is mounted read-write: merely reading a file updates its access timestamps. Attach the drive through a write blocker (or mount it read-only), take a bit-for-bit image, hash both the original and the image to show they match, and do all analysis on the copy.

Slack space on a disk should be inspected for hidden data and must be included in the disk image (a bit-for-bit image captures it; a file-level copy does not).
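The image-then-hash workflow and the slack-space check described above, as an added example that is not part of the original flashcards. An ordinary file stands in for the block device, and the constructed "disk" (512-byte clusters, a 100-byte file whose slack still holds leftovers of a deleted file) is an assumption for illustration; a real acquisition would read the device through a hardware write blocker.

```python
"""Image-then-hash workflow and slack-space inspection (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks so large media need not fit in RAM


def sha256_file(path):
    """Independent re-read of a file, used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source, image_path):
    """Bit-for-bit copy of `source` into `image_path`, hashing both streams.

    The source is opened read-only; in a real acquisition it would also sit
    behind a write blocker so that even a read cannot update access timestamps.
    Returns a chain-of-custody style record with both hashes."""
    src_hash = hashlib.sha256()
    img_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            img_hash.update(block)
    record = {
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
    }
    # Re-read the written image independently; a mismatch means the copy is not evidence-grade.
    record["verified"] = sha256_file(image_path) == record["source_sha256"]
    return record


def slack_space(image, cluster_size, file_start, file_size):
    """Bytes between the logical end of a file and the end of its last cluster."""
    clusters = -(-file_size // cluster_size)  # ceiling division
    end_of_data = file_start + file_size
    end_of_cluster = file_start + clusters * cluster_size
    return image[end_of_data:end_of_cluster]


def build_sample_disk(cluster_size=512):
    """Constructed 'disk' (assumption): a 100-byte file in cluster 0 whose
    slack still contains leftovers of an earlier, deleted file."""
    disk = bytearray(cluster_size * 4)
    disk[0:100] = b"A" * 100                  # current file content
    stale = b"old password: hunter2"          # leftover from a prior file
    disk[200:200 + len(stale)] = stale
    return bytes(disk)


def demo():
    """Write the sample disk to a temp file, image it, then inspect the copy."""
    disk = build_sample_disk()
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.raw")
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as f:
            f.write(disk)
        record = image_device(src, img)
        with open(img, "rb") as f:
            image = f.read()  # analysis runs on the copy, never the original
    slack = slack_space(image, 512, 0, 100)
    return record, slack
```

Because the image is a raw copy of every cluster, the stale bytes in slack survive even though no file references them; a file-by-file copy would have dropped them.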

34
Q

Common Law

A

USA, UK, Australia, Canada: law is made by judges through precedent as well as by statute

35
Q

Civil Law

A

Europe, South America: codified statutes; judges apply the code rather than precedent

36
Q

Islamic and other religious laws

A

Middle East, Africa, Indonesia

37
Q

United States 3 Branches for Laws

A

Legislative: writes laws (statutory law)

Executive: enforces laws (administrative law, through agencies and regulations)

Judicial: interprets laws (creates common law out of court decisions)

38
Q

What are the 3 categories of law?

A

Criminal law
Civil law
Administrative/Regulatory law

39
Q

Criminal law

A

individuals who violate laws enacted by government; punishment is mostly imprisonment

40
Q

Civil law

A

wrongs against an individual or organization that result in damage or loss.

Remedies are mainly financial penalties (damages). Includes tort law (“I’ll sue you!”); a jury decides liability.

41
Q

Administrative/Regulatory law

A

how industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.

42
Q

Uniform Computer Information Transactions Act (UCITA)

A

A model (uniform) law drafted for adoption by the individual US states, not a federal statute, that provides a common framework for the conduct of computer-related business transactions.

UCITA contains provisions that address software licensing.

The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.

43
Q

Computer Crime Laws -3 types of harm

A
  • unauthorized intrusion,
  • unauthorized alteration or destruction
  • malicious code
44
Q

Admissible evidence

A

relevant, sufficient, reliable, does not have to be tangible

45
Q

Hearsay

A

second-hand information; generally not admissible in court (see the business-records exception under Hearsay Evidence)

46
Q

Enticement

A

the legal act of luring an intruder who is already looking for a target, e.g., with a honeypot

47
Q

Entrapment

A

the illegal act of inducing someone to commit a crime that the individual had no intent of committing at first

48
Q

Federal Sentencing Guidelines

A

provide judges and courts with sentencing guidance for organizations; they hold executives responsible for due care and reduce penalties for organizations that maintain programs for the prevention, detection and reporting of offenses

49
Q

SIEM

A

Security information and event management

Automates much of the routine work of log review and provides real-time analysis of events occurring on systems throughout an organization. A SIEM does not necessarily inspect outgoing traffic; that is the job of a DLP system.
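The kind of correlation a SIEM automates, as an added example that is not part of the original flashcards. The script parses constructed sshd-style authentication lines (the line format, the addresses and the five-failures-in-60-seconds threshold are assumptions) and raises a brute-force alert for a burst of failures from one source, then a possible-compromise alert when a successful login from that source follows.

```python
"""Minimal SIEM-style correlation over authentication log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format, loosely modelled on sshd syslog lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample: a burst of failures followed by a success, plus unrelated noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01 web1 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:03 web1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05 web1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:06 web1 sshd: Accepted password for alice from 198.51.100.20
2024-05-01T10:00:08 web1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:09 web1 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:12 web1 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00 web1 sshd: Failed password for bob from 198.51.100.20
"""


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(log_text, threshold=5, window_s=60):
    """Sliding-window correlation.

    Emits ('brute_force', src, ts) once `threshold` failures from one source
    fall within `window_s` seconds, and ('possible_compromise', src, user, ts)
    when a successful login from a flagged source follows."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already alerted for brute force
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparsable line; a real SIEM would count these too
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["ts"].isoformat()))
        elif ev["src"] in flagged:
            alerts.append(("possible_compromise", ev["src"], ev["user"], ev["ts"].isoformat()))
    return alerts
```

The second alert is the one an analyst acts on first: a burst of failures is noise on any internet-facing host, but a success from the same source right after it is the signature of a guessed password.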

50
Q

Intrusion Detection and Prevention

A

An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources. Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.

51
Q

IDS

A

Intrusion Detection System

automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. IDSs are an effective method of detecting many DoS and DDoS attacks. They can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.

52
Q

IPS

A

Intrusion Prevention System

Includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features of an IPS, essentially causing it to function as an IDS.

53
Q

Data Loss Prevention (DLP)

A

PROTECT SENSITIVE INFORMATION

Data loss prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns
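The keyword and data-pattern scanning a DLP engine applies to outgoing content, as an added example that is not part of the original flashcards. The keyword list, the regular expressions, the block/alert/allow policy and the sample messages are assumptions constructed for illustration; the Luhn check is what keeps an order number that merely looks like a card number from triggering a block.

```python
"""Content scanner of the kind a DLP engine runs on outgoing data (added example)."""
import re

KEYWORDS = ("confidential", "internal only", "do not distribute")
# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN-shaped values; a production rule would add issuance-range checks.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value):
    """Keep only the last four digits so the alert itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text):
    """Return findings as (kind, evidence) tuples; evidence is redacted."""
    findings = []
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", redact(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", redact(m.group())))
    return findings


def policy_decision(text):
    """Block if a structured identifier leaks; alert-only for bare keywords."""
    findings = scan(text)
    if any(kind in ("pan", "ssn") for kind, _ in findings):
        return "block", findings
    if findings:
        return "alert", findings
    return "allow", findings


# Constructed sample messages (assumptions).
MSG_CARD = "Please charge card 4111 1111 1111 1111 for the invoice."
MSG_ORDER = "Your order number is 4111 1111 1111 1112, thanks."  # fails Luhn
MSG_MEMO = "INTERNAL ONLY: draft pricing attached."
MSG_CLEAN = "Lunch at noon?"
```

A network DLP would run `policy_decision` on the reassembled body of each outbound message at the network edge; an endpoint DLP would run it on the file being copied to a USB drive or spooled to a printer.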

54
Q

Network-based DLP

A

scans all outgoing data looking for specific data. Administrators place it at the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system detects it and prevents it from leaving the organization, and sends an alert, such as an email to an administrator.

55
Q

Endpoint-based DLP

A

Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.

56
Q

3 states of information

A
  • data at rest (storage)
  • data in transit (the network)
  • data in use / being processed (must be decrypted; at the endpoint)

DLP for data at rest can look for sensitive information stored on hard drives.

57
Q

Configuration item (CI)

A

a component whose state is recorded. Version: a recorded state of the CI.

58
Q

Configuration

A

collection of component CI’s that make another CI

59
Q

Building

A

assembling a version of a CI using component CI’s

60
Q

Build list

A

set of versions of component CIs used to build a CI.

Software library: a controlled area accessible only to approved users.

61
Q

Recovery procedures

A

system should restart in secure mode

62
Q

maintenance mode

A

Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals

63
Q

Fault-tolerant

A

continues to function despite failure

64
Q

Fail safe system

A

program execution is terminated and the system is protected from compromise when a hardware or software failure occurs

For physical doors, “fail safe” usually means the door unlocks on failure so people can get out (see FAIL SAFE / FAIL SECURE).

65
Q

Fail Closed/secure

A

most conservative from a security perspective

66
Q

Fail Hard

A

the system halts (e.g., a blue screen) so that a human can examine why it failed

67
Q

Fail soft or resilient system

A

selected, non-critical processing is terminated when a failure occurs, so that critical functions continue in a degraded mode

68
Q

FAIL SAFE

A

doors UNLOCK

69
Q

FAIL SECURE

A

doors LOCK

70
Q

Trusted Path

A

Protects data between users and a security component: a channel established under strict standards that allows the necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (subjects) from compromise as a result of a TCB interchange.

It is the only correct way to cross a security boundary.

71
Q

Events

A

anything that happens; events can be documented, verified and analyzed

72
Q

Security Incident

A

event or series of events that adversely impact the ability of an organization to do business

suspected attack

73
Q

Security intrusion

A

evidence that an attacker attempted to gain, or gained, access

74
Q

Lifecycle - Response Capability

A

policy, procedures, a team

75
Q

Incident response and handling

A

Triage, investigation, containment, and analysis & tracking

76
Q

Recovery

A

Recovery / Repair

77
Q

Debriefing / Feedback

A

External Communications

78
Q

Mitigation

A

limit the effect or scope of an incident

79
Q

List the steps for an Incidence Response

A
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons Learned
80
Q

Root Cause Analysis (RCA)

A

Techniques for finding the underlying cause of an incident rather than its symptoms:

  • 5 Whys
  • Failure Mode and Effects Analysis (FMEA)
  • Pareto Analysis
  • Fault Tree Analysis (a tree of events combined with Boolean AND/OR gates)
  • Cause Mapping
81
Q

HIDS

A

Host-based IDS, monitors activity on a single computer, including process calls and information recorded in firewall logs. It can often examine events in more detail than an NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect.

82
Q

NIDS

A

Network-based IDS, monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console.

83
Q

List the 3 Backup types

A

Full
Incremental
Differential

84
Q

Full

A

All files; the archive bit (the “modified” flag) is cleared on every file. Advantage: only the most recent full backup is needed for a complete restore. Disadvantage: time consuming and takes the most space.

85
Q

Incremental

A

Only files modified since the last backup of any kind; the archive bit is cleared. Advantage: least time and space per backup. Disadvantage: restore the last full backup first, then every incremental since it, in order; less reliable because the restore depends on more tapes.

86
Q

Differential

A

Only files modified since the last full backup; the archive bit is not cleared, so each differential grows until the next full. Advantage: only the last full backup and the most recent differential are needed to restore. Backup time is intermediate between full and incremental.
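The archive-bit behaviour behind the three backup types, as an added example that is not part of the original flashcards: a small simulation that runs the same week of changes under an incremental and a differential strategy, shows which files land in each backup set, and derives the restore chain each strategy needs. File names and the change schedule are constructed for illustration.

```python
"""Archive-bit simulation of full, incremental and differential backups (added example)."""


class Volume:
    """A file system whose files carry an archive bit ('changed since last cleared')."""

    def __init__(self, files):
        self.files = {name: {"content": data, "archive": True} for name, data in files.items()}

    def modify(self, name, data):
        self.files[name] = {"content": data, "archive": True}

    def backup(self, kind):
        """Return the backup set for `kind` and update archive bits accordingly."""
        if kind == "full":
            chosen = list(self.files)
        elif kind in ("incremental", "differential"):
            chosen = [n for n, f in self.files.items() if f["archive"]]
        else:
            raise ValueError(kind)
        if kind in ("full", "incremental"):  # a differential leaves the bit set
            for n in chosen:
                self.files[n]["archive"] = False
        return {"kind": kind, "data": {n: self.files[n]["content"] for n in chosen}}


def restore(backups):
    """Replay backup sets in order; a later set overrides earlier copies of a file."""
    state = {}
    for b in backups:
        state.update(b["data"])
    return state


def restore_plan(history):
    """Backup sets needed to rebuild the volume from a chronological `history`.

    Incremental chain: last full plus every incremental after it.
    Differential chain: last full plus only the newest differential."""
    last_full = max(i for i, b in enumerate(history) if b["kind"] == "full")
    later = history[last_full + 1:]
    kinds = {b["kind"] for b in later}
    if len(kinds) > 1:
        raise ValueError("mixed incremental/differential chains are not modelled")
    if kinds == {"differential"}:
        return [history[last_full], later[-1]]
    return [history[last_full]] + later


def run_week(kind):
    """Constructed schedule: full on day 0, then a changed file on each of three days."""
    vol = Volume({"a": "a1", "b": "b1", "c": "c1"})
    history = [vol.backup("full")]
    for name, data in [("a", "a2"), ("b", "b2"), ("a", "a3")]:
        vol.modify(name, data)
        history.append(vol.backup(kind))
    return history
```

Both chains end in the same volume state; the trade-off is that the incremental restore touches four sets (and fails if any one is unreadable) while the differential restore touches two, at the cost of the differential growing every day until the next full.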

87
Q

Redundant servers

A

applies the RAID 1 mirroring concept to servers: on an error the servers fail over. Also known as server fault tolerance.

88
Q

Server clustering

A

group of independent servers managed as a single system. All servers are online and take part in processing service requests.

Cluster vs. grid: cluster devices all share the same OS and application software, while grid devices can run different OSs and still work on the same problem.

89
Q

Tape Rotation Schemes

A

Grandfather/Father/Son, Tower of Hanoi, Six Cartridge Weekly
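Two of the rotation schemes above as schedulers, added as an example that is not part of the original flashcards. The Grandfather/Father/Son calendar conventions (daily “son” tapes Monday to Thursday, a “father” tape every Friday, the last Friday of the month promoted to a “grandfather” kept for a year) and the tape counts are assumptions; the Tower of Hanoi rule is the standard one, where day n writes the tape numbered by the trailing zero bits of n.

```python
"""Tape-rotation schedulers: Grandfather/Father/Son and Tower of Hanoi (added example)."""
import calendar
from datetime import date

DAILY = ("Son-Mon", "Son-Tue", "Son-Wed", "Son-Thu")


def gfs_tape(day_iso, weekly_slots=5, monthly_slots=12):
    """Grandfather/Father/Son tape for an ISO date string (assumed calendar rules)."""
    day = date.fromisoformat(day_iso)
    wd = day.weekday()  # Monday == 0
    if wd >= 5:
        return None      # no backup at the weekend in this schedule
    if wd < 4:
        return DAILY[wd]  # son tapes are overwritten every week
    days_in_month = calendar.monthrange(day.year, day.month)[1]
    last_friday = max(d for d in range(1, days_in_month + 1)
                      if date(day.year, day.month, d).weekday() == 4)
    if day.day == last_friday:
        return "Grandfather-%02d" % ((day.month - 1) % monthly_slots + 1)
    week_of_month = (day.day - 1) // 7 + 1
    return "Father-%d" % ((week_of_month - 1) % weekly_slots + 1)


def hanoi_tape(day_number, tapes):
    """Tower of Hanoi: day n uses tape trailing_zeros(n), capped at the last tape.

    Tape 0 is rewritten every 2nd day, tape 1 every 4th, tape 2 every 8th, and so
    on, so older tapes are overwritten exponentially less often."""
    if day_number < 1:
        raise ValueError("day numbers start at 1")
    trailing_zeros = (day_number & -day_number).bit_length() - 1
    return min(trailing_zeros, tapes - 1)


def hanoi_schedule(days, tapes=5):
    """Tape index to write on each of the first `days` days."""
    return [hanoi_tape(n, tapes) for n in range(1, days + 1)]
```

With five tapes the Hanoi sequence repeats every 16 days and always leaves you copies that are 1, 2, 4, 8 and 16 days old at most; GFS instead gives one restore point per day for a week, per week for a month and per month for a year.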

90
Q

RAIT

A

Redundant Array of Independent Tapes: RAID-style striping or mirroring across tape drives, usually inside a tape library whose robotic mechanisms transfer tapes between storage slots and drive mechanisms

91
Q

RAID 0

A

Striped, one large disk out of several –Improved performance but no fault tolerance

92
Q

RAID 1

A

Mirrored drives –fault tolerance from disk errors and single disk failure, expensive; redundancy only, not speed

93
Q

RAID 2

A

not used commercially; bit-level striping with Hamming-code error correction

94
Q

RAID 3

A

Byte-level striping with a dedicated parity drive: improved performance and fault tolerance, but every write must update the parity drive, making it a write bottleneck. 3 or more drives.

95
Q

RAID4

A

Same as Raid 3 but striped on block level; 3 or more drives

96
Q

RAID 5

A

Block-level striping with parity distributed (interleaved) over all drives; requires all drives but one to be present to operate, so a single failed drive can be hot-swapped and rebuilt from the others. 3 or more drives.
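How the distributed parity of RAID 5 lets the array run with one drive missing, as an added example that is not part of the original flashcards. It stripes a payload across a small in-memory array with rotating XOR parity and then rebuilds the data after each drive in turn is “lost”; the four-drive layout, block size and sample payload are assumptions for illustration.

```python
"""RAID 5 striping with rotating XOR parity and single-drive rebuild (added example)."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks; with one block missing, XOR of the rest restores it."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_drives, block_size):
    """Split `data` into stripes of (n_drives - 1) data blocks plus one parity
    block; the parity position rotates so no single drive takes every parity write."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    data_per_stripe = (n_drives - 1) * block_size
    data += b"\x00" * ((-len(data)) % data_per_stripe)  # pad the final stripe
    drives = [[] for _ in range(n_drives)]
    for s in range(len(data) // data_per_stripe):
        chunk = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_drives - 1)]
        parity_drive = s % n_drives
        parity = xor_blocks(blocks)
        it = iter(blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(it))
    return drives


def raid5_read(drives, failed=None):
    """Reassemble the data; if drive `failed` is unavailable, rebuild each of its
    blocks as the XOR of the surviving blocks in that stripe."""
    n_drives = len(drives)
    alive = next(d for d in range(n_drives) if d != failed)
    out = bytearray()
    for s in range(len(drives[alive])):
        stripe = [None if d == failed else drives[d][s] for d in range(n_drives)]
        if failed is not None:
            stripe[failed] = xor_blocks([b for b in stripe if b is not None])
        parity_drive = s % n_drives
        for d, block in enumerate(stripe):
            if d != parity_drive:
                out += block
    return bytes(out)


# Constructed sample payload (assumption).
DATA = b"RAID5 rebuilds a lost drive from parity"
```

Losing a second drive leaves two unknowns per stripe and one XOR equation, which is why RAID 6 adds a second, independently computed parity block.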

97
Q

RAID 6

A

Dual Parity, parity distributed over all drives –requires all drives but two to be present to operate hot- swappable

98
Q

RAID 7

A

proprietary; like RAID 5, but all drives act as one single virtual disk through a controller with its own cache

99
Q

Transaction Redundancy Implementations

A

Electronic vaulting
Remote Journaling
Database shadowing

100
Q

Electronic vaulting

A

transfer of backup data to an offsite storage location via communication lines

101
Q

Remote Journaling

A

parallel processing of transactions to an alternative site via communication lines

102
Q

Database shadowing

A

builds on remote journaling: live duplicates of the database are maintained on multiple servers

103
Q

Data destruction and reuse

A
Object reuse 
Data remanence 
Clearing
Purging
Destruction
104
Q

Object reuse

A

reuse of a storage object (memory, disk space) after its initial use; it must not expose the previous owner’s data

105
Q

Data remanence

A

data that remains on media after it has been erased or formatted. The older Orange Book era guidance was to overwrite magnetic media 7 times; formatting alone does not remove remanence.

106
Q

Clearing

A

overwriting media so that it can be reused within the same security environment

107
Q

Purging

A

degaussing or more thorough overwriting so that the media can be removed from the environment or reused at a lower classification

108
Q

Destruction

A

physically destroying the media, preferably by burning (incineration)

109
Q

What is the end goal of Disaster Recovery Planning?

A

Restore normal business operations. A statement of the actions that have to be taken before, during and after a disruptive event that causes a significant loss of information. Goal: provide an organized way of decision-making, reduce confusion and deal with the crisis. Planning and development must occur before the disaster; the BIA has already been done, now we protect.

110
Q

What is a Disaster?

A

any event, natural or manmade, that can disrupt normal IT operations. The disaster is not over until all operations have been returned to their normal location and function; it is officially over when the data has been verified as accurate at the primary site.

111
Q

Recovery team

A

mandated to implement recovery after the declaration of the disaster

112
Q

Salvage team

A

goes back to the primary site to normal processing environmental conditions. Clean, repair, Salvage. Can declare when primary site is available again

113
Q

Normal Operations Resume plan

A

has all procedures on how the company will return processing from the alternate site

114
Q

Other recovery issues

A

Interfacing with other groups: everyone outside the corporation
Employee relations: responsibility towards employees and their families
Fraud and crime: vandalism, looting and people seizing the opportunity
Financial disbursement
Media relations: find someone to run it

Documenting the plan: activation and recovery procedures, plan management, HR involvement, costs, required documentation, internal/external communications, detailed plans by team members

GET COMMUNICATIONS UP FIRST, THEN THE MOST CRITICAL BUSINESS FUNCTIONS

115
Q

Disaster Recovery Test

A
Desk Check 
Table-top exercise 
Simulation tests 
Parallel tests
Full-interruption tests
116
Q

Desk Check

A

review plan contents

117
Q

Table-top exercise

A

members of the disaster recovery team gather in a large conference room and role-play a disaster scenario.

118
Q

Simulation tests

A

are more comprehensive and may impact one or more noncritical business units of the organization, all support personnel meet in a practice room

119
Q

Parallel tests

A

involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at an alternate site, main site open also

120
Q

Full-interruption tests

A

involve relocating personnel to the alternate site and shutting down operations at the primary site.

121
Q

BCP

A

Plan for emergency response, backup operations and post disaster recovery maintained by an activity as a part of its security program that will ensure the availability of critical resources and facilitate the continuity of operations in an emergency situation

122
Q

BCP (pro) & DRP (reactive)Goals

A

Business continuity (proactive): ensuring the business can continue in an emergency; starts with a business organization analysis and focuses on business processes.

  1. Scope and plan initiation: consider the amount of work required, resources required, management practice
  2. BIA: helps to understand the impact of disruptive events
  3. Business continuity plan development: a. use the BIA to develop the BCP (the strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development) b. testing
  4. Plan approval and implementation: management approval, create awareness

Update the plan as needed; test at least once a year.

Disaster recovery (reactive): recover as quickly as possible

  • Heavy IT focus
  • Allows the execution of the BCP
  • Needs planning
  • Needs testing

Priority categories: CRITICAL, URGENT, IMPORTANT

123
Q

Business Continuity plans development

A
  • Defining the continuity strategy
  • Computing: strategy to preserve the elements of hardware/software/ communication lines/ applications/ data
  • Facilities: use of main buildings or any remote facilities
  • People: operators, management, technical support persons
  • Supplies and equipment: paper, forms HVAC
  • Documenting the continuity strategy
124
Q

Roles and responsibilities: BCP committee

A

BCP committee

  • Senior staff (ultimate responsibility, due care/diligence)
  • Various business units (identify and prioritize time critical systems)
  • Information Systems
  • Security Administrator
  • People who will carry out the plan (execute) representatives from all departments
125
Q

CCTV

A

A multiplexer allows the feeds of multiple cameras to be shown on one monitor over one cable.

Runs over coaxial cables (hence “closed” circuit).

Attacks: replayed video images.

Fixed mounting versus PTZ (pan, tilt, zoom). Annunciator system: detects movement on screen and alerts guards.

Recording (for later review) = detective control.

CCTV lets you compare audit trails and access logs with a visual recording.

126
Q

Importance of Lighting

A

Glare protection: against blinding by lights

Continuous lighting: evenly distributed lighting

Controlled lighting: no bleeding over, no blinding

Standby lighting: on timers

Responsive area illumination: an IDS detects activity and turns on the lighting

NIST: critical areas should be illuminated to a height of 8 feet with 2 foot-candles of power

127
Q

Fences

A

Small mesh and heavy-gauge wire (a lower gauge number means thicker wire) is most secure

3-4 feet deters the casual trespasser

6-7 feet is too hard to climb easily

8 feet plus barbed wire deters determined intruders; difficult to climb

No fence STOPS a determined intruder

128
Q

Local alarms

A

audible alarm that can be heard at least 400 feet away; the alarm must itself be protected from tampering

129
Q

Central stations

A

a monitoring station, e.g., a private security firm, that should be less than 10 minutes travel time away

130
Q

Proprietary systems

A

owned and operated by the customer. System provides many of the features in-house

131
Q

Auxiliary Station systems

A

on alarm ring out to local fire or police

132
Q

Line supervision check

A

checks that the alarm wiring has not been tampered with

133
Q

Power supplies

A

alarm systems need separate circuitry and backup power

134
Q

PHYSICAL PERIMETER DETECTION: Electromechanical

A

detect a break or change in a circuit: magnets pulled loose, wires on doors and windows, pressure pads

135
Q

Photoelectric

A

light beams interrupted (as in an store entrance)

136
Q

Passive infrared

A

detects changes in temperature

137
Q

Acoustical detection

A
  • microphones, vibrations sensors
138
Q

wave pattern motion detectors

A

emit ultrasonic or microwave waves into the area and detect motion as changes in the reflected pattern

139
Q

proximity or capacitance detector

A

senses changes in the electrical or magnetic field surrounding a monitored object to detect presence near it

140
Q

Types of Locks

A
Warded lock 
Tumbler lock 
Combination lock 
Cipher Lock 
Device lock 
Preset
Programmable
141
Q

Warded lock

A

the simplest key lock (typical of padlocks): the key must clear wards, obstructions inside the lock

142
Q

Tumbler lock

A

cylinder with spring-loaded pins (or discs or levers) that the key lifts to the shear line; more secure than a warded lock

143
Q

Combination lock

A

dial with wheels, e.g., a 3-digit combination

144
Q

Cipher Lock

A

electronic keypad lock; a code is entered instead of using a key

145
Q

Device lock

A

bolt down hardware

146
Q

Preset

A

ordinary door lock

147
Q

Programmable

A

combination or electrical lock

148
Q

Raking

A

a lock-picking technique to circumvent a pin tumbler lock by dragging a pick across the pins while applying tension

149
Q

Audit trails

A

  • Date and time stamps
  • Successful or unsuccessful attempt
  • Where the access was granted
  • Who attempted access
  • Who modified access privileges at supervisor level

150
Q

Security access cards

A

Photo ID card: dumb card

Digital-coded cards:

  • Swipe cards
  • Smart cards
  • Wireless proximity cards: user activated or system sensing
    o Passive device: no battery, uses the power of the reader’s field
    o Field-powered device: active electronics and a transmitter, but draws power from the surrounding field of the reader
    o Transponder: both card and reader hold their own power, transmitter and electronics

151
Q

What is a Trusted recovery ?

A

Ensures that the security is not breached when a system crash or failure occurs. Only required for a B3 and A1 level systems.

152
Q

Failure preparation

A

Backup critical information thus enabling data recovery

153
Q

System recovery after a system crash

A
  1. Rebooting system in single user mode or recovery console, so no user access is enabled
  2. Recovering all file systems that were active during failure
  3. Restoring missing or damaged files
  4. Recovering the required security characteristic, such as file security labels
  5. Checking security-critical files such as system password file
154
Q

Common criteria hierarchical recovery types

A
  1. Manual: system administrator intervention is required to return the system to a secure state
  2. Automatic: recovery to a secure state is automatic when resolving a single failure (though system administrators are needed to resolve additional failures)
  3. Automatic without Undue Loss: higher level of recovery, defining prevention against the undue loss of protected objects
  4. Function: the system can restore functional processes automatically
155
Q

Types of system failure

A

System reboot
Emergency restart
System cold start

156
Q

System reboot

A

The system shuts itself down in a controlled manner after detecting inconsistent data structures or running out of resources

157
Q

Emergency restart

A

when a system restarts after a failure that happened in an uncontrolled manner, e.g. when a low-privileged user tries to access restricted memory segments

158
Q

System cold start

A

when an unexpected kernel or media failure happens and the regular recovery procedure cannot bring the system back to a consistent state.

159
Q

Hackers and crackers

A

want to verify their skills as intruders

160
Q

Entitlement

A

refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges

161
Q

Aggregation

A

Privilege Creep, accumulate privileges

162
Q

Hypervisor

A

software component that manages the virtual components and controls access to physical resources. The hypervisor adds an additional attack surface, so it's important to ensure it is deployed in a secure state and kept up-to-date with patches

163
Q

Notebook

A

The notebook most preferred in a legal investigation is a bound notebook, whose pages are attached to a binding.

164
Q

Exigent circumstances

A

allows officials to seize evidence before it is destroyed (police team falls in)

165
Q

Data haven

A

is a country or location that has no relevant laws, or only poorly enforced laws

166
Q

Chain of custody

A

collection, analysis and preservation of data. Forensics uses a bit-level copy of the disk

167
Q

Darknet

A

unused network space that may detect unauthorized activity

168
Q

Pseudo flaw

A

a false vulnerability in a system that may attract an attacker

169
Q

FAIR INFORMATION PRACTICES

A
  • Openness
  • Collection Limitation
  • Purpose Specification
  • Use Limitation
  • Data Quality
  • Individual Participation
  • Security Safeguards
  • Accountability
170
Q

Noise and perturbation

A

inserting bogus information in the hope of misleading an attacker

171
Q

GANTT and PERT charts

A

Monitor progress and planning of projects through GANTT and PERT charts

172
Q

Piggybacking

A

looking over someone's shoulder to see how they gain access.

173
Q

Data center should have:

A
  • Walls from floor to ceiling
  • Floor: concrete slab, 150 pounds per square foot
  • No windows in a datacenter
  • Air-conditioning should have own Emergency Power Off (EPO)

Electronic Access Control (EAC): proximity readers, programmable locks or biometric systems
Location

174
Q

CPTED

A

Crime Prevention Through Environmental Design

  • Natural access control: guidance of people by doors, fences, bollards and lighting. Security zones defined
  • Natural surveillance: cameras and guards
  • Territorial reinforcement: walls, fences, flags
  • Target hardening: focus on locks, cameras, guards
175
Q

Facility site:

A

CORE OF BUILDING (thus in a building with 6 storeys, on the 3rd floor)

176
Q

Hacktivists

A

(combination of hacker and activist) often combine political motivations with the thrill of hacking.

177
Q

Thrill attacks

A

are attacks launched only for the fun of it: pride, bragging rights

178
Q

Script kiddies

A

Attackers who lack the ability to devise their own attacks will often download programs that do the work for them. The main motivation behind these attacks is the "high" of successfully breaking into a system, or service interruption. An attacker may destroy data, but the main motivation is to compromise a system and perhaps use it to launch an attack against another victim. Website defacements are common.

179
Q

Business Attacks

A

focus on illegally obtaining an organization’s confidential information. The use of the information gathered during the attack usually causes more damage than the attack itself.

180
Q

Financial Attacks

A

carried out to unlawfully obtain money or services.

181
Q

Terrorist Attacks

A

purpose of a terrorist attack is to disrupt normal life and instill fear

182
Q

Military or intelligence attack

A

designed to extract secret information.

183
Q

Grudge Attacks

A

are attacks that are carried out to damage an organization or a person. The damage could be in the loss of information or information processing capabilities or harm to the organization or a person’s reputation.

184
Q

Sabotage

A

is a criminal act of destruction or disruption committed against an organization by an employee. It can become a risk if an employee is knowledgeable enough about the assets of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled.

185
Q

Espionage

A

is the malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization. Attackers often commit espionage with the intent of disclosing or selling the information to a competitor or other interested organization (such as a foreign government). Attackers can be dissatisfied employees and, in some cases, employees who are being blackmailed by someone outside the organization. Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track all employee activities.

186
Q

Integrity breaches

A

unauthorized modification of information; violations are not limited to intentional attacks. Human error, oversight, or ineptitude accounts for many instances

187
Q

Confidentiality breaches

A

theft of sensitive information