Domain 7 - Security Operations Flashcards
EVIDENCE LIFECYCLE
- Discovery
- Protection
- Recording
- Collection and identification
- Analysis
- Storage, preservation, transportation
- Present in court
- Return to owner
Direct Evidence:
Can prove fact by itself and does not need any type of backup.
• Testimony from a witness – one of their 5 senses
Oral evidence is a type of secondary evidence, so the case can’t simply stand on it alone,
but it is direct evidence and does not need other evidence to substantiate it.
Circumstantial evidence
- Used to help assume another fact
- Cannot stand on its own to directly prove a fact
Corroborative Evidence:
Supports or substantiates other evidence presented in a case
The Process - Due Process
• Prepare questions and topics
• Put the witness at ease
• Summarize information
• Interview/interrogation plan
• Have one person as lead and 1-2 others involved as well
• Never interrogate or interview alone
Admissible Evidence
• The evidence must be relevant to determining a fact.
• The fact that the evidence seeks to determine must be material (that is, related) to the case.
• The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Five rules of evidence:
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for & against view
- Be convincing; clear & easy to understand for jury
- Be admissible; be able to be used in court
Forensic Disk Controller
Intercepts and modifies or discards commands sent to the storage device:
• Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device
• Return data requested by a read operation
• Returning access-significant information from device
• Reporting errors from device to forensic host
LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS
Criminal law
Individuals that violate government laws. Punishment is mostly imprisonment.
Civil law
Wrongs against an individual or organization that result in damage or loss. Punishment can include financial penalties. AKA tort law (I’ll Sue You!). A jury decides liability.
Administrative/Regulatory law
How industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.
Uniform Computer Information Transactions Act (UCITA)
Is a federal law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing. The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.
Enticement
Is the legal action of luring an intruder, as with a honeypot.
Entrapment
Is the illegal act of inducing a crime; the individual had no intent of committing the crime at first.
Federal Sentencing Guidelines
Provides judges and courts procedures on the prevention, detection and reporting
Security incident and event management
SIEM
Automating much of the routine work of log review.
Provides real-time analysis of events occurring on systems throughout an organization, but doesn’t necessarily scan outgoing traffic.
Network-based DLP -
Scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator.
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization’s endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
3 states of information
- data at rest (storage)
- data in transit (the network)
- data being processed (must be decrypted) / in use / end-point
FAIL SAFE:
doors UNLOCK
FAIL SECURE:
doors LOCK