Domain 7 - Security Operations Flashcards
EVIDENCE LIFECYCLE
- Discovery
- Protection
- Recording
- Collection and identification
- Analysis
- Storage, preservation, transportation
- Present in court
- Return to owner
Direct Evidence:
Can prove fact by itself and does not need any type of backup.
• Testimony from a witness – one of their 5 senses:
Oral Evidence is a type of Secondary Evidence so the case can’t simply stand on it alone
But it is Direct Evidence and does not need other evidence to substantiate
Circumstantial evidence
- Used to help assume another fact
- Cannot stand on its own to directly prove a fact
Corroborative Evidence:
Supports or substantiates other evidence presented in a case
The Process - Due Process
• Prepare an interview/interrogation plan
• Prepare questions and topics
• Put the witness at ease
• Summarize information
• Have one person as lead and 1-2 others involved as well
• Never interrogate or interview alone
Admissible Evidence
• The evidence must be relevant to determining a fact.
• The fact that the evidence seeks to determine must be material (that is, related) to the case.
• The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Five rules of evidence:
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for & against view
- Be convincing; clear & easy to understand for jury
- Be admissible; be able to be used in court
Forensic Disk Controller
Intercepting and modifying or discarding commands sent to the storage device
• Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device
• Return data requested by a read operation
• Returning access-significant information from device
• Reporting errors from device to forensic host
LOGS TAKEN IN THE NORMAL COURSE OF BUSINESS
Criminal law
Individuals who violate government laws. Punishment is mostly imprisonment.
Civil law
Wrongs against an individual or organization that result in damage or loss. Punishment can include financial penalties. AKA tort law ("I'll Sue You!"). A jury decides liability.
Administrative/Regulatory law
How industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.
Uniform Computer Information Transactions Act (UCITA)
Is a federal law that provides a common framework for the conduct of computer-related business transactions. UCITA contains provisions that address software licensing. The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.
Enticement
Is the legal action of luring an intruder, like in a honeypot
Entrapment
Is the illegal act of inducing a crime; the individual had no intent of committing the crime at first
Federal Sentencing Guidelines
Provides judges and courts procedures on the prevention, detection and reporting
Security incident and event management
SIEM
Automating much of the routine work of log review.
Provide real-time analysis of events occurring on systems throughout an organization but don't necessarily scan outgoing traffic
Network-based DLP -
Scans all outgoing data looking for specific data. Administrators would place it on the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system will detect it and prevent it from leaving the organization. The DLP system will send an alert, such as an email to an administrator.
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer
3 states of information
- data at rest (storage)
- data in transit (the network)
- data being processed (must be decrypted) / in use / end-point
FAIL SAFE:
doors UNLOCK
FAIL SECURE
doors LOCK
Incident Response
Events:
Anything that happens. Can be documented, verified and analyzed
Security Incident -
An event or series of events that adversely impacts the ability of an organization to do business. A suspected attack.
Incident Response Lifecycle
Detection → Response → Mitigation → Reporting → Recovery → Remediation → Lessons Learned → cycle back to Response
RAID 0
Striped, one large disk out of several – improved performance but no fault tolerance
RAID 1
Mirrored drives – fault tolerance from disk errors and single disk failure; expensive
RAID 3
Striped on byte level with extra parity drive – improved performance and fault tolerance, but the parity drive is a single point of failure and write intensive. 3 or more drives
RAID 4
Same as RAID 3 but striped on block level; 3 or more drives
RAID 5
Striped on block level, parity distributed over all drives – requires all drives but one to be present to operate; hot-swappable. Interleaved parity, recovery control; 3 or more drives
RAID 6
Dual parity, parity distributed over all drives – requires all drives but two to be present to operate; hot-swappable
RAID 7
Is the same as RAID 5 but all drives act as one single virtual disk
Electronic vaulting
Transfer of backup data to an offsite storage location via communication lines
Remote Journaling
Parallel processing of transactions to an alternative site via communication lines
Database shadowing
Live processing of remote journaling and creating duplicates of the database sets to multiple servers
Clearing Data
Overwriting media to be reused
Purging
Degaussing or overwriting media that is to be removed
Desk Check
review plan contents
Table-top exercise
Members of the disaster recovery team gather in a large conference room and roleplay a disaster scenario.
Simulation tests
Are more comprehensive and may impact one or more noncritical business units of the organization; all support personnel meet in a practice room
Parallel tests
Involve relocating personnel to the alternate site and commencing operations there. Critical systems are run at the alternate site while the main site also stays open
Full-interruption tests
Involve relocating personnel to the alternate site and shutting down operations at the primary site.
BCP Scope and plan initiation
Consider the amount of work required, resources required, management practice
Business Continuity Plan development
- Use BIA to develop BCP (the strategy development phase bridges the gap between the business impact assessment and the continuity planning phases of BCP development)
- Testing
Plan approval and implementation
- Management approval
- Create awareness
Warded lock
hanging lock with a key (padlock)
Tumbler lock
cylinder slot
Cipher Lock
Electrical
Device lock
bolt down hardware
Preset lock
ordinary door lock
Raking
circumvent a pin tumbler lock
Entitlement
Refers to the amount of privileges granted to users, typically when first provisioning an account. A user entitlement audit can detect when employees have excessive privileges
Bind variables
Are placeholders for literal values in a SQL query being sent to the database on a server. Bind variables in SQL are used to enhance the performance of a database