Domain 7: Security Operations Flashcards
What are the four types of disk-based forensic data?
Four basic types of disk-based forensic data:
• Allocated space
• Unallocated space
• Slack space
• “Bad” blocks/clusters/sectors
What is allocated space?
• Allocated space: portions of a disk partition that are marked as actively containing data.
What is unallocated space?
• Unallocated space: portions of a disk partition that do not contain active data. This includes portions that have never been allocated, as well as previously allocated portions that have been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and made available for use.
What is slack space?
• Slack space: data is stored in specific-sized chunks known as clusters, which are sometimes referred to as sectors or blocks. A cluster is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster, then some extra space will exist within the cluster. This leftover space is known as slack space; it may contain old data, or it can be used intentionally by attackers to hide information.
What are bad blocks/sectors?
• “Bad” blocks/clusters/sectors: hard disks routinely end up with sectors that cannot be read due to some physical defect. The sectors marked as bad will be ignored by the operating system since no data could be read in those defective portions. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.
What are the 8 steps in the incident response process?
Steps in incident response process:
- Preparation - The preparation phase includes steps taken before an incident occurs.
- Detection (identification) - Events are analyzed in order to determine whether these events might comprise a security incident.
- Response (containment) - The incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident.
- Mitigation (eradication) - The process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
- Reporting - The reporting phase of incident handling occurs throughout the process, beginning with detection. Reporting must begin immediately upon detection of malicious activity.
- Recovery - involves cautiously restoring the system or systems to operational status.
- Remediation - Remediation steps occur during the mitigation phase, where vulnerabilities within
- Lessons learned (postincident activity, postmortem, or reporting) - provide a final report on the incident, which will be delivered to management
What is the difference between a true/false positive/negative?
- True positive: A worm is spreading on a trusted network; NIDS alerts
- True negative: User surfs the Web to an allowed site; NIDS is silent
- False positive: User surfs the Web to an allowed site; NIDS alerts
- False negative: A worm is spreading on a trusted network; NIDS is silent
What is security baselining?
Security baselining is the process of capturing a snapshot of the current system security configuration.
What is a zero day vulnerability?
A zero-day vulnerability is a vulnerability that is known before the existence of a patch.
What is a zero day exploit?
A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be patched.
What are the 8 steps in the change management process?
Flow of the change management process:
• Identifying the change
• Proposing the change
• Assessing the risk associated with the change
• Testing the change
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
What does RAID mirroring accomplish?
Three critical RAID terms are mirroring, striping, and parity.
• Mirroring achieves full data redundancy by writing the same data to multiple hard disks.
What is the goal of BCP?
The overarching goal of BCP is to ensure that the business will continue to operate before, throughout, and after a disaster event is experienced. The focus of BCP is on the business as a whole, ensuring that those critical services or functions the business provides or performs can still be carried out both in the wake of a disruption and after the disruption has been weathered.
What does a disaster recovery plan provide?
The Disaster Recovery Plan (DRP) provides a short-term plan for dealing with specific IT-oriented disruptions.
What does a disaster recovery plan focus on?
The DRP focuses on efficiently attempting to mitigate the impact of a disaster by preparing the immediate response and recovery of critical IT systems. DRP is considered tactical rather than strategic and provides a means for immediate response to disasters.
What does a business continuity plan contain?
The BCP is an umbrella plan that includes multiple specific plans, most importantly the DRP. The DRP serves as a subset of the overall BCP, which would be doomed to fail if it did not contain a tactical method for immediately dealing with disruption of information systems.
What does NIST 800-34 provide?
NIST Special Publication 800-34 provides a visual means for understanding the interrelatedness of BCP and DRP, as well as the Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.
What are the three categories of disasters?
The three common ways of categorizing the causes for disasters are derived from whether the threat agent is natural, human, or environmental in nature.
What do natural disasters include?
Natural—This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires. Historically, natural disasters have provided some of the most devastating disasters to which an organization must respond.
What do human disasters include?
Human—The human category of threats represents the most common source of disasters. Human threats can be further classified by whether they constitute an intentional or unintentional threat.
What do environmental disasters include?
Environmental—Threats focused on information systems or datacenter environments; includes items such as power issues (blackout, brownout, surge, spike, etc.), system component or other equipment failures, and application or software flaws.
What are the 7 types of disruptive events?
Types of disruptive events include:
• Errors and omissions: typically considered the most common source of disruptive events. This type of threat is caused by humans who unintentionally serve as a source of harm.
• Natural disasters: include earthquakes, hurricanes, floods, tsunamis, etc.
• Electrical or power problems: loss of power may cause availability issues, as well as integrity issues due to corrupted data.
• Temperature and humidity failures: may damage equipment due to overheating, corrosion, or static electricity.
• Warfare, terrorism, and sabotage: threats can vary dramatically based on geographic location, industry, and brand value, as well as the interrelatedness with other high-value target organizations.
• Financially motivated attackers: attackers who seek to make money by attacking victim organizations; includes exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus antimalware tools, corporate espionage, and others.
• Personnel shortages: may be caused by strikes, pandemics, or transportation issues. A lack of staff may lead to operational disruption.
What are the five steps in the disaster recovery process?
Steps in the disaster recovery process:
Respond - Assess the damage and determine whether the event constitutes a disaster.
Activate team
Communicate - This communication often must occur out-of-band, meaning that the typical communication method of leveraging an office phone will quite often not be a viable option
Assess - Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be performed by the disaster recovery team.
Reconstitution - Successfully recover critical business operations at either a primary or secondary site.
What are the 8 steps within NIST 800-34 for creating a BCP/DRP?
NIST SP 800-34 Steps in creating a BCP/DRP:
- Project Initiation
- Scope of the Project
- Business Impact Analysis (BIA)
- Identify Preventive Controls
- Recovery Strategy
- Plan Design and Development
- Implementation, Training, and Testing
- BCP/DRP Maintenance
What is a continuity of operations plan?
Continuity of operations plan - The COOP describes the procedures required to maintain operations during a disaster. This includes transfer of personnel to an alternate disaster recovery site and operations of that site.
What is a business recovery plan?
Business recovery plan - The BRP, also known as the Business Resumption Plan, details the steps required to restore normal business operations after recovering from a disruptive event. This may include switching operations from an alternate site back to a repaired primary site. The BRP picks up when the COOP is complete. This plan is narrow and focused: the BRP is sometimes included as an appendix to the BCP.
What is a continuity of support plan?
Continuity of support plan - The Continuity of Support Plan focuses narrowly on support of specific IT systems and applications. It is also called the IT Contingency Plan, emphasizing IT over general business support.
What is a cyber incident response plan?
Cyberincident response plan - The Cyberincident Response Plan is designed to respond to disruptive cyberevents, including network-based attacks. Loss of network connectivity alone may constitute a disaster for many organizations.
What is an occupant emergency plan?
Occupant emergency plan - The OEP provides the “response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.” This plan is facilities-focused, as opposed to business- or IT-focused. The OEP is focused on safety and evacuation, and should describe specific safety drills, including evacuation or fire drills.
What is a crisis management plan?
Crisis management plan - The CMP is designed to provide effective coordination among the managers of the organization in the event of an emergency or disruptive event. The CMP details the actions management must take to ensure that life and safety of personnel and property are immediately protected in case of a disaster.