Forensics, Frameworks & Regulations Flashcards

1
Q

Information Lifecycle Management stages

A

Creation/collection - data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.

Distribution/use - data is made available on a need to know basis for authorized uses by authenticated account holders and third parties.

Retention - for regulatory reasons, data might have to be kept in an archive past the date when it is still used.

Disposal - when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

2
Q

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

A

Data Owner

3
Q

An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

A

Data Steward

4
Q

An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

A

Data Custodian

5
Q

Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

A

Data Privacy Officer

6
Q

In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.

A

Data Controller

7
Q

In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

A

Data Processor

8
Q

Information created by an organization, typically about the products or services that it makes or provides.

A

Proprietary Information or IP

9
Q

This label is typically used in the context of personal data in which privacy-sensitive information about a subject could harm them if made public and could prejudice decisions made about the subject.

A

Sensitive

10
Q

In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

A

Purpose Limitation

11
Q

A contractual agreement setting out the detailed terms under which a service is provided. This can include terms for security access controls and risk assessments plus processing requirements for confidential and private data.

A

SLA

12
Q

Modifying or replacing identifying personal information in a data set so that reidentification depends on an alternate data source.

A

Pseudo-anonymization

13
Q

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

A

Data Masking

14
Q

A deidentification method where a unique token is substituted for real data.

A

Tokenization

15
Q

Incident Response Process

A

1) Preparation
- Make the system resilient to attack

  • Harden systems
  • Establish confidential lines of communication to approved call list
  • Create incident response resources and procedures

2) Identification

  • Categorize alerts and notifications as incidents
  • Assess incident priority (triage)
  • Notify stakeholders

3) Containment
- Limit the scope and magnitude of the incident

  • Isolate affected hosts and accounts
  • Use segmentation to prevent spread
  • Restrict communications to trusted parties only

4) Eradication
- Remove causes of incident from hosts and networks

  • Sanitize infected media devices
  • Reconstruct/reimage hosts
  • Reconstitute hosts and services

5) Recovery

6) Lessons Learned

  • Prepare incident summary reports for stakeholders
  • Conduct lessons learned/after action meeting
  • Create after action report with summary and recommendations

16
Q

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

A

Cyber Kill Chain

1) Recon

2) Weaponization

3) Delivery

4) Exploitation

5) Installation

6) Command & Control

7) Actions on Objectives

17
Q

A framework for analyzing cybersecurity incidents.

Uses 4 core features:

  • Adversary
  • Infrastructure
  • Victim
  • Capability

A

The Diamond Model of Intrusion Analysis

18
Q

This is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.

A

Tabletop

19
Q

In this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company’s actual response and recovery tools.

A

Walkthrough

20
Q

__________—a ________ is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

A

Simulation

21
Q

_____ is a U.S. government action designed to motivate departments and people on how to address a myriad of circumstances regarding recovery and longevity during and after emergency situations. _____ plans should include alerting, identification of critical functions, personnel accountability, and establishment of an alternative location.

OR (Security+): A policy that describes and ratifies the organization’s overall business continuity strategy.

A

Continuity of Operation Planning (COOP)

22
Q

A console presenting selected information in an easily digestible format, such as a visualization.

A

Dashboard

23
Q

A _____ is a network tap or port mirror that performs packet capture and intrusion detection.

A

Sensor

24
Q

The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or better understand past events.

A

Trend Analysis

25
Q

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

Usually uses UDP port 514.

A

Syslog

26
Q

Software optimized for multi-platform log collection and aggregation.

Open source.

A

NXLog

27
Q

Log type

Events generated by applications and services, such as when a service cannot start.

A

Application log

28
Q

Log type

Audit events, such as a failed logon or access to a file being denied.

A

Security log

29
Q

Log type

Events generated by the operating system and its services, such as storage volume health checks.

A

System log

30
Q

Log type

Events generated during the installation of Windows.

A

Setup log

31
Q

Log type

Events that are sent to the local log from other hosts.

A

Forwarded events log

32
Q

File containing data captured from system memory.

A

Dump file

33
Q

Information stored or recorded as a property of an object, state of a system, or transaction.

A

Metadata

34
Q

A record of the email servers involved in transferring an email message from a sender to a recipient.

A

Internet header in an email

35
Q

A Cisco-developed means of reporting network flow information to a structured database. ____ allows better understanding of IP traffic flows as used by different network applications and hosts.

A

Netflow

36
Q

Web standard for using sampling to record network traffic statistics.

A

sFlow

37
Q

_________ provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM’s policy templates.

A

Mobile Device Management (MDM)

38
Q

Using AI to identify vulnerabilities and attack vectors to circumvent security systems.

A

Adversarial AI

39
Q

A means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

A

E-discovery

40
Q

The NTFS file system stores time values in _____ format, so they are not affected by changes in time zone or daylight saving time.

A

UTC

41
Q

Order of volatility

A

1) CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).

2) Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.

3) Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):

  • Partition and file system blocks, slack space, and free space.
  • System memory caches, such as swap space/virtual memory and hibernation files.
  • Temporary file caches, such as the browser cache.
  • User, application, and OS files and directories.

4) Remote logging and monitoring data.

5) Physical configuration and network topology.

6) Archival media and printed documents.

42
Q

The _______ is an open source collection of command-line and programming libraries for disk imaging and file analysis.

Autopsy is a graphical front-end for these tools and acts as a workflow tool.

A

Sleuth Kit

43
Q

Linux utility developed as part of the Coroner’s Toolkit to dump system memory data to a file.

A

memdump

44
Q

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

A

dd command

45
Q

In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

A

Provenance

46
Q

Data Acquisition order

A

1) Hash is made using MD5 or SHA

2) Bit-by-bit copy of the media is made

3) Second hash is made (should match first hash)

4) Copy is made of the reference image

47
Q

The process of extracting data from a computer when that data has no associated file system metadata.

A

Carving

48
Q

A _____ is a live acquisition image of a persistent disk. While this may have less validity than an image taken from a device using a write blocker, it may be the only means of acquiring data from a virtual machine or cloud process.

A

Snapshot

49
Q

Risk Management process (5 main steps)

A

  • Identify mission essential functions
  • Identify vulnerabilities
  • Identify threats
  • Analyze business impacts
  • Identify risk response

50
Q

In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.

A

Exposure Factor

(EF)

51
Q

Risk that remains even after controls are put into place.

A

Residual Risk

52
Q

Risk that arises when a control does not provide the level of mitigation that was expected.

A

Control Risk

53
Q

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

A

Business Impact Analysis (BIA)

54
Q

To scale OUT

vs

To scale UP

A

To scale out is to add more resources in parallel with existing resources.

To scale up is to increase the power of existing resources.

55
Q

Scalability
vs
Elasticity

A

Scalability is the capacity to increase resources to meet demand within similar cost ratios.

Elasticity refers to the system’s ability to handle these changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly increases rapidly.

56
Q

A backup type in which all selected files, regardless of prior state, are backed up

(archive attribute?)

A

Full Backup

Cleared

57
Q

A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

(archive attribute?)

A

Incremental

Cleared

58
Q

A backup type in which all selected files that have changed since the last full backup are backed up.

(archive attribute?)

A

Differential

Not cleared

59
Q

Makes snapshot backups of files even if they are open. It is used for Windows backup and the System Restore and Previous Versions features.

A

Volume Shadow Copy Service (VSS)

60
Q

A storage device with an embedded OS that supports typical network file access protocols (TCP/IP and SMB for instance).

A ____ can be another good option for SOHO backup, but as a single device, it provides no offsite option. As it is normally kept online, it can be vulnerable to cryptoransomware as well.

A

NAS

61
Q

A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.

Where NAS uses file-level access to storage, a SAN is based on block-level addressing. A SAN can incorporate RAID arrays and tape systems within the same network. SANs can achieve offsite storage through replication.

A

SAN

62
Q

Order of restoration

A

1) Power

2) Switch infrastructure, then routing appliances

3) Firewalls

4) Network servers (DHCP, DNS, NTP, directory services)

5) Back-end middleware

6) Front-end application

7) Client workstations

63
Q

The property by which a computing environment is discarded once it has finished its assigned task.

A

Non-persistence

64
Q

A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

A

Warm Site

65
Q

Deception strategy that returns spoofed data in response to network probes.

A

Fake Telemetry

66
Q

Temporary DNS record that redirects malicious traffic to a controlled IP address.

A

DNS Sinkhole

67
Q

A __________ alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut.

A

Circuit Based

68
Q

A type of network isolation that physically separates a network from all other networks.

A

Air Gapped

69
Q

A wire mesh container that blocks external electromagnetic fields from entering into the container.

A

Faraday Cage

70
Q

A method of sanitizing a drive by setting all bits to zero.

A

Zero-filling

71
Q

A method of sanitizing a self-encrypting drive by erasing the media encryption key.

A

Crypto Erase

72
Q

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.

______ requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker, can write its keys to.

A

Full Disk Encryption

73
Q

A disk drive where the controller can automatically encrypt data that is written to it.

A

Self-encrypting drives (SED)

74
Q

In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.

Used in SED

Can change the password without having to decrypt and re-encrypt.

A

KEK

Key Encryption Key

75
Q

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

A

CSA

76
Q

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.

A

Statements on Standards for Attestation Engagements (SSAE)

77
Q

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

A

Center for Internet Security (CIS)

78
Q

A charity and community publishing a number of secure application development resources.

A

Open Web Application Security Project (OWASP)

79
Q

Law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

A

SOX

80
Q

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Shield requirements.

A

General Data Protection Regulation (GDPR)

81
Q

A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.

A

GLBA

82
Q

The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.

A

Cyber Threat Intel

83
Q

Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

A

Information Sharing and Analysis Centers (ISACs)

84
Q

A framework for analyzing cybersecurity incidents.

A

STIX

85
Q

A protocol for supplying codified information to automate incident detection and analysis.

A

TAXII

86
Q

Threat intelligence data feed operated by the DHS.

A

AIS