Forensics, Frameworks & Regulations Flashcards
Information Lifecycle Management stages
Creation/collection - data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.
Distribution/use - data is made available on a need-to-know basis for authorized uses by authenticated account holders and third parties.
Retention - for regulatory reasons, data might have to be kept in an archive after the date when it is no longer in active use.
Disposal - when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.
A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.
Data Owner
An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
Data Steward
An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.
Data Custodian
Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.
Data Privacy Officer
In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.
Data Controller
In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data controller.
Data Processor
Information created by an organization, typically about the products or services that it makes or provides.
Proprietary Information or IP
This label is typically used in the context of personal data in which privacy-sensitive information about a subject could harm them if made public and could prejudice decisions made about the subject.
Sensitive
In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.
Purpose Limitation
A contractual agreement setting out the detailed terms under which a service is provided. This can include terms for security access controls and risk assessments plus processing requirements for confidential and private data.
SLA
Modifying or replacing identifying personal information in a data set so that reidentification depends on an alternate data source.
Pseudo-anonymization (pseudonymization)
A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.
Data Masking
A deidentification method where a unique token is substituted for real data.
Tokenization
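The three deidentification cards above (pseudo-anonymization, data masking, tokenization) are easiest to tell apart side by side. The following is an added example, not code from the original flashcards: it applies each method to one constructed sample record. The record values, the HMAC-based pseudonym scheme and the in-memory `TokenVault` are assumptions for illustration; in practice the key would come from a KMS and the vault would be a separately secured store, since the key and the vault are the "alternate data source" needed for reidentification.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not from the flashcards).
SAMPLE = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
    "dob": "1985-07-14",
}


def mask(value, keep_last=4, placeholder="X"):
    """Data masking: swap characters for a placeholder while keeping length and
    separators, so downstream code that validates the format still works.
    e.g. 123-45-6789 -> XXX-XX-6789"""
    n = len(value)
    return "".join(
        ch if (not ch.isalnum() or n - i <= keep_last) else placeholder
        for i, ch in enumerate(value)
    )


def pseudonymize(value, key):
    """Pseudonymization: replace the identifier with a keyed hash (HMAC-SHA256).
    The same subject maps to the same pseudonym across records, so joins and
    analysis still work, but linking a pseudonym back to a person needs the key
    (held elsewhere) plus a list of candidate identities to recompute against."""
    return "pseu_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: substitute a random token and keep the token->value mapping
    in a separate vault. The token itself carries no information about the value;
    reidentification requires access to the vault."""

    def __init__(self):
        self._by_value = {}
        self._by_token = {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def deidentify(record, key, vault):
    """Apply one method per field and return a dict safe to hand to an analytics team."""
    return {
        "subject": pseudonymize(record["name"], key),  # stable pseudonym for joins
        "ssn": mask(record["ssn"]),                     # XXX-XX-6789
        "card": vault.tokenize(record["card"]),        # tok_... (PAN only in the vault)
        "dob_year": record["dob"][:4],                  # generalize instead of keeping full DOB
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hypothetical: in practice fetched from a KMS
    vault = TokenVault()
    print(deidentify(SAMPLE, key, vault))
```

The practical distinction to check when reviewing a deidentified data set: masked values can never be reversed, tokens can be reversed only with the vault, and HMAC pseudonyms can be re-linked only by someone holding the key, so the key and vault must not live with the data.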
Incident Response Process
1) Preparation
- Make the system resilient to attack
- Harden systems
- Establish confidential lines of communication to approved call list
- Create incident response resources and procedures
2) Identification
- Categorize alerts and notifications as incidents
- Assess incident priority (triage)
- Notify stakeholders
3) Containment
- Limit the scope and magnitude of the incident
- Isolate affected hosts and accounts
- Use segmentation to prevent spread
- Restrict communications to trusted parties only
4) Eradication
- Remove causes of incident from hosts and networks
- Sanitize infected media devices
- Reconstruct/reimage hosts
- Reconstitute hosts and services
5) Recovery
6) Lessons Learned
- Prepare incident summary reports for stakeholders
- Conduct lessons learned/after action meeting
- Create after action report with summary and recommendations
A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.
Cyber Kill Chain
1) Recon
2) Weaponization
3) Delivery
4) Exploitation
5) Installation
6) Command & Control
7) Actions on Objectives
A framework for analyzing cybersecurity incidents.
Uses 4 core features:
Adversary
Infrastructure
Victim
Capability
The Diamond Model of Intrusion Analysis
This is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.
Tabletop
In this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.
Walkthrough
__________—a ________ is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.
Simulation
_____ is a U.S. government initiative that directs departments and personnel on how to address the wide range of circumstances affecting recovery and continuity during and after emergency situations. _____ plans should include alerting, identification of critical functions, personnel accountability, and establishment of an alternate location.
OR (Security+): A policy that describes and ratifies the organization’s overall business continuity strategy.
Continuity of Operation Planning (COOP)
A console presenting selected information in an easily digestible format, such as a visualization.
Dashboard
A _____ is a network tap or port mirror that performs packet capture and intrusion detection.
Sensor
The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or better understand past events.
Trend Analysis
A protocol enabling different appliances and software applications to transmit logs or event records to a central server.
Usually uses UDP port 514 (cleartext, no delivery guarantee); TLS-protected syslog uses TCP port 6514.
Syslog
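The trend analysis and syslog cards above come together when a collector parses what arrives on port 514 and looks for patterns over time. The following is an added example, not code from the original flashcards: it parses both the older BSD (RFC 3164) message format and the RFC 5424 format, decodes the `<PRI>` value into facility and severity, then buckets failed SSH logons per source address per minute and flags any bucket at or above a threshold. The log lines are constructed for the example, the year applied to RFC 3164 timestamps (which carry none) is an assumption, and the one-minute window and threshold of 3 are illustrative tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (not real logs): RFC 3164 (BSD) lines as typically sent
# over UDP/514, plus one RFC 5424 line, all from the auth facility (PRI 38 = 4*8 + 6).
SAMPLE_LINES = [
    "<38>Mar 10 09:15:01 web01 sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<38>Mar 10 09:15:03 web01 sshd[4415]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "<38>Mar 10 09:15:04 web01 sshd[4418]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "<38>Mar 10 09:15:05 web01 sshd[4421]: Failed password for root from 203.0.113.7 port 51050 ssh2",
    "<38>1 2024-03-10T09:15:06.000Z web02 sshd 4430 - - Failed password for root from 203.0.113.7 port 51055 ssh2",
    "<38>Mar 10 09:22:40 web01 sshd[4502]: Failed password for alice from 198.51.100.9 port 40122 ssh2",
    "<38>Mar 10 09:23:10 web01 sshd[4509]: Accepted publickey for alice from 198.51.100.9 port 40130 ssh2",
]

# Facility codes 0-23 as defined for syslog; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + \
             [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|\[.*?\]) ?(?P<msg>.*)$", re.S)


def parse_syslog(line, assumed_year=2024):
    """Parse one syslog message into a dict. RFC 3164 timestamps carry no year, so
    the caller supplies one (assumed here; a real collector would use receive time)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError(f"missing <PRI>: {line!r}")
    pri, rest = int(m.group(1)), m.group(2)
    facility, severity = divmod(pri, 8)
    ev = {"facility": facility,
          "facility_name": FACILITIES[facility] if facility < len(FACILITIES) else "?",
          "severity": severity}
    m5 = RFC5424_RE.match(rest)
    m3 = RFC3164_RE.match(rest)
    if m5:
        ev.update(m5.groupdict())
        iso = m5.group("ts").replace("Z", "+00:00")  # fromisoformat on older Pythons rejects 'Z'
        ev["timestamp"] = datetime.fromisoformat(iso).replace(tzinfo=None)
    elif m3:
        ev.update(m3.groupdict())
        ev["timestamp"] = datetime.strptime(m3.group("ts"), "%b %d %H:%M:%S").replace(year=assumed_year)
    else:
        raise ValueError(f"unrecognized syslog format: {line!r}")
    return ev


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def failed_logon_trend(lines, window=timedelta(minutes=1), threshold=3):
    """Trend analysis over the parsed events: count failed logons per source address
    per time window and flag every (source, window) at or above the threshold.
    Returns (counts, flagged); window starts are ISO strings for easy reporting."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_syslog(line)
        m = FAILED_RE.search(ev["msg"])
        if not m:
            continue  # successful logons and other messages are not part of this trend
        ts = ev["timestamp"]
        bucket = datetime.min + ((ts - datetime.min) // window) * window  # floor to window
        counts[(m.group("src"), bucket.isoformat())] += 1
    flagged = sorted((src, start, n) for (src, start), n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    for src, start, n in failed_logon_trend(SAMPLE_LINES)[1]:
        print(f"{start} {src}: {n} failed logons in one window")
```

Two caveats worth keeping in mind when doing this on real traffic: RFC 3164 has no year and no time zone, so bucketing across a year boundary or across hosts in different zones needs the collector's receive time rather than the message timestamp, and a UDP sensor may simply have dropped some of the messages, so a count that stays just below threshold is not proof the pattern was absent.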
Software optimized for multi-platform log collection and aggregation.
Open source.
NXLog
Log type
Events generated by applications and services, such as when a service cannot start.
Application log
Log type
Audit events, such as a failed logon or access to a file being denied
Security log
Log type
Events generated by the operating system and its services, such as storage volume health checks.
System log
Log type
Events generated during the installation of Windows.
Setup log
Log type
Events that are sent to the local log from other hosts.
Forwarded events log
File containing data captured from system memory.
Dump file
Information stored or recorded as a property of an object, state of a system, or transaction.
Metadata
A record of the email servers involved in transferring an email message from a sender to a recipient.
Internet header in an email
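Reading the Received headers is the forensic use of the internet header described above: each mail server prepends its own Received line, so the topmost was added by the last hop (your own MTA) and the bottommost is closest to the sender. The following is an added example, not code from the original flashcards: it parses a constructed message with the standard library `email` module, lists the hops oldest-first, and cross-checks each handoff (the host that stamped "by" on one hop should be the host the next hop says it received "from", and times should not run backwards). A second, constructed copy of the message carries a Received line the sender wrote themselves, which the chain check exposes. Host names and addresses are illustrative.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Each MTA prepends its own Received
# header, so the topmost is the final hop and the bottommost is closest to the origin.
RAW_MESSAGE = b"""Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.net with ESMTPS id abc123
\tfor <bob@example.net>; Sun, 10 Mar 2024 09:30:12 +0000
Received: from smtp.example.org (smtp.example.org [192.0.2.5])
\tby mx1.example.org with ESMTP id def456; Sun, 10 Mar 2024 09:30:10 +0000
Received: from [10.0.0.23] (unknown [10.0.0.23])
\tby smtp.example.org with ESMTPA id ghi789; Sun, 10 Mar 2024 09:30:08 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q1 invoice
Message-ID: <1234@smtp.example.org>

Please see attached.
"""

# Same message with a Received line the sender forged below the genuine ones, claiming
# the mail was relayed from a trusted host (constructed to show a broken chain).
FORGED_HOP = (b"Received: from legit.example.com (legit.example.com [198.51.100.1])\n"
              b"\tby smtp.example.org with ESMTP id zzz999; Sun, 10 Mar 2024 09:30:07 +0000\n")
FORGED_MESSAGE = RAW_MESSAGE.replace(b"From:", FORGED_HOP + b"From:", 1)

HOP_RE = re.compile(
    r"\bfrom\s+(?P<from>\S+)(?:\s+\((?P<from_info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)


def parse_received(value):
    """Extract from/by hosts and the timestamp from one Received header value."""
    flat = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    hop = {"from": None, "from_info": None, "by": None, "date": None, "raw": flat}
    m = HOP_RE.search(flat)
    if m:
        hop.update(m.groupdict())
    if ";" in flat:  # the date follows the last semicolon
        try:
            hop["date"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def trace_path(raw):
    """Return the hops in delivery order (origin first), i.e. the headers bottom-up."""
    msg = email.message_from_bytes(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def chain_breaks(hops):
    """Cross-check each handoff. A mismatch usually means a header the sender wrote
    rather than one an MTA added; only the topmost (your own server's) is trustworthy."""
    problems = []
    for i in range(len(hops) - 1):
        cur, nxt = hops[i], hops[i + 1]
        if cur["by"] and nxt["from"] and cur["by"].lower() != nxt["from"].lower():
            problems.append(f"hop {i}: stamped by {cur['by']} but next hop claims receipt from {nxt['from']}")
        if cur["date"] and nxt["date"] and nxt["date"] < cur["date"]:
            problems.append(f"hop {i}: timestamp goes backwards at the next hop")
    return problems


if __name__ == "__main__":
    for name, raw in (("genuine", RAW_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = trace_path(raw)
        print(name)
        for i, h in enumerate(hops):
            print(f"  hop {i}: {h['from']} ({h['from_info']}) -> {h['by']} at {h['date']}")
        print("  breaks:", chain_breaks(hops) or "none")
```

When reading the output, the first hop's parenthetical is the part worth noting: "unknown [10.0.0.23]" means the first MTA could not resolve the connecting client's name, which is normal for a workstation submitting mail but suspicious for a host that claims to be a mail server.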