Forensics, Frameworks & Regulations COPY

Question 1

Information Lifecycle Management stages

Answer 1

Creation/collection - data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.

Distribution/use - data is made available on a need to know basis for authorized uses by authenticated account holders and third parties.

Retention - for regulatory reasons, data might have to be kept in an archive past the date when it is still used.

Disposal - when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

Question 2

A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

Answer 2

Data Owner

Question 3

An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

Answer 3

Data Steward

Question 4

An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

Answer 4

Data Custodian

Question 5

Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

Answer 5

Data Privacy Officer

Question 6

In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.

Answer 6

Data Controller

Question 7

In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

Answer 7

Data Processor

Question 8

Information created by an organization, typically about the products or services that it makes or provides.

Answer 8

Proprietary Information or IP

Question 9

This label is typically used in the context of personal data in which privacy-sensitive information about a subject could harm them if made public and could prejudice decisions made about the subject.

Answer 9

Sensitive

Question 10

In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

Answer 10

Purpose Limitation

Question 11

a contractual agreement setting out the detailed terms under which a service is provided. This can include terms for security access controls and risk assessments plus processing requirements for confidential and private data.

Answer 11

SLA

Question 12

Modifying or replacing identifying personal information in a data set so that reidentification depends on an alternate data source.

Answer 12

Pseudo-anonymization

Question 13

A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

Answer 13

Data Masking

Question 14

A deidentification method where a unique token is substituted for real data.

Answer 14

Tokenization

Question 15

Incident Response Process

Answer 15

1) Preparation
- Make the system resilient to attack

• Harden systems
• Establish confidential lines of communication to approved call list
• Create incident response resources and procedures

2) Identification

• Categorize alerts and notifications as incidents
• Assess incident priority (triage)
• Notify stakeholders

3) Containment
- Limit the scope and magnitude of the incident

• Isolate affected hosts and accounts
• Use segmentation to prevent spread

-Restrict communications to trusted parties only

4) Eradication
- Remove causes of incident from hosts and networks
- Sanitize infected media devices

Reconstruct/reimage hosts

• Reconstitute hosts and services

5) Recovery

6) Lessons Learned
Prepare incident summary reports for stakeholders

Conduct lessons learned/after action meeting

Create after action report with summary and recommendations

Question 16

A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

Answer 16

Cyber Kill Chain

1)Recon

2) Weaponization

3) Delivery

4) Exploitation

5) Installation

6) Command & Control

7) Actions on Objectives

Question 17

A framework for analyzing cybersecurity incidents.

uses 4 core features

Adversary

Infrastructure

victim

capability

Answer 17

The Diamond Model of Intrusion Analysis

Question 18

This is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.

Answer 18

Tabletop

Question 19

in this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company’s actual response and recovery tools.

Answer 19

Walkthrough

Question 20

__________—a ________ is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

Answer 20

Simulation

Question 21

_____ is a U.S. government action designed to motivate departments and people on how to address a myriad of circumstances regarding recovery and longevity during and after emergency situations. _____ plans should include alerting, identification of critical functions, personnel accountability, and establishment of an alternative location.

OR (Security+): A policy that describes and ratifies the organization’s overall business continuity strategy.

Answer 21

Continuity of Operation Planning (COOP)

Question 22

A console presenting selected information in an easily digestible format, such as a visualization.

Answer 22

Dashboard

Question 23

A _____ is a network tap or port mirror that performs packet capture and intrusion detection

Answer 23

Sensor

Question 24

The process of detecting patterns within a data set over time, and using those patterns to make predictions about future events or better understand past events.

Answer 24

Trend Analysis

Question 25

A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

usually uses UDP port 514

Answer 25

Syslog

Question 26

Software optimized for multi-platform log collection and aggregation.

open source

Answer 26

NXlog

Question 27

Log type

events generated by applications and services, such as when a service cannot start.

Answer 27

Application log

Question 28

Log type

Audit events, such as a failed logon or access to a file being denied

Answer 28

Security log

Question 29

Log type

events generated by the operating system and its services, such as storage volume health checks.

Answer 29

System log

Question 30

Log type

events generated during the installation of Windows.

Answer 30

Setup log

Question 31

Log type

events that are sent to the local log from other hosts.

Answer 31

Forwarded events log

Question 32

File containing data captured from system memory.

Answer 32

Dump file

Question 33

Information stored or recorded as a property of an object, state of a system, or transaction.

Answer 33

Meta Data

Question 34

A record of the email servers involved in transferring an email message from a sender to a recipient.

Answer 34

Internet Header in a email

Question 35

A Cisco-developed means of reporting network flow information to a structured database. ____ allows better understanding of IP traffic flows as used by different network applications and hosts

Answer 35

Netflow

Question 36

Web standard for using sampling to record network traffic statistics.

Answer 36

sFlow

Question 37

_________ provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM’s policy templates.

Answer 37

Mobile Device Management (MDM)

Question 38

Using AI to identify vulnerabilities and attack vectors to circumvent security systems.

Answer 38

Adversial AI

Question 39

a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial.

Answer 39

E-discovery

Question 40

The NTFS file system stores time values in _____ format, so they are not affected by changes in time zone or daylight saving time.

Answer 40

UTC

Question 41

Order of volatility

Answer 41

CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
Contents of nonpersistent system memory (RAM), including routing table, ARP cache, process table, kernel statistics.
Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
Partition and file system blocks, slack space, and free space.
System memory caches, such as swap space/virtual memory and hibernation files.
Temporary file caches, such as the browser cache.
User, application, and OS files and directories.
Remote logging and monitoring data.
Physical configuration and network topology.
Archival media and printed documents.

Question 42

The _______ is an open source collection of command-line and programming libraries for disk imaging and file analysis.

Autopsy is a graphical front-end for these tools and acts as a workflow tool.

Answer 42

Sleuth Kit

Question 43

Linux utility developed as part of the Coroner’s Toolkit to dump system memory data to a file.

Answer 43

memdump

Question 44

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

Answer 44

ddcommand

Question 45

In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

Answer 45

Provenance

Question 46

Data Acquisition order

Answer 46

1) Hash is made using md5 or sha

2) bit-by-bit copy of the media is made

3) second hash is made (should match first hash)

4)copy is made of the reference image

Question 47

The process of extracting data from a computer when that data has no associated file system metadata.

Answer 47

carving

Question 48

A _____ is a live acquisition image of a persistent disk. While this may have less validity than an image taken from a device using a write blocker, it may be the only means of acquiring data from a virtual machine or cloud process.

Answer 48

snapshot

Question 49

Risk Management process (5 main steps)

Answer 49

• Identify Mission Essential Functions
• Identify vulnerabilities
• identify threats
• Analyze business impacts
• identify risk response

Question 50

In risk calculation, the percentage of an asset’s value that would be lost during a security incident or disaster scenario.

Answer 50

Exposure Factor

(EF)

Question 51

Risk that remains even after controls are put into place.

Answer 51

Residual Risk

Question 52

Risk that arises when a control does not provide the level of mitigation that was expected.

Answer 52

Control Risk

Question 53

A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

Answer 53

Business Impact Analysis (BIA)

Question 54

To scale OUT

vs

To scale UP

Answer 54

To scale out is to add more resources in parallel with existing resources.

To scale up is to increase the power of existing resources.

Question 55

Scalability
vs
Elasticity

Answer 55

Scalability is the capacity to increase resources to meet demand within similar cost ratios.

Elasticity refers to the system’s ability to handle these changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly increases rapidly.

Question 56

A backup type in which all selected files, regardless of prior state, are backed up

(archive attribute?)

Answer 56

Full Backup

Cleared

Question 57

A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

(archive attribute?)

Answer 57

Incremental

Cleared

Question 58

A backup type in which all selected files that have changed since the last full backup are backed up.

(archive attribute?)

Answer 58

Differential

Not cleared

Question 59

Makes snapshot backups of files even if they are open. It is used for Windows backup and the System Restore and Previous Versions features.

Answer 59

Volume Shadow Copy Service (VSS)

Question 60

A storage device with an embedded OS that supports typical network file access protocols (TCP/IP and SMB for instance).

A ____ can be another good option for SOHO backup, but as a single device, it provides no offsite option. As it is normally kept online, it can be vulnerable to cryptoransomware as well.

Answer 60

NAS

Question 61

A network dedicated to data storage, typically consisting of storage devices and servers connected to switches via host bus adapters.

Where NAS uses file-level access to storage, a SAN is based on block-level addressing. A SAN can incorporate RAID arrays and tape systems within the same network. SANs can achieve offsite storage through replication

Answer 61

SAN

Question 62

Order of restoration

Answer 62

1) power

2) switch infrastructure then routing appliances

3) Firewalls

4) network servers (DHCP, DNS, NTP, Directory services)

5) Back end middleware

6) front end application

7) client workstations

Question 63

The property by which a computing environment is discarded once it has finished its assigned task.

Answer 63

Non-persistence

Question 64

A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

Answer 64

Warm Site

Question 65

Deception strategy that returns spoofed data in response to network probes.

Answer 65

Fake Telemetry

Question 66

Temporary DNS record that redirects malicious traffic to a controlled IP address.

Answer 66

DNS Sinkhole

Question 67

a __________ alarm sounds when the circuit is opened or closed, depending on the type of alarm. This could be caused by a door or window opening or by a fence being cut.

Answer 67

Circuit Based

Question 68

A type of network isolation that physically separates a network from all other networks.

Answer 68

Air Gapped

Question 69

A wire mesh container that blocks external electromagnetic fields from entering into the container.

Answer 69

Faraday Cage

Question 70

A method of sanitizing a drive by setting all bits to zero.

Answer 70

Zero-filling

Question 71

A method of sanitizing a self-encrypting drive by erasing the media encryption key.

Answer 71

Crypto Erase

Question 72

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, thirdparty software, or at the controller level by the disk device itself.

______ requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker, can write its keys to

Answer 72

Full Disk Encyption

Question 73

A disk drive where the controller can automatically encrypt data that is written to it.

Answer 73

Self-encrypting drives (SED

Question 74

In storage encryption, the private key that is used to encrypt the symmetric bulk media encryption key (MEK). This means that a user must authenticate to decrypt the MEK and access the media.

Used in SED

Can change the password without having to decrypt and re-encrypt

Answer 74

KEK

Key encryption Key

Question 75

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

Answer 75

CSA

Question 76

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.

Answer 76

Statements on Standards for Attestation Engagements (SSAE)

Question 77

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

Answer 77

Center for Internet Security (CIS)

Question 78

A charity and community publishing a number of secure application development resources.

Answer 78

Open Web Application Security Project (OWASP

Question 79

law enacted in 2002 that dictates requirements for the storage and retention of documents relating to an organization’s financial and business operations.

Answer 79

SOX

Question 80

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US’s Privacy Shield requirements.

Answer 80

General Data Protection Regulation (GDPR)

Question 81

A law enacted in 1999 that deregulated banks, but also instituted requirements that help protect the privacy of an individual’s financial information that is held by financial institutions.

Answer 81

GLBA

Question 82

The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.

Answer 82

Cyber Threat Intel

Question 83

Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

Answer 83

Information Sharing and Analysis Centers (ISACs)

Question 84

A framework for analyzing cybersecurity incidents.

Answer 84

STIX

Question 85

A protocol for supplying codified information to automate incident detection and analysis.

Answer 85

TAXII

Question 86

Threat intelligence data feed operated by the DHS.

Answer 86

AIS