ISC2 - Study Notes 23 Flashcards
A cold site is a building with a roof, running water, and electricity. It doesn’t include the necessary hardware, software, or personnel. In the event of an emergency, personnel move all the resources to the cold site location, hook it up, and configure the site for operation. It’s difficult to test a cold site because nothing exists at the location.
Warm site: Instead of ensuring that the site can be activated within minutes like a hot site, the organization may decide that 24 hours' notice is enough to bring it online.
Info
Tier 1 (Partial): indicates that risk management processes are not formalized and there is a limited awareness of cybersecurity risk.
Tier 2 (Risk Informed): indicates that risk management practices are in place but may not be followed. Personnel may be aware of risk, but an organization-wide approach to managing risk has not been established.
Tier 3 (Repeatable): indicates that risk management practices are formally approved and documented in policies. Personnel have the knowledge and skills necessary to perform their roles. Personnel at all levels of leadership regularly communicate to each other on cybersecurity risk.
Tier 4 (Adaptive): indicates that the organization adapts its practices based on previous and current cybersecurity activities. It has processes in place for continuous improvement. Executive management evaluates cybersecurity risk in the same manner that they evaluate financial risk.
(US-CERT) provides response support and defense against cyber-attacks for several government entities in the United States and for some industry and international partners.
SANS Institute is a private institution that sponsors other security certifications and sells training for these certifications; it also publishes some free resources.
CERT Division works closely with government, industry, law enforcement, and academia personnel to improve the security of computer systems and networks.
Info
The first step an organization takes in incident handling is preparation. Preparation includes implementing security controls (or countermeasures) to prevent, detect, and correct security incidents. Organizations typically create an incident response policy that outlines its plans to prepare for and respond to an incident.
Info
For serious incidents, recovery can include multiple actions, such as completely rebuilding systems from images and installing all appropriate patches, restoring data from backups, changing passwords, and tightening network security. After attackers have successfully infiltrated a network, it’s common for them to try again. Because of this, recovery may include increasing system logging or network monitoring to detect subsequent attacks.
Reporting an incident refers to informing personnel within the organization and entities outside the organization about the incident.
Info
Experts use a bit-by-bit copy, which includes copying the free and slack space on the drive or partition; they analyze the copy of the drive, not the original drive. If they want to validate their analysis, they make another copy of the original drive and repeat the analysis. The original drive remains as evidence in a court of law if required. Experts also capture the contents of the computer's memory, which holds information on recently run processes and applications; the computer must be running when this is done.
Forensics acquisition phase
Magnetic media such as hard drives often hold data remnants, known as data remanence. This data remanence is not copied in a bit-by-bit copy but might hold valuable information. The only way to analyze data remanence is by analyzing the original hard drive.
Info