Lesson 14: Explaining Risk Management and Disaster Recovery Concepts Flashcards

1
Q

vulnerable business process

A

if a company operates with one or more vulnerable business processes, it could result in disclosure, modification, loss, destruction, or interruption of critical data or it could lead to loss of service to customers

2
Q

risk management

A

process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers

3
Q

phases of risk management

A
  1. Identify mission essential functions—mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. Part of this process also involves identifying critical systems and assets that support these functions.
  2. Identify vulnerabilities—for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. Vulnerability refers to a specific flaw or weakness that could be exploited to overcome a security system.
  3. Identify threats—for each function or workflow, identify the threats that may take advantage of or exploit or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage.
  4. Analyze business impacts—the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems give factors for evaluating risks. There are quantitative and qualitative methods of analyzing impacts.
  5. Identify risk response—for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.
4
Q

mission essential function (MEF)

A
  • mission essential function (MEF) is one that cannot be deferred
  • means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first
5
Q

analysis of mission essential functions is generally governed by four main metrics

A
  • Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Each business process can have its own MTD, such as a range of minutes to hours for critical functions, 24 hours for urgent functions, 7 days for normal functions, and so on. MTDs vary by company and event. Each function may be supported by multiple systems and assets. The MTD sets the upper limit on the amount of recovery time that system and asset owners have to resume operations
  • Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance)
  • Work Recovery Time (WRT). Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported
  • Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected
6
Q

identification of critical systems

A
  • means compiling an inventory of the organization's business processes and its tangible and intangible assets and resources
  • assets and resources include:
    • People (employees, visitors, and suppliers).
    • Tangible assets (buildings, furniture, equipment and machinery (plant), ICT equipment, electronic data files, and paper documents).
    • Intangible assets (ideas, commercial reputation, brand, and so on).
    • Procedures (supply chains, critical procedures, standard operating procedures).
7
Q

business process analysis (BPA)

A
  • for mission essential functions, it is important to reduce the number of dependencies between components
  • dependencies are identified by performing a business process analysis (BPA) for each function
  • BPA should identify the following factors:
    • Inputs—the sources of information for performing the function (including the impact if these are delayed or out of sequence).
    • Hardware—the particular server or data center that performs the processing.
    • Staff and other resources supporting the function.
    • Outputs—the data or resources produced by the function.
    • Process flow—a step-by-step description of how the function is performed.
8
Q

single points of failure (SPoF)

A

reducing dependencies makes it easier to provision redundant systems to allow the function to failover to a backup system smoothly. This means the system design can more easily eliminate the sort of weakness that comes from having single points of failure (SPoF) that can disrupt the function

9
Q

key performance indicators (KPI)

A
  • used to determine the reliability of each asset
  • main KPIs relating to service availability are as follows:
    • Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF) represent the expected lifetime of a product. MTTF should be used for non-repairable assets
    • The calculation for MTBF is the total time divided by the number of failures. For example, if you have 10 devices that run for 50 hours and two of them fail, the MTBF is (10 × 50)/2 = 250 hours/failure
    • The calculation for MTTF for the same test is the total time divided by the number of devices, so (10 × 50)/10, with the result being 50 hours/failure
    • MTTF/MTBF can be used to determine the amount of asset redundancy a system should have. A redundant system can failover to another asset if there is a fault and continue to operate normally. It can also be used to work out how likely failures are to occur
    • Mean Time to Repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to “replace” or “recover.” This metric is important in determining the overall Recovery Time Objective (RTO)

10
Q

asset management

A
  • process takes inventory of and tracks all the organization’s critical systems, components, devices, and other objects of value
  • also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals
  • many software suites and associated hardware solutions available for tracking and managing assets (or inventory)
  • asset management database can be configured to store as much or as little information as is deemed necessary, though typical data would be type, model, serial number, asset ID, location, user(s), value, and service information
11
Q

asset management troubleshooting tactics

A
  • Ensure that all relevant assets are participating in a tracking system like barcodes or passive radio frequency IDs (RFIDs).
  • Ensure that there is a process in place for tagging newly acquired or developed assets.
  • Ensure that there is a process in place for removing obsolete assets from the system.
  • Check to see if any assets have conflicting IDs.
  • Check to see if any assets have inaccurate metadata.
  • Ensure that asset management software can correctly read and interpret tracking tags.
  • Update asset management software to fix any bugs or security issues.
12
Q

threat assessment

A
  • means compiling a prioritized list of probable and possible threats
  • consider (for instance) the impact on business processes of the following:
    • Public infrastructure (transport, utilities, law and order).
    • Supplier contracts (security of supply chain).
    • Customer’s security (the sudden failure of important customers due to their own security vulnerabilities can be as damaging as an attack on your own organization).
    • Epidemic disease.
  • threat awareness must consider threats posed by events such as natural disasters, accidents, and by legal liabilities:
    • Natural disaster—threat sources such as river or sea floods, earthquakes, storms, and so on. Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.
    • Manmade disaster—intentional man-made threats such as terrorism, war, or vandalism/arson, or unintentional threats, such as user error or information disclosure through social media platforms.
    • Environmental—those caused by some sort of failure in the surrounding environment. These could include power or telecoms failure, pollution, or accidental damage (including fire).
    • Legal and commercial—some examples include:
      • Downloading or distributing obscene material.
      • Defamatory comments published on social networking sites.
      • Hijacked mail or web servers used for spam or phishing attacks.
      • Third-party liability for theft or damage of personal data.
      • Accounting and regulatory liability to preserve accurate records.
13
Q

supply chain

A
  • series of companies involved in fulfilling a product
  • assessing a supply chain involves determining whether each link in the chain is sufficiently robust
  • each supplier in the chain may have their own suppliers, and assessing “robustness” means obtaining extremely privileged company information
14
Q

degree of risk

A
  • two main variables are likelihood and impact:
    • Likelihood is the probability of the threat being realized.
    • Impact is the severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.
15
Q

business impact analysis (BIA)

A

process of assessing what losses might occur for each threat scenario

16
Q

impacts on property

A

risks whose impacts affect property (premises) mostly arise due to natural disaster, war/terrorism, and fire

17
Q

impacts on finance and reputation

A
  • important to realize that the value of an asset does not refer solely to its material value
  • two principal additional considerations are direct costs associated with the asset being compromised (downtime) and consequent costs to intangible assets, such as the company’s reputation
18
Q

impacts on privacy

A
  • important source of risk is the unauthorized disclosure of personally identifiable information (PII)
  • privacy risk assessments are modelled on formal audit documents mandated by US laws, notably The Privacy Act and the Federal Information Security Management Act (FISMA):
    • Privacy Threshold Analysis (PTA)—An initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed. PTAs must be repeated every three years.
    • Privacy Impact Assessment (PIA)—A detailed study to assess the risks associated with storing, processing, and disclosing PII. The study should identify vulnerabilities that may lead to data breach and evaluate controls mitigating those risks.
    • System of Records Notice (SORN)—A formal document listing PII maintained by a federal agency of the US government.
19
Q

methods of assessing likelihood and risk

A
  • quantitative risk assessment aims to assign concrete values to each risk factor:
    • Single Loss Expectancy (SLE)—The amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.
    • Annual Loss Expectancy (ALE)—The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).
  • qualitative risk assessment:
    • avoids the complexity of the quantitative approach and is focused on identifying significant risk factors
    • assigns Security Categorizations (SC) to information systems based on the impact that a breach of confidentiality, integrity, or availability would have on the organization as a whole. Potential impacts can be classified as:
      • Low—minor damage or loss to an asset or loss of performance (though essential functions remain operational).
      • Moderate—significant damage or loss to assets or performance.
      • High—major damage or loss or the inability to perform one or more essential functions.
20
Q

risk response strategies

A
  • Avoidance means that you stop doing the activity that is risk-bearing
  • Transference (or sharing) means assigning risk to a third party (such as an insurance company or a contract with a supplier that defines liabilities)
  • Acceptance (or retention) means that no countermeasures are put in place either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed
21
Q

risk register

A
  • document showing the results of risk assessments in a comprehensible format
  • register may resemble the “traffic light” grid shown earlier with columns for impact and likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status
  • commonly depicted as scatterplot graphs, where impact and likelihood are each an axis, and the plot point is associated with a legend that includes more information about the nature of the plotted risk
  • risk register should be shared between stakeholders (executives, department managers, and senior technicians) so that they understand the risks associated with the workflows that they manage
22
Q

reactive

A

the need for change is described as reactive when the change is forced on the organization

23
Q

proactive

A

the need for change is described as proactive when it is initiated internally

24
Q

Request for Change (RFC)

A
  • in a formal change management process, the need for change and the procedure for implementing the change is captured in a Request for Change (RFC) document and submitted for approval
  • RFC will then be considered at the appropriate level
  • major or significant changes might be managed as a separate project and require approval through a Change Advisory Board (CAB)
25
Q

risk management processes

A
  • Identify mission-essential functions and the critical systems within each function.
  • Identify those assets supporting business functions and critical systems, and determine their values.
  • Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF for functions and assets.
  • Look for possible vulnerabilities that, if exploited, could adversely affect each function or system.
  • Determine potential threats to functions and systems.
  • Determine the probability or likelihood of a threat exploiting a vulnerability.
  • Determine the impact of the potential threat, whether it be recovery from a failed system or the implementation of security controls that will reduce or eliminate risk.
  • Identify impact scenarios that put your business operations at risk.
  • Identify the risk analysis method that is most appropriate for your organization. For quantitative and semi-quantitative risk analysis, calculate SLE and ARO for each threat, and then calculate the ALE.
  • Identify potential countermeasures, ensuring that they are cost-effective and perform as expected. For example, identify single points of failure and, where possible, establish redundant or alternative systems and solutions.
  • Clearly document all findings discovered and decisions made during the assessment in a risk register.

26
Q

Continuity of Operations Planning (COOP) or business continuity plan (BCP)

A
  • collection of processes that enable an organization to maintain normal business operations in the face of some adverse event
27
Q

single points of failure

A
  • when implementing a network, the goal will always be to minimize the single points of failure and to allow ongoing service provision despite a disaster
28
Q

IT Contingency Planning (ITCP)

A
  • to perform IT Contingency Planning (ITCP), think of all the things that could fail, determine whether the result would be a critical loss of service, and whether this is unacceptable
29
Q

high availability

A

availability is the percentage of time that the system is online, measured over the defined period (typically one year)

30
Q

fault tolerant

A
  • often achieved by provisioning redundancy for critical components and single points of failure
  • examples of devices and solutions that provide fault tolerance include the following:
    • Redundant components (power supplies, network cards, drives (RAID), and cooling fans) provide protection against hardware failures. Hot swappable components allow for easy replacement (without having to shut down the server).
    • Uninterruptible Power Supplies (UPS) and Standby Power Supplies.
    • Backup strategies—provide protection for data.
    • Cluster services are a means of ensuring that the total failure of a server does not disrupt services generally.
31
Q

properties of resilient system

A

  • Scalability means that the costs involved in supplying the service to more users are linear. For example, if the number of users doubles in a scalable system, the costs to maintain the same level of service would also double (or less than double). If costs more than double, the system is less scalable. To scale out is to add more resources in parallel with existing resources. To scale up is to increase the power of existing resources.
  • Elasticity refers to the system’s ability to handle changes in demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples). Conversely, it may be important for the system to be able to reduce costs when demand is low. Elasticity is a common selling point for cloud services. Instead of running a cloud resource for 24 hours a day, 7 days a week, that resource can diminish in power or shut down completely when demand for that resource is low. When demand picks up again, the resource will grow in power to the level required. This results in cost-effective operations.

32
Q

distributive allocation

A
  • refers to the ability to switch between available processing and data resources to meet service requests
  • typically achieved using load balancing services during normal operations or automated failover during a disaster
33
Q

Redundant Array of Independent Disks (RAID)

A
  • many disks can act as backups for each other to increase reliability and fault tolerance
  • if one disk fails, the data is not lost, and the server can keep functioning
34
Q

Redundant Array of Independent Disks (RAID) Levels

A
  • Level 0: Striping without parity (no fault tolerance). This means that data is written in blocks across several disks simultaneously. This can improve performance, but if one disk fails, so does the whole volume and data on it will be corrupted.
  • Level 1: Mirroring—Data is written to two disks simultaneously, providing redundancy (if one disk fails, there is a copy of data on the other). The main drawback is that storage efficiency is only 50%.
  • Level 5: Striping with parity—Data is written across three or more disks, but additional information (parity) is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.
  • Level 6: Double parity or level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost.
  • Nested (0+1, 1+0, or 5+0): Nesting RAID sets generally improves performance or redundancy (for example, some nested RAID solutions can support the failure of more than one disk).
35
Q

multiple paths

A

network cabling should be designed to allow for multiple paths between the various servers, so that during a failure of one part of the network, the rest remains operational (redundant connections). Routers are great fault tolerant devices, because they can communicate system failures and IP packets can be routed via an alternate device

36
Q

automated courses of action

A

a resiliency strategy can specify automated courses of action that can work to maintain or to restore services with minimal human intervention or even no intervention at all

37
Q

continuous monitoring

A

an automation solution will have a system of continuous monitoring to detect service failures and security incidents. Continuous monitoring might use a locally installed agent or heartbeat protocol or may involve checking availability remotely. As well as monitoring the primary site, it is important to observe the failover components to ensure that they are recovery ready

38
Q

mastering instructions of automation system

A
  • Master image—this is the “gold” copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template.
  • Template—similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions.
39
Q

configuration validation

A
  • process ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application)
  • important process in automating resiliency strategies
40
Q

non-persistence

A
  • non-persistence means that any given instance is completely static in terms of processing function. Data is separated from the instance so that it can be swapped out for an “as new” copy without suffering any configuration problems
  • mechanisms for ensuring non-persistence:
    • Snapshot/revert to known state—This is a saved system state that can be reapplied to the instance.
    • Rollback to known configuration—A physical instance might not support snapshots but has an “internal” mechanism for restoring the baseline system configuration, such as Windows System Restore.
    • Live boot media—another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk.
41
Q

Continuity of Operations Plan (COOP) Guidelines

A
  • Be aware of the different ways your business could be threatened.
  • Implement an overall business continuity process in response to real events.
  • Ensure the continuity planning is comprehensive and addresses all critical dimensions of the organization.
  • Draft an IT contingency plan to ensure that IT procedures continue after an adverse event.
  • Ensure that IT personnel are trained on this plan.
  • Incorporate failover techniques into continuity planning.
  • Ensure that systems are highly available and meet an adequate level of performance.
  • Ensure that critical systems have redundancy to mitigate loss of data and resources due to adverse events.
  • Ensure that critical systems are fault tolerant so that service disruption is minimized in the event of failure or compromise.
  • Ensure that systems are adequately scalable and can meet the long-term increase in demand as the business grows.
  • Ensure that systems are elastic and can meet the short-term increase and decrease in resource demands.
  • Consider consolidating multiple storage devices in a RAID for redundancy and fault tolerance.
  • Choose the RAID level that provides the appropriate level of redundancy and fault tolerance for your business needs.
  • Supplement manual security processes with automated processes in order to increase efficiency and accuracy.
  • Consider incorporating non-persistent virtual infrastructure to more easily maintain baseline security.
42
Q

alternate processing sites or recovery sites

A
  • site is another location that can provide the same (or similar) level of service
  • alternate processing site might always be available and in use, while a recovery site might take longer to set up or only be used in an emergency
43
Q

failover

A
  • technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed
  • operations are designed to failover to the new site until the previous site can be brought back online
44
Q

hot site

A
  • can failover almost immediately
  • means that the site is already within the organization’s ownership and is ready to deploy
45
Q

cold site

A

takes longer to set up (up to a week), and a warm site is something between the two

46
Q

warm site

A

requirement that the latest data set will need to be loaded

47
Q

subscription service

A

providing redundancy on this scale can be very expensive. Sites are often leased from service providers, such as Comdisco or IBM (a subscription service)

48
Q

reciprocal arrangements

A

provide mutual support

49
Q

replication

A
  • process of duplicating data between different servers or sites. RAID mirroring and server clustering are examples of disk-to-disk and server-to-server replication
  • can either be synchronous or asynchronous
  • synchronous replication means that the data must be written at both sites before it can be considered committed
  • asynchronous replication means that data is mirrored from a primary site to a secondary site
  • farther apart the sites are, the costlier replication will be
50
Q

order of restoration

A
  1. Enable and test power delivery systems (grid power, Power Distribution Units (PDUs), UPS, secondary generators, and so on).
  2. Enable and test switch infrastructure, then routing appliances and systems.
  3. Enable and test network security appliances (firewalls, IDS, proxies).
  4. Enable and test critical network servers (DHCP, DNS, NTP, and directory services).
  5. Enable and test backend and middleware (databases and business logic). Verify data integrity.
  6. Enable and test front-end applications.
  7. Enable client workstations and devices and client browser access.
51
Q

alternate business practice

A

allow the information flow to resume to at least some extent

52
Q

succession planning

A

targets the specific issue of leadership and senior management

53
Q

backup types

A
  • when considering a backup made against an original copy of data, the backup can usually be performed using one of three main types: full, incremental, and differential:
    • Full—Data selection: all selected data regardless of when it was previously backed up. Backup/restore time: high/low (one tape set). Archive attribute: cleared.
    • Incremental—Data selection: new files and files modified since the last backup. Backup/restore time: low/high (multiple tape sets). Archive attribute: cleared.
    • Differential—Data selection: all data modified since the last full backup. Backup/restore time: moderate/moderate (no more than two sets). Archive attribute: not cleared.
54
Q

snapshots

A

means of getting around the problem of open files

55
Q

Volume Shadow Copy Service (VSS)

A

in Windows, snapshots are provided for on NTFS volumes by the Volume Shadow Copy Service (VSS)

56
Q

After-Action Report (AAR)

A

“lessons learned” report is a process to determine how effective COOP and DR planning and resources were

57
Q

business continuity and disaster recovery processes

A
  • Implement disaster recovery to restore IT operations after a major adverse event.
  • Form a recovery team with multiple job roles and responsibilities.
  • Follow a disaster recovery process from notifying stakeholders to actually beginning recovery.
  • Ensure the DRP includes alternate sites, asset inventory, backup procedures, and other critical information.
  • Ensure that recovery processes are secure from attack or other compromise.
  • Consider maintaining alternate recovery sites to quickly restore operations when the main site is compromised.
  • Choose between a hot, warm, and cold site depending on your business needs and means.
  • Determine an order of restoration to get business-critical systems back online first.
  • Incorporate alternate business practices into the BCP if necessary.
  • Draft a succession plan in case personnel are not available to put the DRP into effect.
  • Choose a data backup type that meets your speed, reliability, and storage needs.
  • Ensure that backups are stored in a secure location.
  • Consider the security implications of maintaining multiple backups.
  • Regularly test the integrity of your backups.
  • Consider placing backups offsite to mitigate damage to a particular location.
  • Be aware of the advantages and disadvantages of close vs. distant backup sites.
  • Research the legal and data sovereignty issues affecting regions where your backup sites are located.
  • Conduct testing exercises to prepare personnel for executing the DRP.
  • Draft AARs to learn from your successes and mistakes.
  • Ask yourself key questions about the event to identify areas for improvement.
  • Modify the DRP as needed in response to lessons learned.
58
Q

forensics

A
  • computer forensics is the practice of collecting evidence from computer systems to a standard that will be accepted in a court of law. It is unlikely that a computer forensic professional will be retained by an organization, so such investigations are normally handled by law enforcement agencies. In some cases, however, an organization may conduct a forensic investigation without the expectation of legal action
  • electronically stored information (ESI): Like DNA or fingerprints, digital evidence—often referred to as electronically stored information (ESI)—is mostly latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. Forensic investigations are most likely to be launched against crimes arising from insider threats, notably fraud or misuse of equipment (to download or store obscene material, for instance).
59
Q

due process

A

requires that people only be convicted of crimes following the fair application of the laws of the land

60
Q

legal hold

A

refers to the fact that information that may be relevant to a court case must be preserved. Information subject to legal hold might be defined by regulators or industry best practice, or there may be a litigation notice from law enforcement or lawyers pursuing a civil action. This means that computer systems may be taken as evidence, with all the obvious disruption to a network that entails

61
Q

eDiscovery

A

means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial. eDiscovery software tools have been produced to assist this process. Some of the functions of eDiscovery suites are:

  • Identify and de-duplicate files and metadata—many files on a computer system are “standard” installed files or copies of the same file. eDiscovery filters these types of files, reducing the volume of data that must be analyzed.
  • Search—allow investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Semantic search matches keywords if they correspond to a particular context.
  • Security—at all points evidence must be shown to have been stored, transmitted, and analyzed without tampering.
  • Disclosure—an important part of trial procedure is that the same evidence be made available to both plaintiff and defendant. eDiscovery can fulfill this requirement. Recent court cases have required parties to a court case to provide searchable ESI rather than paper records.
62
Q

document the scene

A
  • first phase of a forensic investigation is to document the scene
  • crime scene must be thoroughly documented using photographs and ideally audio and video. Investigators must record every action they take in identifying, collecting, and handling evidence
63
Q

order of volatility

A
  • CPU registers and cache memory (including cache on disk controllers, GPUs, and so on).
  • Routing table, ARP cache, process table, kernel statistics.
  • Memory (RAM).
  • Temporary file systems.
  • Disk.
  • Remote logging and monitoring data.
  • Physical configuration and network topology.
  • Archival media.
64
Q

Coordinated Universal Time (UTC)

A
  • different operating systems and different file systems use different methods to record the time at which something occurred
  • the benchmark time is Coordinated Universal Time (UTC), which is essentially the time at the Greenwich meridian
65
Q

Retrospective Network Analysis (RNA)

A

solution provides the means to record network events at either a packet header or payload level

66
Q

image acquisition

A

process of obtaining a forensically clean copy of data from a device held as evidence. An image can be acquired from either volatile or non-volatile storage

67
Q

write blocker

A
  • assures the integrity of the image acquisition process by preventing any data on the disk or volume from being changed, filtering write commands at the driver and OS level. Mounting a drive as read-only is insufficient.
  • write blocker can be implemented as a hardware device or as software running on the forensics workstation.
68
Q

cryptographic hash or fingerprint

A

critical step in the presentation of evidence will be to demonstrate that analysis has been performed on an image of the data that is identical to the data present on the disk and that neither data set has been tampered with. The standard means of proving this is to create a cryptographic hash or fingerprint of the disk contents and of the image subsequently made of it.

69
Q

imaging

A

once the target disk has been safely attached to the forensics workstation and verified by generating a cryptographic hash of the contents, the next task is to use an imaging utility to obtain a sector-by-sector copy of the disk contents (a forensic duplicate)

70
Q

timeline

A

vital that the evidence collected at the crime scene conform to a valid timeline. Digital information is susceptible to tampering, so access to the evidence must be tightly controlled.

71
Q

chain of custody

A

records where, when, and who collected the evidence, who subsequently handled it, and where it was stored

72
Q

forensics report

A
  • detailing any matters of interest or potential evidence discovered
  • all analysis should be performed on a copy of the evidence rather than on the original devices or the secure image created at the crime scene
  • when analyzing information from hard drives taken as evidence (data recovery), one of the most significant challenges is dealing with the sheer volume of information captured. Within the thousands of files and hundreds of gigabytes there may only be a few items that provide incriminating evidence
  • forensic analysis tools help to identify what could be of interest to the forensic examiner
73
Q

Big Data

A
  • refers to large stores of unstructured information
  • data analysis tools use search-query-like functions to identify patterns and information of interest within unstructured files such as documents and spreadsheets
  • data visualization–Big Data analysis software often includes data visualization tools, which are a very powerful analysis technique for identifying trends or unusual activity
74
Q

guidelines for investigating security incidents

A
  • Develop or adopt a consistent process for handling and preserving forensic data.
  • Determine if outside expertise is needed, such as a consultant firm.
  • Notify local law enforcement, if needed.
  • Secure the scene, so that the hardware is contained.
  • Collect all the necessary evidence, which may be electronic data, hardware components, or telephony system components.
  • Observe the order of volatility as you gather electronic data from various media.
  • Interview personnel to collect additional information pertaining to the crime.
  • Report the investigation’s findings to the required people.