midterm Flashcards
- Overall process of preparing for adverse events
- Enables the respective organizational units to prepare for, detect, react to,
and recover from adverse events
- Goal: restore normal modes of operation with minimal cost
CONTINGENCY PLANNING
- Crucial foundation for the initial planning stages
- Serves as an investigation and assessment of the impact
- Systematic process to determine and evaluate the potential effects of an
interruption to critical business operations
- Preparatory activity common to both CP and risk management
- Helps the organization determine which business functions and information
systems are the most critical to the success of the organization
BUSINESS IMPACT ANALYSIS
When undertaking the BIA, the organization should
consider the following:
Scope
Plan
Balance
Objective
Follow-up
maximum amount of time that a system
resource can remain unavailable
RECOVERY TIME OBJECTIVE
point in time before a disruption or system
outage to which business process data can
be recovered
RECOVERY POINT OBJECTIVE
- total amount of time the system owner or
authorizing official is willing to accept for a
business process outage or disruption.
MAXIMUM TOLERABLE DOWNTIME
amount of effort (expressed as elapsed time)
needed to make business functions work
again after the technology element is
recovered.
WORK RECOVERY TIME
* Must be carefully planned and coordinated
* Describes the overall process of reacting to an incident
* Planning and preparation efforts for detecting, reacting to, and recovering
from an incident
INCIDENT RESPONSE
* Describes the entire set of activities, or a specific phase, in the overall
reaction
* Focuses on the immediate response to an incident
* Actions taken
INCIDENT RESPONSE PLAN
Detailed step-by-step methods of preparing for, detecting, reacting to, and
recovering from an incident.
* During the incident - planners develop and document the procedures that must
be performed during the incident.
* After the incident - procedures that must be performed immediately after the
incident has ceased.
* Before the incident - planners draft a third set of procedures.
IR PROCEDURES
Recognition that an incident is under way
Detection
Responding to the incident in a predetermined fashion to contain and mitigate
its potential damage
Reaction
Returning all systems and data to their state before the incident
Recovery
A combination of on-site and off-site tape-drive, hard-drive, and cloud backup
methods
Traditional Data Backups
Transfers data in bulk batches to an off-site facility
Electronic Vaulting
Transfers only transaction data in near real time to an off-site facility
Remote Journaling
Transfers duplicate online transaction data and duplicate databases to a remote
site on a redundant server
Database Shadowing
recommends the creation of at least three
copies of critical data (the original and two
copies)
3-2-1 BACKUP RULE
- Events that represent the potential for loss; also referred to as adverse
events.
INCIDENT CANDIDATE
adverse event that could result in a loss of
information assets
INCIDENT
- composed of technical IT, managerial IT, and
InfoSec professionals who are prepared to
detect, react to, and recover from an incident;
may include members of the IRPT.
COMPUTER SECURITY INCIDENT RESPONSE
TEAM
Relates to risk management and governance
Identify
Relates to implementation of effective security controls (policy, education,
training and awareness, and technology)
Protect
Relates to the identification of adverse events
Detect
Relates to reacting to an incident
Respond
Relates to putting things “as they were before” the incident
Recover
NIST CYBERSECURITY FRAMEWORK
Identify, Protect, Detect, Respond, Recover
organization’s set of planning and
preparation efforts for detecting, reacting to,
and recovering from a disaster.
DISASTER RECOVERY
Focuses on restoring operations at the primary site
DISASTER RECOVERY PLAN
policy document that guides the
development and implementation of DR
plans and the formulation and performance
of DR teams.
DISASTER RECOVERY POLICY
DISASTER CLASSIFICATION
- Fire
- Flood
- Earthquake
- Lightning
- Electrostatic Discharge (ESD)
* Comes into play when the damage is major or will affect the organization’s
functioning over the long term
* Ensures that critical business functions can continue if a disaster occurs.
BUSINESS CONTINUITY PLAN
CONTINUITY STRATEGIES: Hot Site, Cold Site, Warm Site
Real-time data synchronization. Most expensive.
Hot Site
No data backup and no data synchronization. Least expensive.
Cold Site
Data is synchronized daily or weekly. Cost effective.
Warm Site
6 KEY CONTINGENCY PLAN STEPS
IDENTIFY
CHOOSE
LEARN
DETERMINE
DEVELOP
EDUCATE
Collects information about the organization and the threats it faces
* Consists of a coordinating executive, representatives from major business
units, and the managers responsible for each of the other three teams.
* It should include the following personnel:
* Champion - high-level manager (COO/CEO/PRESIDENT)
* Project manager - mid-level operations manager
CONTINGENCY PLANNING MANAGEMENT TEAM
The team responsible for the IR plan - the organization’s preparation,
reaction, and recovery from an incident
Incident Response Planning Team (IRPT)
The team responsible for the DR plan - the organization’s preparation,
response, and recovery from disasters
Disaster Recovery Planning Team (DRPT)
The team responsible for the BC plan - establishing primary operations at an
alternate site until the disaster recovery planning team can recover the
primary site
Business Continuity Planning Team (BCPT)
- functional areas of the organization assigned
to develop and implement the CM plan.
Crisis Management Planning Team (CMPT)
- Focuses more on the effects that a disaster has on people than on its effects
on other assets.
CRISIS MANAGEMENT
systems determine whether and how to
admit a user into a trusted area of the
organization
ACCESS CONTROL
provide the ability to share resources in a
peer-to-peer configuration, which allows
users to control and possibly provide access
to information or resources at their disposal.
DISCRETIONARY ACCESS CONTROLS (DACS)
are managed by a central authority in the
organization.
NONDISCRETIONARY ACCESS CONTROLS
(NDACS)
users are assigned a matrix of authorizations
for particular areas of access.
LATTICE-BASED ACCESS CONTROL (LBAC)
Tied to a position or temporary assignment, such as project manager
ROLE-BASED ACCESS CONTROLS (RBACS)
are tied to a particular chore or responsibility
such as a department’s printer administrator
TASK-BASED ACCESS CONTROLS (TBACS)
use data classification schemes; they give
users and data owners limited control over
access to information resources.
MANDATORY ACCESS CONTROLS (MACS)
grants or denies access to resources based
on attributes of the user, the resource, and
the environment
ATTRIBUTE-BASED ACCESS CONTROLS
(ABACS)
unverified or unauthenticated entities who
seek access to a resource provide a unique
label by which they are known to the system.
* I am a user of the system.
IDENTIFICATION
- Process of validating an unauthenticated entity’s purported identity.
- I can prove I’m a user of the system.
- Something you know, something you have, something you are
AUTHENTICATION
involves confirming that a person or
automated entity is approved to use an
information asset by matching them to a
database
AUTHORIZATION
also known as auditability
* every action performed on a computer
system or using an information asset can be
associated with an authorized user or
system.
ACCOUNTABILITY
- Part of an information security program
- Software service running on an existing router or server
FIREWALL
- Examines the header information of data packets that come into a network.
- Scans network data packets looking for compliance with the rules of the
firewall’s database or violations of those rules.
PACKET-FILTERING MODEL
THREE (3) SUBSETS OF PACKET-FILTERING
FIREWALLS ARE:
Static Packet Filtering
Dynamic Packet Filtering
Stateful Packet Inspection (SPI)
Requires the configuration rules to be manually created, sequenced, and
modified within the firewall.
Static Packet Filtering
Can react to network traffic and create or modify its configuration rules to
adapt.
Dynamic Packet Filtering
Keeps track of each network connection between internal and external systems
using a state table, which expedites the filtering of those communications.
Stateful Packet Inspection (SPI)
also known as an application firewall
* is frequently installed on a dedicated
computer separate from the filtering router,
but it is commonly used in conjunction with a
filtering router.
APPLICATION LAYER PROXY FIREWALLS
designed to operate at the media access
control sublayer of the network’s data link
layer (Layer 2).
MEDIA ACCESS CONTROL LAYER FIREWALLS
Combine the elements of other types of firewalls; that is, the elements of
packet-filtering, application layer proxy, and media access control layer
firewalls.
HYBRID FIREWALLS
All firewall devices can be configured in
several network connection architectures
FIREWALL ARCHITECTURES
- An architecture can be implemented as a
packet-filtering router, or it could be a firewall
behind a router that is not configured for
packet filtering.
SINGLE BASTION HOSTS
- A networking scheme in which multiple real,
routable external IP addresses are converted
to special ranges of internal IP addresses,
usually on a one-to-one basis; that is, one
external valid address directly maps to one
assigned internal address.
Network Address Translation (NAT)
combines the packet-filtering router with a
separate, dedicated firewall
SCREENED HOST ARCHITECTURE
The dominant architecture today is the
screened subnet used with a DMZ.
SCREENED SUBNET ARCHITECTURE (WITH
DMZ)
Firewalls operate by examining a data packet
and performing a comparison with some
predetermined logical rules.
FIREWALL RULES
is another utility that can help protect an
organization’s systems from misuse and
unintentional denial-of-service problems.
CONTENT FILTER
The connections between company
networks and the Internet use firewalls to
safeguard that interface.
REMOTE ACCESS
- Technology that enables the creation of a secure and encrypted connection
between your device and the Internet.
- Examples: NORDVPN, PROTON, MULLVAD, EXPRESSVPN
VIRTUAL PRIVATE NETWORKS (VPNS)
also known as a legacy VPN, uses leased
circuits from a service provider and conducts
packet switching over these leased circuits.
TRUSTED VPN
use security protocols like IPSec to encrypt
traffic transmitted across unsecured public
networks like the Internet.
SECURE VPNS
- combines the trusted and secure
technologies, providing encrypted
transmissions (as in secure VPN) over some
or all of a trusted VPN network.
HYBRID VPN
of incoming and outgoing data, in which the
native protocol of the client is embedded
within the frames of a protocol that can be
routed over the public network and be usable
by the server network environment.
ENCAPSULATION
- of incoming and outgoing data to keep the
data contents private while in transit over the
public network, but usable by the client and
server computers and/or the local networks
on both ends of the VPN connection.
ENCRYPTION
of the remote computer and perhaps the
remote user as well. Authentication and
subsequent user authorization to perform
specific actions are predicated on accurate
and reliable identification of the remote
system and user
AUTHENTICATION
the data within an IP packet is encrypted, but
the header information is not.
TRANSPORT MODE
- establishes two perimeter tunnel servers to
encrypt all traffic that will traverse an
unsecured network.
TUNNEL MODE