OPS Flashcards
Microphones, vibration sensors
Acoustical Detection
Relevant, sufficient and reliable; does not have to be tangible
Admissible Evidence
The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks
Alarm filtering
A signal suggesting a system has been or is being attacked.
Alert/Alarm
Systematic assessment of threats and vulnerabilities that provides a basis for effective management of risk.
Analysis
The system recovers on its own from a single failure (system administrators are still needed to resolve additional failures)
Automatic Recovery
Higher level of recovery that also prevents the undue loss of protected objects during recovery
Automatic Recovery Without Undue Loss
Alarm wired to a local fire or police station
Auxiliary Station Systems
Tape: sequential access, slow read, fast write (about 200 GB an hour, historically);
traditionally cheaper than disk (now changing); robotic libraries
Disk: fast read/write, less robust than tape
Optical drive: CD/DVD; inexpensive
Solid state: USB drives; security issues (easily lost or stolen), so protect the contents with AES encryption
Backup Storage Media
Primary evidence: original documents (for example the contract itself) rather than copies;
used at trial because it is the most reliable
Best Evidence
Placeholders for literal values in a SQL query sent to the database server; the query text is prepared once and the values are supplied separately, which improves database performance (and, as a side effect, stops the values from being parsed as SQL)
Bind Variables
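The performance point is only half of the story for a security engineer: because bound values never become part of the SQL text, the same mechanism is the standard defence against SQL injection. The following example is added here and is not part of the original card; it uses Python's sqlite3 module (which uses `?` placeholders; Oracle uses `:name`), an in-memory database and a constructed users table to show a query built by string concatenation beside the same query with bind variables.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # executemany with bind variables: one prepared statement, many value sets
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Literal values spliced into the SQL text: whatever the user typed is parsed as SQL."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Bind variables: the SQL text is fixed; values travel separately and are only ever data."""
    sql = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic injection string, used as the password
    print("unsafe:", login_unsafe(db, "x", payload))   # every user comes back
    print("bound: ", login_bound(db, "x", payload))    # nothing matches the literal string
```

With the concatenated query the password value `' OR '1'='1` turns the WHERE clause into `username = 'x' AND password = '' OR '1'='1'`, which is true for every row; with the bound query the same string is compared literally against the stored password and matches nothing.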
Focus on illegally obtaining an organization’s confidential information. The use of the information gathered usually causes more damage than the initial event itself.
Business Attacks
Monitoring station, for example a private security firm, less than 10 minutes' travel time away
Central Stations
Documented record of the collection, analysis and preservation of evidence: who handled it, when, and what was done to it
Forensic analysis is performed on a bit-level copy of the disk, never on the original
Chain of Custody
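What makes the chain of custody defensible is that every hand-over is recorded together with a hash of the evidence, so any alteration between two entries is visible. The following example is added here and is not from the original card; it simulates a bit-level acquisition from a constructed byte string standing in for a drive, and keeps a custody log whose entries carry the SHA-256 hash observed at each step.

```python
import hashlib
from datetime import datetime, timezone

# Constructed "drive" contents for the demonstration; a real image is read from the device.
SOURCE_DISK = (
    b"MBR\x00"
    + b"/home/alice/notes.txt: meeting at 10\n"
    + b"\x00" * 64                     # unallocated space, still part of the image
    + b"deleted-but-not-wiped"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple:
    """Bit-level copy: every byte, including unallocated and slack space, not just live files.
    Returns the copy and the hash of the source so the copy can be verified against it."""
    image = bytes(source)
    return image, sha256_hex(source)


class CustodyLog:
    """Chain-of-custody record: who handled the evidence, when, what they did,
    and the hash observed at each step, compared with the acquisition hash."""

    def __init__(self, item_id: str, reference_hash: str):
        self.item_id = item_id
        self.reference_hash = reference_hash
        self.entries = []

    def record(self, handler: str, action: str, evidence: bytes, when=None) -> bool:
        observed = sha256_hex(evidence)
        entry = {
            "item": self.item_id,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": observed,
            "intact": observed == self.reference_hash,
        }
        self.entries.append(entry)
        return entry["intact"]

    def is_intact(self) -> bool:
        return bool(self.entries) and all(e["intact"] for e in self.entries)


def demo() -> CustodyLog:
    """Acquire, hand over twice, and show that a one-byte change in transit is caught."""
    image, source_hash = acquire_image(SOURCE_DISK)
    log = CustodyLog("EXHIBIT-01", source_hash)
    log.record("examiner A", "acquired image from seized drive", image)
    log.record("evidence clerk", "received for storage", image)
    tampered = image[:-1] + b"!"      # a single byte changed before the next hand-over
    log.record("examiner B", "received for analysis", tampered)
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry["handler"], entry["action"], "intact" if entry["intact"] else "ALTERED")
```

The log never stores the evidence itself, only its hash; the hash computed at acquisition is the reference every later handler checks against, and the whole chain is intact only if every entry matches it.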
Maintaining full control over requests, implementation, traceability, and proper documentation of changes.
Change Control
Electronic or electrical push-button (keypad) lock
Cipher Lock
Used to help assume another fact
Cannot stand on its own to directly prove a fact
Circumstantial Evidence
Codified (statute-based) law; Europe, South America
Civil Law
The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification.
Classification
An organization's way of classifying data by factors such as criticality, sensitivity and ownership
Classification Scheme
Overwriting media so that it can be reused
Clearing
Three-digit combination set by rotating wheels (dials)
Combination Lock
Judge-made case law; USA, UK, Australia, Canada
Common Law
Three types of harm:
unauthorized intrusion
unauthorized alteration or destruction
malicious code
Computer Crime Laws
Irrefutable, cannot be contradicted
Requires no other corroboration
Conclusive Evidence
A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack
Confidence value
Collection of component CIs that make up another CI
Configuration
Component whose state is recorded
Configuration item (CI)
Mitigate damage by isolating compromised systems from the network.
Containment
Supports or substantiates other evidence presented in a case
Corroborative Evidence
Unused (unallocated) network address space; nothing legitimate should send traffic there, so any traffic that arrives reveals scanning or other unauthorized activity
Darknet
Individuals and departments responsible for the storage and safeguarding of computerized data.
Data Custodian
A database that contains the name, type, range of values, source and authorization for access for each data element
Data Dictionary
A country or location that has no data-protection laws, or laws that are poorly enforced
Data Haven
The property that data meet a prior expectation of quality and can be relied upon.
Data Integrity
Siphoning out or leaking information by dumping computer files or stealing computer reports and tapes.
Data Leakage
Systems attempt to detect and block exfiltration attempts. These systems have the capability of scanning for keywords and patterns.
Data Loss Prevention (DLP)
Individuals, normally managers or directors, who have responsibility for the integrity, accurate reporting and use of computerized data.
Data Owner
Real-time data backup (data mirroring)
Database Shadowing
Post-incident lessons-learned stage; includes external communications
Debriefing / Feedback
Protection of stored or displayed information by removal/reduction of the magnetic field (demagnetization).
Degauss
Identification and notification of an unauthorized and/or undesired action
Detection
Bolts hardware down so it cannot be carried away
Device Lock
Copies only files modified since the last full backup and does not clear the archive bit, so each differential grows until the next full. Advantage: restore needs only the full backup plus the most recent differential. Intermediate between full and incremental in backup time.
Differential backup
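The archive-bit rule on this card is easiest to see by running both partial-backup strategies over the same history. The following example is added here and is not from the original card; it is a toy file system with one archive bit per file (constructed for the demonstration), a full backup that clears every bit, an incremental that clears the bits it copies, and a differential that leaves them set, followed by each strategy's own restore rule.

```python
class FileSystem:
    """Toy file system: file contents plus an archive bit per file.
    The bit is set whenever a file is written and cleared only by a backup that claims it."""

    def __init__(self):
        self.files = {}
        self.archive_bit = {}

    def write(self, name: str, content: str) -> None:
        self.files[name] = content
        self.archive_bit[name] = True


def full_backup(fs: FileSystem) -> dict:
    snapshot = dict(fs.files)
    for name in fs.archive_bit:
        fs.archive_bit[name] = False       # full backup clears every archive bit
    return snapshot


def incremental_backup(fs: FileSystem) -> dict:
    changed = {n: fs.files[n] for n, bit in fs.archive_bit.items() if bit}
    for name in changed:
        fs.archive_bit[name] = False       # incremental clears the bits it copied
    return changed


def differential_backup(fs: FileSystem) -> dict:
    # everything changed since the last full backup; bits are left set on purpose
    return {n: fs.files[n] for n, bit in fs.archive_bit.items() if bit}


def run_history(strategy) -> tuple:
    """Day 0: full backup of three files. Days 1 and 2: one file changes, then a partial backup.
    Returns the size of each partial set, the files a restore yields, and the real current files."""
    fs = FileSystem()
    fs.write("a.txt", "a v0")
    fs.write("b.txt", "b v0")
    fs.write("c.txt", "c v0")
    full = full_backup(fs)
    partials = []
    fs.write("a.txt", "a v1")
    partials.append(strategy(fs))          # day 1
    fs.write("b.txt", "b v1")
    partials.append(strategy(fs))          # day 2

    restored = dict(full)
    if strategy is differential_backup:
        restored.update(partials[-1])      # full + the last differential only
    else:
        for p in partials:                 # full + every incremental, in order
            restored.update(p)
    return [len(p) for p in partials], restored, dict(fs.files)


if __name__ == "__main__":
    for name, strategy in (("differential", differential_backup), ("incremental", incremental_backup)):
        sizes, restored, current = run_history(strategy)
        print(f"{name}: daily set sizes {sizes}, restore correct: {restored == current}")
```

Both strategies restore the same files; the trade-off is that the differential set on day 2 already holds both changed files (and keeps growing until the next full), while each incremental holds only that day's change but every one of them is needed at restore time. The toy ignores deletions, which a real restore must also replay.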
Can prove a fact by itself and does not need any other evidence to back it up.
Testimony from a witness about what they perceived with one of their five senses;
does not need other evidence to substantiate it
Direct Evidence
Senses a break or change in a circuit: magnets pulled loose, wires in doors and windows, pressure pads
Electromechanical Detection
Periodic, automatic and transparent backup of data in bulk.
Electronic Vaulting
Occurs after a failure happens in an uncontrolled manner, e.g. when a low-privileged user tries to access restricted memory segments
Emergency Restart
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
Endpoint-based DLP
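Both DLP cards above (the general one and the endpoint one) come down to the same mechanism: scan content for keywords and patterns, then allow or block the transfer depending on where it is going. The following example is added here and is not from the original cards; the patterns, keywords, destination list and sample texts are constructed for the demonstration, and it applies a Luhn check to candidate card numbers so that a random 16-digit order number does not raise a false positive.

```python
import re

# Constructed policy: what to look for and which destinations are controlled.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("confidential", "internal only", "do not distribute")
CONTROLLED_DESTINATIONS = {"usb", "printer", "email"}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit: rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, match) findings for card numbers, SSNs and policy keywords."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                  # pattern alone is not enough
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    return findings


def check_transfer(text: str, destination: str) -> tuple:
    """Endpoint DLP decision: sensitive content may not leave to a controlled destination.
    Returns (allowed, findings) so the findings can be logged even when the copy is allowed."""
    findings = scan(text)
    blocked = bool(findings) and destination in CONTROLLED_DESTINATIONS
    return (not blocked, findings)


if __name__ == "__main__":
    # Constructed sample content for the demonstration.
    for text, dest in (
        ("card on file: 4111 1111 1111 1111", "usb"),
        ("order ref 1234 5678 9012 3456", "usb"),
        ("This memo is CONFIDENTIAL", "printer"),
        ("quarterly picnic schedule", "usb"),
    ):
        allowed, found = check_transfer(text, dest)
        print(f"{dest:8} {'ALLOW' if allowed else 'BLOCK':5} {found}")
```

The regex finds every digit run that could be a card number; the Luhn check is what keeps the order reference out of the findings, which matters because a DLP system that blocks on pattern shape alone generates the kind of false positives users learn to work around.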
The lawful act of luring an intruder who already intends to attack, e.g. with a honeypot
Enticement
Refers to the amount of privileges granted to users, typically when first provisioning an account. A user audit can detect when employees have excessive privileges
Entitlement
The illegal act of inducing someone to commit a crime they had no intent of committing in the first place
Entrapment
Malicious act of gathering proprietary, secret, private, sensitive, or confidential information about an organization, often with the intent of disclosing or selling the information to a competitor or other interested party (such as a foreign government). Attackers can be dissatisfied employees and, in some cases, employees being blackmailed by someone outside the organization. Countermeasures: strictly control access to all nonpublic data, thoroughly screen new employee candidates, and track employee activity.
Espionage
Must be preserved and identifiable
Evidence
Sufficient: persuasive enough to convince one of its validity
Reliable: consistent with fact; the evidence has not been tampered with or modified
Relevant: its relationship to the findings must be reasonable and sensible (proof of the crime, documentation of events, proof of the acts and methods used, proof of motive, identification of the acts)
Permissible: lawfully obtained; avoid unlawful search and seizure, secret recording, privacy violations, forced confessions
Preserved and identifiable: collection, reconstruction, identification labelling, recording of serial numbers, etc.
Evidence must be preserved and identifiable
1. Discovery
2. Protection
3. Recording
4. Collection and identification
5. Analysis
6. Storage, preservation, transportation
7. Presentation in court
8. Return to owner
Evidence Lifecycle
Allows officials to seize evidence without a warrant when it is about to be destroyed (the police team moves in immediately)
Exigent Circumstances
Most conservative from a security perspective
Fail Closed/Secure
Program execution is terminated and the system is protected from compromise when a hardware or software failure occurs. For doors the term is used differently: a fail-safe door unlocks on power loss so people can get out, whereas a fail-secure door stays locked.
Fail safe system
Or resilient system: on failure, selected non-critical processing is terminated (possibly after a reboot) so that critical functions keep running
Fail soft
Switches to hot backup
Failover
Backup critical information thus enabling data recovery
Failure Preparation
The event signaling an IDS to produce an alarm when no attack has taken place
False attack stimulus
A failure of an IDS to detect an actual attack
False negative
An alert or alarm that is triggered when no actual attack has taken place
False positive
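The alert-classification cards above (Alarm filtering, Confidence value, False negative, False positive) describe one workflow: analysts label past alerts, the labels give each signature a confidence value, and that value decides which future alerts are filtered. The following example is added here and is not from the original cards; the review history, the count of missed attacks and the new alerts are constructed, and computing confidence per signature rather than per IDS is this example's own refinement of the card's definition.

```python
from collections import defaultdict

# Constructed analyst review history: (signature, verdict). Not real IDS data.
REVIEW_HISTORY = [
    ("SQLi-1001", "attack"), ("SQLi-1001", "attack"),
    ("SQLi-1001", "false_positive"), ("SQLi-1001", "attack"),
    ("ICMP-2002", "false_positive"), ("ICMP-2002", "false_positive"),
    ("ICMP-2002", "false_positive"), ("ICMP-2002", "attack"),
]
# Attacks confirmed by other means (e.g. forensics) that produced no alert at all.
MISSED_ATTACKS = 2

# Constructed incoming alerts to be filtered.
NEW_ALERTS = [
    {"signature": "SQLi-1001", "src": "10.0.0.5"},
    {"signature": "ICMP-2002", "src": "10.0.0.9"},
    {"signature": "NEW-3003", "src": "10.0.0.7"},     # no history yet
]


def confidence_values(history) -> dict:
    """Per-signature confidence: share of past alerts that turned out to be real attacks."""
    counts = defaultdict(lambda: [0, 0])          # signature -> [true alerts, total alerts]
    for sig, verdict in history:
        counts[sig][1] += 1
        if verdict == "attack":
            counts[sig][0] += 1
    return {sig: true / total for sig, (true, total) in counts.items()}


def ids_metrics(history, missed_attacks: int) -> dict:
    """Confusion counts for the IDS as a whole; false negatives come from outside the alert log."""
    tp = sum(1 for _, v in history if v == "attack")
    fp = len(history) - tp
    fn = missed_attacks
    return {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": fn,
        "precision": tp / (tp + fp),              # how often an alarm is real
        "detection_rate": tp / (tp + fn),         # how often a real attack raises an alarm
    }


def filter_alerts(alerts, confidence: dict, threshold: float = 0.5) -> tuple:
    """Alarm filtering: suppress alerts from signatures whose confidence is below the threshold.
    Signatures with no history are never suppressed, since nothing is known about them yet."""
    investigate, suppressed = [], []
    for alert in alerts:
        if confidence.get(alert["signature"], 1.0) >= threshold:
            investigate.append(alert)
        else:
            suppressed.append(alert)
    return investigate, suppressed


if __name__ == "__main__":
    conf = confidence_values(REVIEW_HISTORY)
    print("confidence:", conf)
    print("metrics:", ids_metrics(REVIEW_HISTORY, MISSED_ATTACKS))
    keep, drop = filter_alerts(NEW_ALERTS, conf)
    print("investigate:", [a["signature"] for a in keep], "suppressed:", [a["signature"] for a in drop])
```

Note that the false-negative count cannot come from the alert log, because by definition the IDS said nothing; it has to be fed in from incident records. Suppressing a low-confidence signature lowers the analyst workload but raises the false-negative rate for whatever that signature would have caught, which is why suppressed alerts are usually logged rather than discarded.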
Mitigation of system or component loss or interruption through use of backup capability.
Fault tolerance
Carried out to unlawfully obtain money or services.
Financial Attacks