Risk Management, Forensics and Backup Flashcards
Data Owner
Data owners are in charge of data ownership.
System administrator
System administrators are administrative users who are responsible for maintaining a system within its defined requirements.
System owner
System owners are in charge of data ownership.
User
Users refer to normal users who have limited access and privileges, based on their job role and tasks.
Privileged user
Privileged users have more permissions than normal users. An example is a database administrator.
Executive user
An executive user is a special subset of user.
MTBF
MTBF, the mean time between failures, is a measure of the reliability of a system. It’s the sum of (start of downtime – start of uptime), divided by the total number of failures.
RTO/RPO
RTO is the recovery time objective. This is the target time for the resumption of operations after an incident.
Recovery point objective, RPO, is the time period representing the maximum period of acceptable data loss. The data loss part is the differentiator. This relates to backup frequency.
MTTR
Mean time to repair (MTTR) is a measure of how long it takes to repair a failure. This is total downtime divided by total breakdowns.
Mission-essential functions
Mission-essential functions are those that MUST occur.
Single point of failure
A single point of failure exists when a single component can cause the failure of the entire system.
Annual Loss Expectancy (ALE)
SLE multiplied by ARO.
Single Loss Expectancy (SLE)
It’s the value of a loss expected from a single event. It’s calculated as the asset value (how much it will take to replace the asset) multiplied by the exposure factor (e.g. a 50% loss of functionality -> factor of 0.5).
Annualized Rate of Occurrence (ARO)
Annualized rate of occurrence (ARO) is how many times per year you think something will happen. This is usually based on historical data.
Order of volatility (Forensics)
If you want to figure out what happened on a system, you need a copy of the data. What do you collect first? The digital information that is most volatile. This ensures that you don’t lose important information.
Chain of custody (Forensics)
This shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control of the evidence during the process.
Legal hold (Forensics)
This term refers to the point at which an organization becomes aware that it needs to preserve evidence for a court case.
Data acquisition (Forensics)
Evidence is a set of documents, verbal statements, and material objects that are considered admissible in a court of law.
Network traffic and logs (Forensics)
Network activity of a given device can be useful data.
Capture system image (Forensics)
Imaging or dumping the physical memory of a computer can help identify evidence not available on the hard drive. This is especially useful for identifying rootkits.
Record time offset (Forensics)
Make sure that you are aware of, and record, any time offsets. The computers in question might not be synced to “real” time, so calculating the offset is important to establish timelines.
Recovery (Forensics)
In the realm of digital forensics, this is determining the relevant information and then recovering it.
Preservation (Forensics)
Evidence needs to be properly acquired, identified, protected from tampering, transported and stored.
Active logging (Forensics)
If you know which events to log, you can minimize logging scope by setting up a system that actively logs relevant info when it happens.
Hot Site (Backup)
Hot sites are fully configured environments that are ready almost immediately. They have backups that are ready or nearly ready to use.
Warm Site (Backup)
Warm sites are partially configured. They might take a few days to get up and running and likely have older backups.
Cold Site (Backup)
Cold sites have the basics, but not much more. You likely won’t have any backups, or most of the equipment you need.
Differential (Backup)
Save only files that have changed since the last full backup.
Incremental (Backup)
Save files that have changed since the last full backup, or the last incremental backup.
Snapshots (Backup)
A copy of a VM.
Full (Backup)
A complete copy of a machine’s data.