Security+ 3 Flashcards
When conducting any forensic data capture, investigators should take note of the current time from a reliable source and compare it to the time on the device (recording the time offset).
Write Blockers : prevent accidental modification of disk during imaging.
NetFlow : captures high-level info about all communications on a network. Includes : IP addresses and ports, timestamps, amount of data transferred, but not the payload of the actual packets; routers and firewalls capture NetFlow data.
Operational Investigations : look into technology issues, restore normal operations as quickly as possible, use very low standards of evidence, involve root cause analysis.
Digital Forensics : techniques that collect, preserve, analyze and interpret digital evidence.
Order of Volatility : network traffic, memory contents, system and process data, files, logs, and archived records.
Eradication and Recovery : remove the effects of the incident and return to normal operations. Technical recovery ex : rebuild compromised systems, remove malware, disable breached accounts, restore corrupted or deleted data.
Incident Reconstitution : identify and remediate vulnerabilities, ex : applying security patches, updating firewall rules, implementing intrusion prevention, strengthening access controls.
Triaging Incidents : Low impact : minimal potential to affect security; normally handled by first responders; doesn't require after-hours response. Moderate impact : significant potential to affect security; triggers incident response team activation; requires prompt notification to management. High impact : may cause critical damage to info or systems; gets an immediate full response; requires immediate notification to senior management; demands full mobilization of the incident response team.
Incident Mitigation : control damage and loss to the org. through containment; consider : damage potential, evidence preservation, service availability, resource requirements, expected effectiveness, solution timeframe.
Incident Data Sources : IDS/IPS, firewalls, authentication systems, integrity monitors, vulnerability scanners, system event logs, NetFlow records, anti-malware packages, etc …
Escalation and Notification Objectives : escalate incident severity based on impact, escalate response to appropriate level, notify management and other stakeholders.
Incident Response Procedures : contain the details of the plan and tactical guidance for incident responders. ex : notification, escalation, reporting, system isolation, forensic analysis, and evidence handling.
Communications with : senior executives, legal counsel, public relations, regulatory agencies, law enforcement. Components of the IR team : management, info security, subject matter experts, legal counsel, public affairs, HR, physical security staff. Also have test scenarios to exercise staff capabilities, etc.
Supply Chain Assessment : Security professionals should pay careful attention to managing vendor relationships in a way that protects the confidentiality, integrity, and availability of their org.'s info and IT systems.