Security Operations

Question 1

¿Qué es un evento?

Answer 1

An observable change in state (en forma positiva). P. ej. cuando un sistema se prende

Question 2

¿Qué es una alerta?

Answer 2

Flagged events that may require further investigation to determine if an incident has taken place (en forma negativa).

Question 3

¿Qué es un incidente?

Answer 3

Adverse impact to the system or network. Primary goal is to really containt the damages and correct the system. Multiple negative events make an incident.

Question 4

Para efectos del examen, ¿cómo se debe pensar en el término Incident Reponse?

Answer 4

Always think as an attack, as malicious intrusion.

Question 5

What’s considered an inappropiate usage?

Answer 5

A violation of the acceptable use of a system.

Question 6

¿Cuáles son los 4 pasos de la respuesta a incidentes?

Answer 6

1. • Preparation
2. • Detection and analysis (what was the nature of the attack)
3. • Containment, erradication and recovery.
4. • Post-incident review.

Question 7

¿Qué es un problema?

Answer 7

An incident with an unknown cause is referred to as a problem.

Question 8

¿Cuáles son los pasos del “problem management”?

Answer 8

1. • Incident notification
2. • Root cause analysis
3. • Solution determination
4. • Request for change
5. • Implement solution
6. • Monitor and report

Question 9

¿Cuál es el objetivo del cómputo forense?

Answer 9

Collect evidences in such manner that it be admissible in court.

Question 10

¿Cuáles son algunos de los principios establecidos por la IOCE y la SWGDE?

Answer 10

• Evidence should not be altered as a result of collection.
• If a person is to access original digital evidence, that person must be trained for such purpose.
• Si la cadena de custodia es rota, puede resultar en que la evidencia sea inadmisible.

Question 11

Digital evidence must (5 concepts):

Answer 11

• Authentic, garantizar su orígen, que no haya sido modificada.
• Accurate, garantizar su exactitud.
• Complete, needs to tell the history complete.
• Convincing, convincente
• Admissible

Question 12

¿Cuáles son los pasos del proceso de investigación forense?

Answer 12

1) Identificación
2) Preservación
3) Collection
4) Examination
5) Analysis
6) Presentation
7) Decision

Question 13

¿Qué dice el principio de Lockard?

Answer 13

When a crime is committed, the attacker takes something and leaves something behind.

Question 14

¿A que se refiere el término Preservation?

Answer 14

Chain of custody must be well documented. A history of how the evidence was, collected, analyzed, transported, preserved.

Question 15

¿A que se refiere el término Collection?

Answer 15

• Minimize handling/corruption of evidence
• Keep detailed logs of your actions
• Capture an accurate image of the system
• Work fast, work from volatile to persistence evidence.

Question 16

¿A que se refiere el término Examination?

Answer 16

• Collecting data
• Look for signatures of known attacks
• Review audit logs
• Hidden Data recovery

Question 17

¿A que se refiere el término Analysis?

Answer 17

• Primary image (original) vs. working copy (copy)
• Working image should be a bit by bit copy of original
• Analizamos sobre la copia, obtenemos el HASH y debe ser igual al que se obtuvo para la copia en un principio.

Question 18

¿A que se refiere el término Presentation?

Answer 18

• Interpreting the results of the investigation and presenting the findings in an appropiate format.

Question 19

¿A que se refiere el término Decision?

Answer 19

• What’s the result of the investigation

Question 20

¿Cuáles son los tipos de evidencia que existen?

Answer 20

• Direct evidence
• Real evidence
• Best evidence
• Secondary evidence
• Corroborative evidence
• Evidencia circunstancial
• Hearsay
• Demonstrative

Question 21

¿Qué es la EVIDENCIA DIRECTA?

Answer 21

Can prove a fact by itself and does not need backup information. P. ej. Testimonio de testigos.

Question 22

¿Qué es la EVIDENCIA REAL?

Answer 22

Physical evidence. Los objetos usados en el crimen.

Question 23

¿Qué es la BEST EVIDENCE?

Answer 23

Most reliable, for instance: a signature contract

Question 24

¿Qué es la SECONDARY EVIDENCE?

Answer 24

Not strong enough to stand alone, but can support other evidence. P.ej. la opinión de un experto.

Question 25

¿Qué es la CORROBORATIVE EVIDENCE?

Answer 25

Support evidence. Backs up other information presented. Can’t stand on it’s own.

Question 26

¿Qué es la EVIDENCIA CIRCUNSTANCIAL?

Answer 26

Por ejemplo, que alguien diga que va a robar un banco y al otro día circunstancialmente dicho banco es robado.

Question 27

¿Qué es la evidencia HEARSAY?

Answer 27

Second hand oral or written. P. ej. “Jhon heard that Bill heard that…”, copies of a document.

Question 28

¿Qué es la EVIDENCIA DEMOSTRATIVA?

Answer 28

Presentation based. P. ej. Photos of a crime scene, x-rays, etc.

Question 29

¿A que se refiere el término “enticement”?

Answer 29

Tempting a potential criminal.

• Legal and ethical
• Honey pot

Question 30

¿A que se refiere el término “entrapment”?

Answer 30

Tricking a person into commiting a crime.

- Ilegal and unethical

Question 31

What’s a hot spare?

Answer 31

Son refacciones listas e instaladas para funcionar.

Question 32

What’s a cold spare?

Answer 32

Son refacciones almacenadas en el closet, sin instalar aún.

Question 33

¿Qué significan las siglas MTBF?

Answer 33

Mean Time Before Failure.

Métrica que se toma en cuenta para las refacciones.

Question 34

¿Qué significa RAID?

Answer 34

Redundant Array of Inexpensive Disk (Devices)

Question 35

Características del RAID 0:

Answer 35

• No redundant
• No fault tolerance
• Disk stripping
• Data is strip into the two discs.
• SPEED AND PERFORMACE

Question 36

Características del RAID 1:

Answer 36

• Fault tolerance

- Disk mirroring (two replicas) exactly identical disks

Question 37

Características del RAID 5:

Answer 37

• Disk stripping with parity

- Fault Tolerance + speed

Question 38

¿Qué son los servidores redundantes?

Answer 38

Primary server mirrors data to secondary server:

• If primary fails it rolls over to secondary
• Server fault tolerance

Question 39

¿A qué se refiere el término “clustering”?

Answer 39

• Multiple server acting as a single logic unit.

- Group of servers that are managed as a single system.

Question 40

Ventajas de los cluster:

Answer 40

• Higher availability
• Greater scalability
• Easier to manage instead of individual systems

Question 41

Características de los cluster:

Answer 41

• Looks like a single server to the user (server farm)

- May provide redundancy, load balancing, or both.

Question 42

¿Cuáles son los tipos de backups (respaldos)?

Answer 42

• Full backup
• Incremental Backup
• Differential Backup

Question 43

Características de un Full backup:

Answer 43

• Backup everything
• Archive bit is reset.
• Server crash –> restore last backup

Question 44

Características de un Incremental Backup:

Answer 44

• Backs up all files that have been modified since last backup.
• Archive bit is reset.
• Everything is change since last back up.
• Server crash –> restore last full back up + all incremental backup

Question 45

Características de un Differential Backup:

Answer 45

• Backs up all files that have been modified since last full backup.
• Archive bit is not reset.
• Server crash –> restore last full backup + last differential backup

Question 46

¿Cuál es el respaldo más rápido de restaurar?

Answer 46

Full Backup

Question 47

¿Cuál es el respaldo más lento en restaurar?

Answer 47

Incremental.

Question 48

¿Qué es un archive bit?

Answer 48

It’s like a flag, que indica que un archivo cambió. Bandera alzada.

Question 49

¿Qué es un “Copy Backup”?

Answer 49

• Same as a full backup, but archive bit is not reset.

- Use before upgrades, or system maintenance.

Question 50

¿A qué se refiere el término “Disk Shadowing”?

Answer 50

• Mirror technology
• Updating one or more copies of data at the same time
• Data saved to two media types for redundancy
  BACKUP BACKUP

Question 51

What’s Electroning Vaulting?

Answer 51

• Copy of modified file is sent to a remote location where an original backup is stored.
• Transfers bulk backup information
• Batch process of moving data, P.ej. batch every hour

Question 52

What’s remote journaling?

Answer 52

• Moves the journal or transaction log to a remote location, not the actual files.
  TRANSACTIONAL LOGS.