Terms in this set (102)
IR reaction strategy
What to do once a incident has been detected
If an organization chooses the protect and forget instead of apprehend and prosecute philosophy, what aspect of IR will be most affected?
Data collection tasks
First task of CSIRT leader upon arrival?
Assessment of the situation
Second Task of CSIRT leader
Assert control over situation
Best thing to make CSIRT most effective
First imperative of the CSIRT when there is a confirmed incident
Why might an organization forego trying to identify the attacking host during an incident response?
Can take time away from minimizing impact
Phase after containment during IR
A second attack using the means of the first attack occurs while the first attack is still underway
Phase after eradication in IR
Primary determinant of which containment and eradication strategies are chosen
What is watchful waiting and why is it useful?
A tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected.
Why is delayed containment not recommended for most CSIRTs?
What is a DoS attack and how does it differ from a DDoS attack?
Prevents legitimate users from accessing network by consuming resources, DDoS comes form multiple sources.
What is the first and most important step in preparing for DoS and DDoS attack responses?
Coordinating with service provider
What is malware?
Designed to damage, destroy, or deny service to the targeted system
What is spam? Can it cause an incident?
Unwanted email traffic, can carry malware.
What is unauthorized access?
When actor(s) access the operating system's API and gains access to info without permission
What is inappropriate use?
Use of company system for prohibited actions
What is a hybrid incident?
Begin as one type of event and turns into another
What is an incident damage assessment?
The initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets.
What are some reasons a safeguard or control may not have been successful in stopping or limiting an incident?
Malfunctioning secuirty device
What must be done with interrupted services during the recovery process?
They need to be brought back online
What procedures should occur on a regular basis to maintain the IR plan?
Plan review and maintenance
What is digital forensics?
The use of forensic techniques when the source evidence is digital
What guides an organization in setting up a forensic capability?
Cost, response time, data sensitivity
How do organizations often divvy up the practice of digital forensics?
First response, analysis and presentation
What are the common roles and duties of a digital forensic first-response team?
Assessing the scene, identifying the sources of relevant digital information and preserving it for later analysis
What factors determine which digital evidence should be collected and in what order?
-Volatility-Stability of info over time
In forensic analysis, what are the differences between examination and analysis?
examination - don't draw conclusions
analysis - draw conclusions
What type of document is usually required when an organization other than a law enforcement agency obtains authorization for a search?
In what main way does search and seizure differ in the public and private sectors?
In private sector it is more common to authorize the collection of images of digital info, in public searches authorize the collection of relevant items containing the information.
What are the four steps in collecting digital evidence?
Identify sources of evidentiary material, authenticate the evidentiary material, collect the evidentiary material, and maintain a documented chain of custody.
What two hash functions are commonly used as digital fingerprints?
.MD-5 and SHA
What is the purpose of sterile media?
Making sure that the media contains no residue from previous use in order to prevent claims of tainting the evidence
What types of info are missed by a normal copying process but included in a forensic image?
Deleted entries in a directory, remnants of old files, deleted but no yet overwritten files, free space which might contain other files or fragments.
What is anti-forensics?
Anti-forensics is an attempts made by suspects to hide evidence
Why is cryptography a good thing for IT workers but a bad thing for forensic investigators?
Cryptography keeps assets secure for IT and makes evidence harder to uncover for forensics.
Why do some organizations abdicate all responsibility for DR planning to the IT department?
Because they are keenly interested in keeping IT available during and after disasters
How can you classify disasters based on the way they emerge and become an issue for an organization?
Natural disasters, man-made, rapid-onset, slow-onset
What entity is responsible for creating the DR team? What roles should the DR team perform?
The CPMT. Develop DR plans, maintain and update DR plans, test plans, train.
What are the commonly used subteams of the DR team? What role does each play?
hardware team, software team, and a network team
What are some examples of special documentation or equipment that may be needed for DR team members?
Data recovery software, blueprints, keys, water lines, insurance contacts
What are the steps that are generally followed in the DR development process
Develop DR planning policy statement, review BIA, identify preventive controls, create DR contingency strategies, develop the DR plan, ensure DR plan testing, training, and exercises, and ensure DR plan maintenance.
What key elements should be included in the DR policy?
Purpose, scope, roles & responsibilities resource requirements, training requirements, exercise and testing schedules, plan maintenance schedule, special considerations.
How does a general contractor affect the DR plan?
What are the 3 general sections of planning for DR activities?
Client/server, data communications, mainframe
WHY ARE THE DR ACTIVITY GROUPS PRESENTED OUT OF SEQUENCE (DURING, AFTER, BEFORE) instead of chronological
Activities during a disaster are most urgently needed in the event of plan activation, it is the important to determine what to do immediately following a disaster, and least important to plan before a disaster.
What are the major activities planned to occur during the disaster?
Identify trigger, escalate. Identify what must be done to react.
What are the major activities planned to occur after the disaster?
What are the major activities planned to occur before the disaster?
.test, train, exercises.
What is a DR after-action review (AAR), and what are the primRY OUTCOMES FROM IT?
What worked and what didn't, improvements.
According to NIST SP 800-34, what 2 perspectives should be used to plan a system recovery strategy?
Contingency planning from DR and BC
What are the advantages of combining the DR and BC plans? What are the disadvantages?
A - saves efforts and cost D - They require different teams
What are the ongoing challenges associated with local emergency services, service providers, and community-related issues that organizations face when confronted with a disaster?
Delay under triage of requirements so that most critical get answered first. Public services such as transportation and garbage collection will be delayed. Utilities will be disrupted.
What is a worst-case scenario?
A situation that results in service disruptions for weeks or months, requiring a government to declare a state of emergency.
What are the primary goals of business resumption planning?
1) eliminate or reduce the potential for injuries or loss of human life, damage to facilities, and loss of assets and records, 2) stabilize the effects of the disaster; and 3) implement the procedures contained in the DR and business resumption plan
What are the key features of the DR plan?
- Clear delegation of roles and responsibilities
- Execution of alert roster and notification of key personnel
- Use of employee check0in systems
- Clear establishment and communication of business resumption priorities
- Complete and timely documentation of the disaster
-Preparations for alternative implementations
Describe the phases in a DR plan
Preparation - Planning and rehearsal
Response - Identification of disaster, notifications, and immediate response
Recovery - Recovery of necessary business information and systems
Resumption - The restoration of critical business functions
Restoration - The reestablishment of operations are the primary site as it was before the disaster
What is job rotation? Why is it a useful practice from a DR plan perspective?
Prepares staff for personnel shortages or outages.
What does it mean when operations are in degraded mode? Should organizations prepare to operate in this mode?
Degraded mode is when operations are under adverse conditions. Organizations should prepare for this in order to learn how to adapt to these situations.
What should be the primary focus of the training that is provided to the network recovery team?
Reestablishing ad hoc networks quickly but securely.
What are the primary duties of the business interface team?
This team is responsible for working with the remainder of the organization to assist in the recovery of non technology functions.
How should the business interface team be trained?
Should combine technical and non technical functions to ensure that the technology needs of the business groups are met. Training involves interfacing with the various business groups to determine their routine needs.
Describe the various rehearsal and testing strategies that an organization can employ.
desk check - provide copies of DR plan, simulation - stop short of actual physical activity, parallel testing, full-interruption, war gaming. Sequential roster for small organization, hierarchical structure for large organizations.
Why must the alert roster and the notification procedures that use it be tested more frequently than other components of the DR plan?
It is subject to continual change because of employee turnover.
What is an auxiliary phone alert and reporting system, and what functions can it perform for an organization during DR planning?
An IS with a telephony interface that can be used to automate the alert process. It can distribute info about the disaster and collect info about status of employees. Faster than manual alert system.
Describe the use of an "I'm okay" line. When and how might an organization make use of this technology?
This service allows employees when notified of a disaster either by alert system or through public media to call a predetermined number. Employees report status by entering employee number.
What are the primary objectives of the response phase of the DR plan?
- Protect human life
-Attempts to limit and contain the damage to the organization's facilities and equipment
-Manage communication with employees and other stakeholders.
What are the primary objectives of the recovery phase of the DR plan?
-Recover critical business functions
-Coordinate recovery efforts
-Acquire resources to replace damaged or destroyed materials and equipment
-Evaluate the need to implement the BC plan
What are the primary objectives of the resumption phase of the DR plan?
- Initiate implementation of secondary functions
-Finalize implementation of primary functions
-Identify additional needed resources
-Continue planning for restoration
What are the primary objectives of the restoration phase of the DR plan?
-Repair all damage to primary location or select or build replacement facility
-Replace the damaged or destroyed contents
-Coordinate the relocation from temp offices to primary location or to a suitable new replacement facility
-Restore normal operations at the primary location, beginning with critical functions and then secondary
Stand down the DR teams and conduct the after-action review
What is a BCP?
The final response of the organization when faced with any interruption of its critical operations.
What is the difference between disaster recovery and business continuity?
DR - normal functions at primary site
BC - normal functions alternative site
What are RTO and RPO?
RTO- amount of time business can tolerate until the alternate capabilities are available
RPO - Point in the past to which the recovered application and data at the alternative infrastructure will be restored
What parts of the organization should the BC team draw on for its members?
-Corporate functional units
-Information security managers
List the subteams that support the BC team
-Computer (hardware) setup
-Systems recovery (OS)
What should be the first step in the business continuity planning process? Which NIST document is used to inform this process?
Make policy. SP 800-34
List and describe the component parts of the BC policy document.
-Exercise and testing schedules
-Plan maintenance schedule'-Special considerations
List and describe the phases of the BC plan
- Prep for BC actions
-Relocation to alternative site
-Return to primary site
What are the advantages of including an AAR process in the BC plan?
What are the critical steps in the BC implementation process?
-Relocation to alternative site
-establishment of operations
-return to primary site
Is it practical to prepare for all possible contingencies? How can this best be handled?
No, general training programs, specific training programs off site.
What is an advance party?
Includes members or representatives of each major BC team
Why may all needed equipment not be pre-positioned at the alternate site?
Some equipment is too expensive or unique for pre-purchasing
What steps should be followed in a return to the primary site?
Scheduling move, clearing BC site, and conducting an AAR
What is a business crisis?
A significant disruption that stimulates media coverage and has political, legal, financial, or governmental impacts.
What is crisis management?
Actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.
What is a sudden crisis? How is it different from a smoldering crisis?
sudden crisis: A disruption that occurs without warning
smoldering crisis: Not generally known within or without the company
What is emergency response?
Actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
What is crisis communications?
Those steps taken to communicate what is happening or has happened to internal and external audiences.
What is humanitarian assistance?
Actions taken to meet the psychological and emotional needs of various stakeholders
List the general CM recommended practices.
1. Build contingency plans, identify teams, train staff, and rehearse scenarios before a crisis occurs
2. Verify that all staff know that only designated crisis management team members may represent the company
3. Plan to react as fast as possible because the first few hours established the baseline narrative that the media will use for most ongoing reporting
4. Make sure your plans and processes are of the highest quality by employing expert reviews and professional crisis management consultants
5. Make it part of culture to always give the most complete and accurate information possible in a given situation
6. Consider long-term effects as well as the short-term losses that may occur
What is the CM planning committee, and how does it differ from the CM team?
CM planning - Representatives offer advice and guidance
CM Team - Trained individuals responsible for responding to incident
What are the critical success factors for CM planning?
Leadership, speed of response, a robust plan, adequate resources, funding, caring and compassionate response, and excellent communications.
What sections should be included in a CM plan?
What is the chain of command?
What is an assembly area? When and how is it used in CM?
An area where people should gather in the event of a specific type of emergency and facilitate a head count.
What are EAPs? How are they used in CM?
Employee assistance program - can provide a variety of counseling services to assist employees in coping with surviving a crisis, PTSD
When dealing with the loss of staff, what strategies can be employed?
Cross-training, job and task rotation, and redundancy
What federal agencies may be involved during a crisis?
Department of Homeland Security, the Federal Emergency Management Agency, the Secret Service, the Federal Bureau of Investigation, and the federal hazardous material agencies
What is succession planning (SP)?
The process used to enable an organization to cope with the loss of key personnel with a minimum of disruption.