Combo with "Quiz 12" and 3 others
Terms in this set (101)
Does extensive preprocessing of the evidence items and organizes the various items into a tabbed display.
A technique in which a term is extended via links to subsidiary terms.
Recovering files, images, and so forth from fragments in free space.
Has a set of all the portable equipment and tools needed for an investigation.
Device that allows you to acquire the information on a drive without accidentally damaging the drive's contents.
Drying agents to absorb any moisture.
Presents an extensible forensic platform that makes it easy for trained investigators to carry out their tasks.
Must be disclosed.
An enclosure that blocks electromagnetic waves so that a device cannot transmit or receive radio signals while in custody.
The _____ handles computer crimes that are categorized as felonies.
Who is responsible for maintaining control of the field evidence log and locker?
In large organizations, _____ are skilled in the operations of particular tools used to gather the analysis information.
A disadvantage to hardware imaging platforms is that they are ____.
If an organization routinely searches every employee's computer or if it conducts truly random searches and uncovers potential evidentiary material, then the findings are admissible in any legal proceeding.
An organization's _____ policy must spell out the procedures for initiating the investigative process, including management approvals.
In a live acquisition, the investigator concludes that the volatile information is important enough to sacrifice the durable information that might be obtained by powering down the system.
One way to authenticate a particular digital item (which is represented as a collection of bits) is by means of a cryptographic ____.
fighting cyber crime
According to Gordon Snow, the assistant director of the FBI's Cyber Division, (1) countering efforts by foreign countries to steal our nation's secrets, (2) evaluating the capabilities of terrorists in a digital age, and (3) ________ _____ ____ are the FBI's highest priorities.
Forensic investigators use ____ (also known as sector-by-sector) copying when making a forensic image of a device.
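The two cards above (hash authentication of a digital item, and sector-by-sector copying) describe one workflow: copy every sector of the source, unallocated space included, and record a hash at acquisition time so the image can be authenticated later. The following is an added example, not code from this card set or from any forensic tool; the "drive" is a constructed bytes object, and the 512-byte sector size, the choice of SHA-256 and all function names are assumptions for illustration.

```python
"""Bit-stream (sector-by-sector) acquisition with hash authentication.

Added example, not from this card set or any forensic tool's own code.
The "drive" is a constructed bytes object; the 512-byte sector size, the
SHA-256 choice and all function names are assumptions for illustration.
"""
import hashlib
import io

SECTOR = 512  # assumed sector size


def make_device(n_sectors=8):
    """Constructed stand-in for a drive: a marker in sector 0, a remnant of
    a 'deleted' file sitting in otherwise free space in sector 3, and a
    short write at the very end of the last sector."""
    dev = bytearray(n_sectors * SECTOR)
    dev[0:8] = b"BOOTREC\x00"
    frag = b"deleted-secret-note "
    dev[3 * SECTOR:3 * SECTOR + len(frag)] = frag
    dev[-4:] = b"TAIL"
    return bytes(dev)


def image_device(src, dst, sector_size=SECTOR):
    """Copy every sector of src to dst, including unallocated space,
    hashing the bytes as they are read. Returns (bytes_copied, sha256)."""
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = src.read(sector_size)
        if not chunk:
            break
        h.update(chunk)
        dst.write(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


def verify_image(image_bytes, expected_digest):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_digest


def acquire(device_bytes):
    """Image a constructed device and return (image, acquisition_hash)."""
    src, dst = io.BytesIO(device_bytes), io.BytesIO()
    copied, digest = image_device(src, dst)
    if copied != len(device_bytes):
        raise RuntimeError("short read during acquisition")
    return dst.getvalue(), digest


if __name__ == "__main__":
    dev = make_device()
    img, digest = acquire(dev)
    print("image bytes:", len(img), "sha256:", digest)
    print("verifies:", verify_image(img, digest))
    print("after flipping one byte:", verify_image(img[:-1] + b"\x01", digest))
    print("carvable fragment present:", b"deleted-secret-note" in img)
```

The fragment in sector 3 is the point of sector-by-sector copying: a logical file copy would never include it, while the bit-stream image does, so it remains available for carving. The digest is computed from the source stream as it is read, so a later mismatch tells you the image, not the record, has changed.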
Since analysis reports must clearly communicate highly technical matters to varying audiences, critical details can be sacrificed.
A ____ is a clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability.
CP Management Team (CPMT)
The team responsible for conducting the business impact analysis (BIA)
A _______ backup is the storage of all files that have changed or have been added since the last full backup.
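Differential and incremental backups differ only in the reference point used to decide what gets copied, and that choice drives how many sets a restore has to read back. The following is an added example, not from this card set; the file catalogue, the schedule and the integer timestamps (standing in for epoch seconds) are constructed, and the function names are assumptions for illustration.

```python
"""Differential vs incremental backup selection and the restore chain each implies.

Added example, not from the card set. The file catalogue, the backup
schedule and the timestamps (plain integers standing in for epoch seconds)
are constructed; function names are assumptions for illustration.
"""


def select_files(catalog, last_full, last_any, mode):
    """Return the paths a backup run would copy.

    catalog   : dict path -> mtime
    last_full : time of the last full backup
    last_any  : time of the most recent backup of any kind
    mode      : 'differential' copies everything changed since the last full;
                'incremental' copies everything changed since the last backup.
    """
    if mode == "differential":
        since = last_full
    elif mode == "incremental":
        since = last_any
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return sorted(path for path, mtime in catalog.items() if mtime > since)


def simulate(catalog, full_at, run_times, mode):
    """Run a schedule and return {run_time: [paths copied]}."""
    runs = {}
    last_any = full_at
    for t in run_times:
        visible = {p: m for p, m in catalog.items() if m <= t}  # files as they existed at t
        runs[t] = select_files(visible, full_at, last_any, mode)
        last_any = t
    return runs


def restore_chain(full_at, run_times, mode, restore_point):
    """Which backup sets must be read back to recover the state at restore_point."""
    done = [t for t in run_times if t <= restore_point]
    if not done:
        return [full_at]
    if mode == "differential":
        return [full_at, done[-1]]          # full + newest differential only
    return [full_at] + done                 # full + every incremental, in order


# Constructed catalogue: path -> last-modified time
CATALOG = {"a.txt": 150, "b.txt": 250, "c.txt": 350, "old.txt": 50}
FULL_AT = 100
RUNS = [200, 300, 400]

if __name__ == "__main__":
    for mode in ("differential", "incremental"):
        print(mode, simulate(CATALOG, FULL_AT, RUNS, mode),
              "restore@400 needs", restore_chain(FULL_AT, RUNS, mode, 400))
```

Each differential set grows until the next full backup, but a restore needs only two sets; incremental sets stay small, and a restore has to replay every one of them in order, which is where the storage-versus-retrieval-time trade-off on the next card comes from.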
Active / Active
____ clustering is a more complex model in which all members of a cluster simultaneously provide application services.
Time required to store and retrieve information
What is the drawback of tape backups?
In some organizations, which two plans are considered to be one plan, known as the business resumption plan?
An _____ is a detailed description of the activities that occur during an attack, including the preliminary indications of the attack as well as the actions taken and the outcome.
The identification of an incident begins with the ______ - that is, the circumstances that cause the IR team to be activated and the IR plan to be initiated.
Computer Security Incident Response Team (CSIRT)
The _____, which is also known as the Security Incident Response Team (SIRT), is the group of individuals who would be expected to respond to a detected incident.
_______ is the transfer of live transactions to an off-site facility.
____ are the representative collection of individuals with a stake in the successful and uninterrupted operation of the organization's information infrastructure.
Incident ______ is the process of evaluating organizational events, determining which events are possible incidents (also called incident candidates), and then determining whether each incident candidate is an actual incident or a nonevent (also called a false positive incident candidate).
According to D. L. Pipkin, the use of ___ ____ is a definite indicator of an actual incident.
_______ techniques are generally used by organizations needing immediate data recovery after an incident or disaster.
The _____ review entails a detailed examination of the events that occurred from the first detection to final recovery.
______ planning ensures that critical business functions can continue if a disaster occurs.
Which cloud type acts as a collaboration between a few entities for the sole benefit of those entities?
Incident response focuses on immediate response to small-scale events.
NAS works well with real-time applications because of the latency of the communication methods.
The final step of the IR planning according to NIST is plan maintenance.
The date associated with a particular version or build.
A hardware or software item that is to be modified and revised throughout its life cycle.
A significant revision from its previous state.
A collection of components that make up a configuration item.
A minor revision of the version from its previous state.
A collection of configuration items that is usually controlled and that developers use to construct revisions and to issue new configurations items.
A list of the versions of components that make up a build.
The recorded state of a particular revision of a software or hardware configuration item.
A snapshot of a particular version of a software assembled (or linked) from its various component modules.
On most current versions of Microsoft Windows-based systems, logging is managed by the ______, which is accessible from the system control panel.
Acquire and implement
Which COBIT domain focuses on ongoing maintenance and change requirements to extend the usability of the system?
In security management, _________ is what authorizes an IT system to process, store, or transmit information.
In the Windows OS, services are usually initiated (loaded or started) at boot-up as ______, which consist of software code, data, and/or other resources necessary to provide the service.
______ technology provides a layer of correlation that groups similar events from various technologies, locations, and environments.
What is logged in the system log is predetermined by Windows
The primary purpose of ________ is to enable organization to obtain certification; it serves more as an assessment tool than an implementation framework.
For logon events, audit systems will usually make a log entry when a user does ____ ___.
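The correlation card above and this logon-event card meet in a common detection rule: take logon failures recorded by different technologies on different hosts, normalise them to one shape, and group them by source address inside a time window. The following is an added example, not from the card set or any SIEM product; the log lines are constructed (their layouts loosely follow a Windows 4625 event and an OpenSSH "Failed password" line, but the exact formats are assumptions), as are the 60-second window and the threshold of 4.

```python
"""Correlating logon failures from two different log sources.

Added example, not from the card set or any SIEM product. The log lines
below are constructed; the field layouts loosely follow a Windows 4625
event and an OpenSSH "Failed password" line, but the exact formats, the
60-second window and the threshold of 4 are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WIN_FAIL = re.compile(r"^(\S+) (\S+) EventID=4625 TargetUserName=(\S+) IpAddress=(\S+)$")
SSH_FAIL = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

LOGS = [  # constructed sample
    "2024-05-01T10:00:01 winsrv01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2024-05-01T10:00:03 winsrv01 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2024-05-01T10:00:04 bastion sshd[2211]: Accepted publickey for deploy from 198.51.100.9 port 40000 ssh2",
    "2024-05-01T10:00:05 winsrv01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "2024-05-01T10:00:07 bastion sshd[2212]: Failed password for alice from 203.0.113.7 port 51234 ssh2",
    "2024-05-01T10:00:09 bastion sshd[2213]: Failed password for invalid user root from 203.0.113.7 port 51235 ssh2",
    "2024-05-01T10:00:30 bastion sshd[2214]: Failed password for bob from 198.51.100.9 port 51300 ssh2",
    "2024-05-01T10:05:30 bastion sshd[2215]: Failed password for bob from 198.51.100.9 port 51301 ssh2",
]


def normalize(line):
    """Map a raw line from either source onto one event shape, or None."""
    m = WIN_FAIL.match(line)
    if m:
        ts, host, user, ip = m.groups()
        return (datetime.fromisoformat(ts), host, "windows", user, ip)
    m = SSH_FAIL.match(line)
    if m:
        ts, host, user, ip = m.groups()
        return (datetime.fromisoformat(ts), host, "ssh", user, ip)
    return None  # not a logon failure; ignored by this rule


def correlate(lines, window=timedelta(seconds=60), threshold=4):
    """Group failures by source IP and raise one alert per IP whose failures
    reach the threshold inside a sliding window, regardless of which
    system or technology recorded them."""
    events = sorted(e for e in map(normalize, lines) if e is not None)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        best, start = [], 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            if end - start + 1 > len(best):
                best = evs[start:end + 1]       # densest burst seen so far
        if len(best) >= threshold:
            alerts.append({
                "ip": ip,
                "count": len(best),
                "sources": sorted({e[1] for e in best}),
                "technologies": sorted({e[2] for e in best}),
                "users": sorted({e[3] for e in best}),
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(LOGS):
        print(a)
```

Neither host alone crosses the threshold (three Windows failures, two SSH failures); only after grouping across technologies does 203.0.113.7 stand out, while 198.51.100.9's two failures five minutes apart stay below the line.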
A _____ is an instance of a computer program or application that is being executed.
A ____ is a measurement of activity that represents the normal state or routine condition.
______ is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks.
A _____ (sometimes called a network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them or stores the packets for later analysis.
A ____ vulnerability scanner listens in on the network and identifies vulnerable versions of both server and client software.
The _____ stage of the attack methodology is a systematic survey of the target organization's internet addresses, conducted to identify the network services offered by the hosts in that range.
One of the preparatory parts of the attack methodology is the collection of publicly available information about a potential target, a process known as _____.
____ verify that an organization's security policies are prudent (cover the right issues) and are being implemented correctly.
directory traversal attack
If web software can access parts of the underlying operating system's file system through normal URL mappings, a ______ ___ _____ may occur.
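The card above describes the condition; what it looks like in code is a file-serving routine that joins the request path onto the web root without checking where the result lands. The following is an added example, not from the card set; the web root, the files inside and outside it, and the function names are constructed for illustration, and the files are created in a temporary directory so it runs anywhere.

```python
"""Directory traversal: a naive file-serving routine beside a hardened one.

Added example, not from the card set. The web root, the files inside and
outside it, and the function names are constructed for illustration;
the files are created in a temporary directory so it runs anywhere.
"""
import os
import tempfile


def vulnerable_read(web_root, requested):
    """Deliberately naive: the URL path is joined straight onto the web root,
    so '../secret.txt' (or an absolute path) escapes the root."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def safe_path(web_root, requested):
    """Resolve the request against the web root and refuse anything whose
    canonical location is not inside it. realpath() also collapses symlinks,
    so a link planted under the root cannot point back out."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return candidate


def hardened_read(web_root, requested):
    with open(safe_path(web_root, requested), "rb") as f:
        return f.read()


def build_site():
    """Constructed layout: <tmp>/www/index.html is public, <tmp>/secret.txt is not."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "secret.txt"), "wb") as f:
        f.write(b"db_password=hunter2")
    return root


def demo(requested="../secret.txt"):
    """Return (what the naive server leaks, whether the hardened one refused)."""
    root = build_site()
    leaked = vulnerable_read(root, requested)
    try:
        hardened_read(root, requested)
        refused = False
    except PermissionError:
        refused = True
    return leaked, refused


if __name__ == "__main__":
    print(demo())
    print(hardened_read(build_site(), "index.html"))
```

Note that os.path.join discards the root entirely when the request is an absolute path, so the check has to be made on the resolved result, not on the request string; stripping "../" from the input is not enough.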
Requirements for a complex password system include using a _____ value, implementing strong encryption, requiring periodic password changes, and generally implementing a system where guessing a password or its hash is very difficult.
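The salt requirement on the card above is easiest to see by comparing a salted, iterated hash with a bare one. The following is an added example, not from the card set; PBKDF2-HMAC-SHA256 from Python's standard library stands in for the "strong" function, and the iteration count, the storage record format and the function names are assumptions for illustration.

```python
"""Salted, iterated password hashing versus a bare hash.

Added example, not from the card set. PBKDF2-HMAC-SHA256 from Python's
standard library stands in for the "strong" function; the iteration count,
the storage format and the function names are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed; raise it as hardware gets faster


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt means two users with the same password get
    different records, so one precomputed table cannot crack both."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()))


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record {algo!r}")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """What NOT to do: identical passwords give identical, table-lookupable hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print("salted records differ for the same password:", a != b)
    print("verify right password:", verify_password("correct horse", a))
    print("verify wrong password:", verify_password("Correct horse", a))
    print("unsalted hashes collide:",
          unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))
```

Storing the iteration count in the record is what lets the periodic-change requirement on the card be paired with a cost increase: old records keep verifying with their recorded parameters while new ones are written with the higher count.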
The process of exploring the internet presence of a target is sometimes called _______.
The most realistic type of penetration test is a _____ box test. (374)
An __________ vulnerability scanner initiates traffic on the network in order to identify security holes.
trusted network name resolution
Implementing applications that can verify the true communication destination during execution helps prevent vulnerabilities associated with ______.
Passive scanners are advantageous in that they are unlikely to be detected by an IDPS.
An 802.11 wireless network exists as a separate _____ on nearly all large networks.
Probably the most popular network scanner is ______ which runs on both UNIX and Windows systems.
Most web browsers will not allow users to see the HTML code of the Web page.
A ___ is a transport layer address that serves as a communication endpoint through which a specific application/process exchanges data.
A ____ uses techniques and tools available to an attacker to evaluate the organization's defense mechanisms and processes.
_____ is a testing technique that looks for vulnerabilities in a program or protocol by feeding random input into the program or the network running the protocol.
Organizations are safe from sniffer attacks when their computing environment is primarily a packet-switched network.
Command / SQL Injection
_______ vulnerability can occur if a programmer does not properly validate user input and allows an attacker to include unintended SQL inputs that can be passed to a database?
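The injection on the card above comes from building the query text out of user input; the fix is to hand the input to the database as a parameter so it is never parsed as SQL. The following is an added example, not from the card set; it uses an in-memory SQLite database with a constructed users table, and the table layout, the sample rows, the attacker inputs and the function names are assumptions for illustration.

```python
"""SQL injection: string-built query beside a parameterised one.

Added example, not from the card set. It uses an in-memory SQLite
database with a constructed users table; table layout, the sample rows and
function names are assumptions for illustration.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    con.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, name, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so
    quotes and comment markers in the input become part of the query."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Placeholders keep the input as data: the database never parses it as SQL."""
    row = con.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] if row else None


PAYLOADS = {  # constructed attacker inputs
    "tautology": ("alice", "' OR '1'='1"),   # password check becomes ... OR '1'='1'
    "comment":   ("alice'--", "anything"),   # everything after -- is discarded
}

if __name__ == "__main__":
    con = make_db()
    for label, (n, p) in PAYLOADS.items():
        print(label, "vulnerable ->", login_vulnerable(con, n, p),
              "| safe ->", login_safe(con, n, p))
```

Both payloads log in as alice through the string-built query and are rejected by the parameterised one, while the genuine credentials work through both; the parameterised version loses nothing except the ability to have its logic rewritten by its input.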
Refers to the tools and techniques for breaking into more systems, gaining further network access, or gaining access to more resources.
Is a centralized collection and reporting facility that focuses on the tracking and dissemination of information about current computer security threats.
Seeks to prevent changes that could detrimentally affect the security of a system.
This records events generated by specific applications or programs. A spreadsheet program might record an error for access to a file in the application log.
(IR) Incident Response Plan
The actions an organization should take while an incident is in progress are defined in a document referred to as a ___ ___ ___.
The bulk transfer of data in batches to an off-site facility is called.
Creates one larger logical volume across several available physical hard disk drives and stores the data in segments, called stripes, across all the disk drives in the array. This is often called disk striping without parity and is frequently used to combine smaller drive volumes into fewer, larger volumes to gain the advantages that larger volumes offer as well as increased I/O throughput.
Commonly called disk mirroring, RAID 1 uses two drives in which data is written to both drives simultaneously, providing a backup if the primary device fails.
Most commonly used in organizations that balance safety and redundancy against costs of acquiring and operating the systems. Segments of data are interleaved with parity data and are written across all the drives in the set.
Also referred to as RAID 1+0, this combines the benefits of RAID 0 and RAID 1. The data is striped like RAID 0, but the striped set is mirrored, as in RAID 1. This hybrid system is really a mirror of a striped set.
RAID IS NOT A REPLACEMENT FOR A BACKUP AND RECOVERY.
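The RAID cards above describe striping, mirroring and interleaved parity; the parity case is the one worth working through, because it shows both what a single parity drive buys you and why the last card is right. The following is an added example, not from the card set or any RAID implementation; the chunk size, drive count and parity rotation rule are assumptions for illustration, and the "drives" are Python lists of byte chunks.

```python
"""RAID 5 striping with rotating XOR parity: write, lose a drive, rebuild.

Added example, not from the card set or any RAID implementation. Chunk
size, drive count and the rotation rule are assumptions for illustration;
the "drives" are Python lists of byte chunks.
"""


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length chunks: the parity of a stripe is the XOR
    of its data chunks, and any one missing chunk is the XOR of all the rest."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_drives=4, chunk=8):
    """Stripe data across n_drives; each stripe holds n_drives-1 data chunks and
    one parity chunk, with the parity position rotating stripe by stripe."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    d = n_drives - 1
    padded = data + b"\x00" * (-len(data) % (chunk * d))
    drives = [[] for _ in range(n_drives)]
    for s, off in enumerate(range(0, len(padded), chunk * d)):
        pieces = [padded[off + i * chunk: off + (i + 1) * chunk] for i in range(d)]
        parity_at = s % n_drives
        it = iter(pieces)
        for drv in range(n_drives):
            drives[drv].append(xor_blocks(pieces) if drv == parity_at else next(it))
    return drives


def raid5_read(drives, n_bytes):
    """Reassemble data by skipping the parity chunk in each stripe."""
    n = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        for drv in range(n):
            if drv != s % n:
                out += drives[drv][s]
    return bytes(out[:n_bytes])


def can_rebuild(drives):
    """Single parity tolerates exactly one missing drive. A second loss is data
    loss, and a deleted or corrupted file is faithfully striped onto every
    drive, which is why RAID is not a substitute for backup."""
    return sum(d is None for d in drives) == 1


def rebuild(drives, failed):
    """Reconstruct the failed drive from the survivors, stripe by stripe."""
    if not can_rebuild(drives):
        raise RuntimeError("array is not recoverable from parity alone")
    survivors = [d for i, d in enumerate(drives) if i != failed]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [rebuilt if i == failed else d for i, d in enumerate(drives)]


def survive_and_recover(data, failed=2, n_drives=4, chunk=8):
    """Write, discard one drive entirely, rebuild, read back."""
    drives = raid5_write(data, n_drives, chunk)
    degraded = [None if i == failed else d for i, d in enumerate(drives)]
    return raid5_read(rebuild(degraded, failed), len(data))


if __name__ == "__main__":
    sample = bytes(range(100))  # constructed payload
    print("recovered intact:", survive_and_recover(sample) == sample)
    two_down = [None, None] + raid5_write(sample)[2:]
    print("two failures recoverable:", can_rebuild(two_down))
```

The rebuild step is the same XOR whether the lost chunk was data or parity, which is what lets the parity position rotate without a special case; the trade the card describes is one drive's worth of capacity for tolerance of exactly one failure.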
Contingency Planning (CP)
Is the process by which the information technology and information security teams position their organizations for, detect, react to, and recover from man-made or natural events that threaten the security of information resources and assets.
An investigator seeks to obtain a forensic image of the disk or device.
Collecting evidence from a currently running system.
Media that is used to collect digital evidence must be forensically sterile, meaning that it contains no residue from previous use.
UNIX or Linux systems support a tool called "wget" that allows a remote individual to "mirror" entire websites.
The Metasploit Framework is a collection of exploits coupled with an interface that allows you to customize exploitation of vulnerable systems.
A free, client-based network protocol analyzer. Allows the administrator to examine data from both live network traffic and captured traffic.
Tool that can be used to analyze firewalls. Written by Mike Schiffman (a noted author and network security expert) and David Goldsmith, Firewalk uses packets with incrementing TTL values to determine the path into a network as well as the default firewall policy.
Once the remote system has been subverted, many attackers use FTP, TFTP, and similar types of file transfer utilities to store the necessary attack tools in a data cache. Netcat is a full client/server environment that allows the transfer of data between netcat installations. (Pg371)
Uses ICMP to determine the remote OS. XProbe2 sends many different ICMP queries against the target host. (363)