The following represent what?
- Administrative
- Criminal
- Civil
- Regulatory - Gov Agency Investigation
- Industry Standards - Electronic Discovery
Investigation types
What do the following requirements describe with regard to forensic techniques / evidence?
- must be relevant to determining a fact
- the fact must be material (relevant) to the case
- must be competent (must have been obtained legally)
Admissible evidence
What are the three types of evidence that can be used in a court of law?
- Real Evidence - Physical items that are brought into court and can be seen/examined
- Documentary Evidence - Written items brought into court to prove a fact about the case
  - Best Evidence Rule
  - Parol Evidence Rule
- Testimonial Evidence - Testimony of a witness
  - Direct
  - Expert
  - Hearsay
Documents the evidence life cycle from discovery and collection through analysis and storage to reporting and presentation.
Chain of Evidence
a. general description
b. time and date
c. exact location
d. name of the person collecting evidence
e. relevant circumstances surrounding collection
What do the following steps represent with regard to Investigations?
- Call in Law Enforcement
- Gather evidence
- Conduct Investigation
- Interview Individuals
- Report on and document Investigation
Investigative Process
TRUE / FALSE
IDS = PASSIVE IPS = ACTIVE
TRUE
An IPS has the ability to take action, such as reconfiguring a firewall to block a threat. An IDS can only send alerts, which doesn't qualify as taking action.
Ensures no single person has total control
Separation of duties
Applies concept of least privilege to applications and processes
Separation of privileges
Separation of duties + least privilege
Designated to guard against excessive system access to prevent conflicts of interest
Segregation of Duties
Activity requires the approval of two people to be carried out
Two Person Control (Rule)
Separation of Duties + Two Person Rule
Split-Knowledge
Move people through various jobs / tasks to spread knowledge & responsibility
a. mandatory vacations
Job Rotation
Mandatory vacations are classified as a form of job rotation.
What do the following represent?
a. Create or Capture
b. Classification
c. Storage
d. usage
e. archive
f. Destruction or purging
Information Lifecycle Phases
Document describing the level of service expected by a customer
SLA - Service Level Agreement
OLA - Internal-facing SLAs (example: between IT and Sales)
Examples:
MOU - Memorandum of Understanding
ISA - Interconnection Security Agreement
What do the following steps represent?
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned
Incident Response Process
Mantra of the CSIRT (Computer Incident Response Team) is what?
Isolation is good. Powering off is bad.
Smurf vs Fraggle Attacks
Which uses ICMP and Which uses UDP?
SMURF = ICMP
FRAGGLE = UDP
Firewalls:
Stateful = _______ Stateless = _______
Stateful = Dynamic (Looks at packets as they come through and keeps record of them so it can get the bigger picture)
Stateless = Static
What do these steps represent in regards to patching?
- Evaluate
- Test
- Approve
- Deploy
- Verify deployment
Patch Management Process Flow
Helps reduce unanticipated outcomes due to unauthorized activity
Change Management
Evaluation of proposed changes to identify potential security issues PRIOR to implementation
Security Impact Analysis
What does the following process represent?
- Request for Change (RFC)
- Review of the change by the Change Advisory Board (CAB)
- Approval / Rejection of Change
- Test Approved Change(s)
- Schedule and Release (Implement | Deploy)
- Document the change
Change Management Process
Match the Term to the correct definition:
Mirror Backup
Full Backup
Incremental Backup
Differential Backup
_______: Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.
_______: Creates a mirror copy of the source data. When a source file is deleted, it is also deleted from the mirror backup automatically.
_______: Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off.
_______: Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up, but the archive bit IS NOT reset once files are backed up.
FULL : Captures your entire system and all the data you want to protect. If done frequently, these result in easier recovery operations.
MIRROR : Creates a mirror copy of the source data. When a source file is deleted, it is also deleted from the mirror backup automatically.
Incremental : Captures only the changes made since the last FULL or incremental backup. Saves both time and storage space. Files with their archive bit set to 1 (enabled) are backed up. Once complete, the archive bit on ALL files is reset and turned off.
Differential : Captures only the changes made since the last FULL backup, not since the last differential backup. All files with their archive bit enabled are backed up, but the archive bit IS NOT reset once files are backed up.
Employed for applications that cannot accept any downtime without negatively impacting the organization.
Redundant Center
!!! NO TIME SPENT OFFLINE !!!
Advantages:
- Little or no downtime
- Ease of maintenance
- No recovery required
Disadvantages:
- Most expensive
- Requires redundant hardware
- Distance limitations
Standby ready with ALL the technology and equipment necessary to run the applications positioned there.
Quickest Recovery
Most Expensive
Operational within hours
Hot Site
No more than 1 business day offline
A Facility that is PARTIALLY configured with some data center support infrastructure, such as HVAC, computers, etc.
Warm Site
a few days offline
A shell or EMPTY data center space with no technology on the floor.
Cold Site
weeks to months offline
Database backups are moved to a remote site using a bulk transfer capability.
Electronic Vaulting
Quicker version of electronic vaulting using bulk transfers of data, but more frequently
Remote Journaling
The ability of a system to suffer a fault but continue to operate
Fault Tolerance
Not powered up but is a duplicate of the primary component that can be inserted into a system if needed
Cold Spare
Already inserted in the system but does not receive power unless it is required. These components need to be configured.
Warm Spare
Inserted into the system and powered on. These components are ready to go
Hot Spare
Includes two or more servers, allowing a failure of one to be “taken on” by the surviving members of the cluster via a failover process.
Failover Cluster
Spike / Surge / Transients / Brownout / Sag
- a quick instance of an increase in voltage
- a quick instance of a decrease in voltage
- an increase in power that is prolonged
- a decrease in power that is prolonged
- noise on the power lines
Spike - a quick instance of an increase in voltage
Sag - a quick instance of a decrease in voltage
Surge - an increase in power that is prolonged
Brownout - a decrease in power that is prolonged
Transients - noise on the power lines
What level of RAID is defined below:
Writes files in stripes across multiple disks without the use of parity information. NOT FAULT TOLERANT
RAID 0
What level of RAID is defined below:
Duplicates all disk writes from one disk to another to create two identical drives.
Very costly from a drive space perspective since half of the available disk is given to mirroring.
RAID 1
What level of RAID is defined below:
Requires three or more drives to implement. Striping of data as in RAID 0, with redundancy in the form of a dedicated parity drive.
RAID 3
What level of RAID is defined below:
Also requires three or more drives to implement. The big difference is how parity information is stored.
Rather than using a dedicated parity drive, data and parity information are striped together across all drives.
This level is the most popular and can tolerate the loss of any one drive, since the parity information on the other drives can be used to reconstruct the lost one.
RAID 5
What level of RAID is defined below:
Configured as two or more mirrors in a stripe.
Also known as RAID 10
RAID 1+0
Bringing operations back to a working state
Recovery
Bringing a facility back to a working state
Restoration