343w midterm
Disk-to-Disk-to-Cloud
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor, with a ____ backup strategy.
Risk identification, risk assessment, risk control
Components of risk management:
Confidentiality
Confidentiality is roughly equivalent to privacy: only the right (authorized) people can see the information.
Availability
Data is accessible to those who are authorized to use it, when and where they need it (the sense in which the term is used in information security).
Identification of key pieces of hardware to recover
Effective contingency planning should contain all of the following except:
threat-agent
a specific and identifiable instance of a general threat; it exploits vulnerabilities in the controls set up to protect the asset
Business impact analysis (BIA)
an investigation and assessment of the impact that various attacks can have on the organization.
more vigor
Another way to say "fewer words" is:
Threat assessment
each threat is assessed regarding its potential to endanger the organization
Standards
have the same compliance requirements as policies but are more detailed statements of what must be done to comply with policy
Disaster recovery planning (DRP)
deals with the preparation for and recovery from a disaster, whether natural or man-made
control, safeguard, countermeasure
Terms for the mechanisms a defender uses to prevent attacks:
- Scope - Data-gathering process - Seek objectivity - Determine the needs of higher management - Validation
What major objectives should be considered when conducting the BIA?
An organization must first establish an entity that will be responsible for contingency policy and plans.
How to begin contingency planning (CP):
Signature matching
looks for attack patterns
network-based IDPS (NIDPS)
monitors traffic on a segment of an organization's network, looking for indications of ongoing or successful attacks while residing on a computer or appliance connected to that network segment
intrusion detection and prevention system (IDPS)
A network burglar alarm: it is placed in a network to determine whether the network is being used in ways that are out of compliance with the organization's policy.
incremental backup
only archives the files that have been modified since the last backup of any kind, and thus requires less space and time than a differential backup to create
risk management
process of identifying vulnerabilities in an organization's information systems and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of all the components of the organization's information system
Remote journaling (RJ)
recording live transactions at an offsite facility as they occur
bare metal recovery
technologies designed to replace operating systems and services when they fail
anomaly-based IDPS
compares current activity against statistical patterns (a baseline of normal behavior) and alerts on deviations from that baseline
differential backup
storage of all files that have changed or been added since the last full backup
Risk control
the process of applying controls to reduce the risks to an organization's data and information systems.
Risk identification
the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces
information security (InfoSec)
the protection of the confidentiality, integrity, and availability of information, whether in storage, during processing, or in transmission
possible, probable, and definite.
three broad categories of incident indicators
- presence of unfamiliar files - presence or execution of unknown programs or processes - unusual consumption of computing resources - unusual system crashes
There are four types of possible incident candidates:
Denial of service
A ____ attack seeks to prevent legitimate users access to services by either tying up a server's available resources or causing it to shut down.
Disaster recovery plan
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.
Business continuity plan
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.
Hypervisor
A ____ is a synonym for a virtualization application.
Network-Attached Storage
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.
Persistent
A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.
Business Impact Analysis
A _______ is an investigation and assessment of the impact that various events or incidents can have on the organization.
Moderate
A backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have ____ priority within an organization.
War Gaming
A favorite pastime of information security professionals is ______, which is a simulation of attack and defense activities using realistic networks and information systems, with the exercise of IR plans being an important element.
Business process
A task performed by an organization or organizational subunit in support of the organization's overall mission.
Red teaming
A typical CSIRT needs experience in all of the following except: system administration, red teaming, network administration, cryptography.
- Realistic chance of success - Threatens the confidentiality, integrity, or availability of information resources and assets - Directed against information assets owned or operated by the organization
A valid attack is classified as an information security incident when it has all of the following (choices: realistic chance of success; data exfiltration from the target network; threatens the confidentiality, integrity, or availability of information resources and assets; directed against information assets owned or operated by the organization).
Differential
A(n) ____ backup only archives the files that have been modified since the last full backup.
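The difference between the incremental and differential cards above (incremental: since the last backup of any kind; differential: since the last full backup) is easiest to see by simulating a week of backups and then a restore. The following is an added example and is not part of the course material; the file names, modification times, backup schedule and outage time are all constructed for illustration, and the recovery point objective (RPO) check at the end simply measures the gap between the last backup and the outage.

```python
"""Full, differential and incremental backups over a constructed week.

Added example (not from the course text). File names, modification times,
the backup schedule and the outage time below are all constructed.
"""
from datetime import datetime

# Constructed change history: (file name, time it was modified).
MODIFICATIONS = [
    ("payroll.db", datetime(2024, 1, 1, 9)),
    ("report.doc", datetime(2024, 1, 1, 9)),
    ("config.ini", datetime(2024, 1, 1, 9)),
    ("payroll.db", datetime(2024, 1, 2, 14)),  # changed Tuesday
    ("report.doc", datetime(2024, 1, 3, 11)),  # changed Wednesday
    ("payroll.db", datetime(2024, 1, 4, 16)),  # changed again Thursday
]

# Constructed schedule: one full backup Monday evening, then one backup per evening.
FULL_TIME = datetime(2024, 1, 1, 18)
DAILY_TIMES = [datetime(2024, 1, d, 18) for d in (2, 3, 4)]
OUTAGE = datetime(2024, 1, 5, 10)  # Friday-morning disk failure


def files_changed_since(since, until):
    """Names of files modified in the window (since, until]."""
    return sorted({f for f, t in MODIFICATIONS if since < t <= until})


def plan_backups(full_time, daily_times, mode):
    """Map each backup time to the files it archives.

    differential: every file changed since the last FULL backup
    incremental:  every file changed since the last backup of ANY kind
    """
    if mode not in ("differential", "incremental"):
        raise ValueError("mode must be 'differential' or 'incremental'")
    plan = {full_time: sorted({f for f, _ in MODIFICATIONS})}  # full = everything
    last = full_time
    for t in daily_times:
        reference = full_time if mode == "differential" else last
        plan[t] = files_changed_since(reference, t)
        last = t
    return plan


def total_archived(plan):
    """Total file copies written: the space/time cost of the strategy."""
    return sum(len(files) for files in plan.values())


def restore_chain(plan, mode, outage_time):
    """Backup sets to apply, in order, to rebuild the system as of the last
    backup taken before the outage."""
    times = sorted(t for t in plan if t <= outage_time)
    if mode == "differential":
        # full + only the latest differential (it already holds everything since the full)
        return times if len(times) == 1 else [times[0], times[-1]]
    return times  # incremental: full + every incremental since, in order


def data_loss_hours(plan, outage_time):
    """Hours of work between the last backup and the outage: the loss the
    recovery point objective (RPO) has to tolerate."""
    last = max(t for t in plan if t <= outage_time)
    return (outage_time - last).total_seconds() / 3600


def rpo_met(plan, outage_time, rpo_hours):
    """True when the backup schedule keeps data loss within the RPO."""
    return data_loss_hours(plan, outage_time) <= rpo_hours


if __name__ == "__main__":
    for mode in ("differential", "incremental"):
        plan = plan_backups(FULL_TIME, DAILY_TIMES, mode)
        print(mode, {t.strftime("%a"): f for t, f in plan.items()},
              "copies:", total_archived(plan),
              "restore sets:", len(restore_chain(plan, mode, OUTAGE)))
        print("  data loss hours:", data_loss_hours(plan, OUTAGE),
              "RPO 24h met:", rpo_met(plan, OUTAGE, 24))
```

Running it shows the trade-off the cards describe: the differential plan writes more copies (payroll.db is re-archived every day) but restores from just two sets, while the incremental plan writes the fewest copies but needs the full backup plus every incremental in order. Both leave the same 16-hour data-loss window because that depends only on the schedule, not on the backup type.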
Policy
A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.
Indication
A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.
Private cloud
A(n) ____ is an extension of an organization's intranet into cloud computing.
Threat
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.
Contingency Planning Management Team
A(n) _____ is the collection of individuals responsible for the overall planning and development of the contingency planning process, including the organization of subordinate teams and oversight of subordinate plans.
Incident Response Plan
A(n) ___________ is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
Vulnerability Assessment
According to NIST, ________ is an additional service that an IR team might offer.
Integrity
Accuracy and completeness of data: it has not been altered or written to by unauthorized parties.
After action review
At the end of every test, exercise, or assessment function, the group should assemble for a(n) ______.
assessing mission/business processes and recovery criticality, identifying resource requirements, and identifying recovery priorities
The BIA is conducted in three stages:
False
Because CSIRT opportunities are typically ancillary to the CSIRT member's day-to-day job, managers don't need to worry about burnout.
Retention
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.
Have Physical Access
If an intruder can ____ a device, then no electronic protection can deter the loss of information.
DNS cache poisoning
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.
Adverse Event
In an organization, unexpected events occur periodically; these are referred to as ___________.
Adverse event; incident
In contingency planning, a(n) _________ that threatens the security of the organization's information is called an _________.
CSIRT
In some organizations, the ______ may simply be a loose or informal association of IT and InfoSec staffers who are called up if an attack on the organization's information assets is detected.
Protect and Forget
In the ____ approach, the focus is on the defense of the data and the systems that house, use, and transmit it. (Choices: protect and forget, or apprehend and prosecute)
Passive Voice
In traditional grammar, a verb form (or voice) in which the grammatical subject receives the verb's action.
Active Voice
In traditional grammar, the verb form (or voice) in which the subject of the sentence performs or causes the action expressed by the verb. For example:
Integrity
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
RAID 2 (bit-level disk striping with Hamming-code parity)
uses Hamming error-correcting code to store stripes of data across different drives, so the array can reconstruct the data when one drive fails
False Positive
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
RAID 0 (disk striping)
Provides one large volume striped across multiple hard disks; there is no redundancy, so the failure of any one disk loses the whole volume
Maximum tolerable downtime
Represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations.
risk assessment
Risk assessment assigns a risk rating or score to each information asset
Risk = likelihood × asset value − percentage of risk mitigated by current controls + uncertainty of current knowledge
Risk assessment equation:
CSIRT
The CISO should select members from each community of interest to form the _______ that will execute the IR plan.
clear and formal commitment of senior executive management.
The CP process will fail without what critical element?
CIA Triangle
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.
Pen/Trap Statute
The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.
Trigger
The ____ is/are the circumstances that cause the IR team to be activated and the IR plan to be initiated.
Monitoring Port
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
Apprehend and Prosecute
The _____ approach focuses on the identification and apprehension of the intruder, with additional attention given to the collection and preservation of evidentiary materials that might support administrative or criminal prosecution. (Choices: protect and forget, or apprehend and prosecute)
IR Duty Officer
The ______ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.
Incident response planning (IRP)
The actions an organization can, and perhaps should, take while an incident is in progress
Recovery time objective
The period of time within which systems, applications, or functions must be recovered after an outage.
recovery point objective
The point in time to which lost systems and data can be recovered after an outage as determined by the business unit.
Trespass
The term ____ refers to a broad category of electronic and human activities in which an unauthorized individual gains access to the information an organization is trying to protect.
IR plan tests and CSIRT performance measures
The two ways to evaluate CSIRT effectiveness are:
Snort
The use of IDPS sensors and analysis systems can be quite complex. One very common application is an open source software program called ____, which runs on a UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
- use of dormant accounts - changes to logs - presence of hacker tools - notifications by partner or peer - notification by hacker.
There are five types of definite incident candidates:
- activities at unexpected times - presence of unexpected new accounts - reported attacks - notification from IDPS.
There are four types of probable incident candidates:
Protect and Forget; Apprehend and Prosecute
There are multiple philosophies for incident response. On either end of the spectrum are:
- Obtaining commitment and support from senior management - Managing and conducting the overall CP process - Writing the master CP document - Conducting the business impact analysis (BIA), which includes
What are the primary responsibilities of the contingency planning management team (CPMT)?
RAID 1 (disk mirroring)
Uses twin drives; every write is copied to each drive, so one drive can fail without data loss
- Business managers: familiar with the organization's operations - Information technology managers: familiar with the systems - Information security managers: oversee security planning
What are the three communities of interest, and why are they important to CP?
Incident response, disaster recovery, business continuity, crisis management
What four teams may be subordinate to the CPMT in a typical organization?
insurance
What is the number one budgetary expense for disaster recovery?
An organization should keep three levels of computer systems available (e.g., primary, backup, and a further fallback).
What is the rule of three?
Clipping level
When the measured activity is outside the previously-known-good parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).
Hypervisor
When using virtualization, it is commonplace to use the term ____ to refer to the system that provides a virtualized environment in or on a host platform.
Penetration testing
Which of the following is not part of IR plan testing? Parallel testing, walk-throughs, penetration testing, desk checking.
Employee schedule
Which of the following is not part of the BIA? Production schedules, financial reports, IT application logs, employee schedule.
Defense
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.
Honey Pots
____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation.
Data Archives
____ are used for recovery from disasters that threaten on-site backups.
Mitigation
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
RAID
____ uses a number of hard drives to store information across multiple drive units.
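The RAID cards above (RAID 0 striping, RAID 1 mirroring, RAID 2 Hamming-code striping) describe three very different answers to a single failed drive. The block below is an added example, not from the course text: it models each drive as a Python list (a failed drive is None), stripes bytes across a RAID 0 set, mirrors them for RAID 1, and for RAID 2 encodes each nibble with Hamming(7,4) and spreads the seven code bits over seven drives, so that one dead drive can be reconstructed from the parity bits. The data string and the drive counts are constructed for illustration.

```python
"""RAID 0, RAID 1 and RAID 2 behaviour on simulated drives.

Added example (not from the course text). Drives are Python lists; a failed
drive is represented by None. The sample data is constructed.
"""

SAMPLE = b"payroll records"  # constructed payload


# ---- RAID 0: byte-level striping, no redundancy -------------------------
def raid0_write(data, ndisks):
    """Distribute bytes round-robin across ndisks."""
    disks = [bytearray() for _ in range(ndisks)]
    for i, b in enumerate(data):
        disks[i % ndisks].append(b)
    return disks


def raid0_read(disks):
    """Reassemble the stripes; any failed drive makes the volume unreadable."""
    if any(d is None for d in disks):
        return None
    out = bytearray()
    for i in range(max(len(d) for d in disks)):
        for d in disks:
            if i < len(d):
                out.append(d[i])
    return bytes(out)


# ---- RAID 1: mirroring --------------------------------------------------
def raid1_write(data, ndisks=2):
    """Every drive holds a complete copy."""
    return [bytearray(data) for _ in range(ndisks)]


def raid1_read(disks):
    """Any surviving drive can serve the whole volume."""
    for d in disks:
        if d is not None:
            return bytes(d)
    return None


# ---- RAID 2: bit-level striping with Hamming(7,4) ECC -------------------
def hamming74_encode(nibble):
    """4 data bits -> 7 code bits in the order [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p3 = d2 ^ d3 ^ d4
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(bits):
    """Correct at most one wrong bit (the syndrome names its position) and
    return the 4-bit data value."""
    b = list(bits)
    s1 = b[0] ^ b[2] ^ b[4] ^ b[6]
    s2 = b[1] ^ b[2] ^ b[5] ^ b[6]
    s3 = b[3] ^ b[4] ^ b[5] ^ b[6]
    pos = s1 | (s2 << 1) | (s3 << 2)  # 1-based position of the bad bit, 0 = none
    if pos:
        b[pos - 1] ^= 1
    return (b[2] << 3) | (b[4] << 2) | (b[5] << 1) | b[6]


def raid2_write(data):
    """Each nibble becomes a 7-bit codeword; drive k stores bit k of every word."""
    disks = [[] for _ in range(7)]
    for byte in data:
        for nibble in (byte >> 4, byte & 0xF):
            for k, bit in enumerate(hamming74_encode(nibble)):
                disks[k].append(bit)
    return disks


def raid2_read(disks):
    """Rebuild the data; a single failed drive is treated as all-zero bits and
    repaired word by word by the ECC. Two failed drives exceed Hamming(7,4)."""
    if sum(d is None for d in disks) > 1:
        return None
    length = next(len(d) for d in disks if d is not None)
    nibbles = [hamming74_decode([0 if d is None else d[i] for d in disks])
               for i in range(length)]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))


if __name__ == "__main__":
    r0 = raid0_write(SAMPLE, 3); r0[1] = None
    r1 = raid1_write(SAMPLE);    r1[0] = None
    r2 = raid2_write(SAMPLE);    r2[3] = None
    print("RAID 0 after one failure:", raid0_read(r0))
    print("RAID 1 after one failure:", raid1_read(r1))
    print("RAID 2 after one failure:", raid2_read(r2))
```

The storage cost is visible in the structures themselves: RAID 0 uses all of the raw capacity, RAID 1 halves it, and RAID 2 spends 3 of every 7 bits on parity. Real RAID 2 hardware is essentially obsolete (modern controllers use block-level parity), but the Hamming-code reconstruction is exactly what the card means by "parity".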
Incident Response
_______ is a set of procedures that commence when an incident is detected.
CSIRT
_________ is a set of people, policies, procedures, technologies, and information necessary to detect, react to, and recover from an incident that could potentially result in unwanted modification, damage, destruction, or disclosure of the organization's information.
vulnerability
a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system's security policy
issue-specific security policy (ISSP)
addresses specific areas of technology and contains a statement on the organization's position on a specific issue
enterprise information security policy (EISP)
based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts
intrusion detection systems (IDSs)
burglar alarm for the network: detects violations of policy and raises an alert, but does not itself block them
Business continuity planning (BCP)
document that describes how, in the event of a disaster, critical business functions will continue at an alternate location while the organization recovers its ability to function at the primary site—as supported by the DR plan.
signature-based IDPS
examines data traffic in search of patterns that match known signatures
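The signature-based card here, the signature-matching and anomaly-based cards earlier, and the clipping-level card all describe the same two detection strategies; the block below runs both over the same constructed log and shows what each one misses. It is an added example, not code from the course or from any IDPS product: the access-log lines, the three regex signatures, the per-client baseline counts and the clipping level (a z-score of 3) are all constructed for illustration.

```python
"""Signature matching versus anomaly detection over constructed log lines.

Added example (not from the course text). The log lines, the signatures,
the historical baseline and the clipping level are all constructed.
"""
import re
import statistics

# Constructed web-server access log: "client method path status".
# Lines 5 and 6 carry known attack patterns; lines 7 onward are a burst of
# requests from one client (a scanner) that match no known signature.
LOG_LINES = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.7 GET /about.html 200",
    "10.0.0.5 GET /products 200",
    "10.0.0.9 POST /login 200",
    "10.0.0.5 GET /contact 200",
    "10.0.0.7 GET /../../etc/passwd 403",
    "10.0.0.9 GET /search?q=' or 1=1-- 200",
] + [f"10.0.0.11 GET /page{i} 404" for i in range(12)]

# Historical requests per client per interval (constructed): the "known good"
# behaviour the anomaly detector compares against.
BASELINE_COUNTS = [3, 4, 5, 4, 3, 5, 4, 4]

# Signature-based detection: known attack patterns as (name, regex).
SIGNATURES = [
    ("directory traversal", re.compile(r"\.\./")),
    ("sql injection probe", re.compile(r"(?i)(union\s+select|'\s*or\s+1=1)")),
    ("cmd.exe request", re.compile(r"(?i)cmd\.exe")),
]


def signature_matches(lines):
    """[(line index, signature name)] for every line matching a known pattern.
    Only attacks that already have a signature are found."""
    hits = []
    for i, line in enumerate(lines):
        for name, rx in SIGNATURES:
            if rx.search(line):
                hits.append((i, name))
    return hits


def requests_per_client(lines):
    """Count requests by source address (first field of each line)."""
    counts = {}
    for line in lines:
        client = line.split()[0]
        counts[client] = counts.get(client, 0) + 1
    return counts


def anomaly_alerts(lines, baseline_counts, z_clip=3.0):
    """Behaviour-based detection: z-score each client's request count against
    the baseline mean and standard deviation. A client above the clipping
    level z_clip triggers an alert as (client, count, z)."""
    mean = statistics.mean(baseline_counts)
    stdev = statistics.pstdev(baseline_counts) or 1.0  # avoid divide-by-zero
    alerts = []
    for client, n in requests_per_client(lines).items():
        z = (n - mean) / stdev
        if z > z_clip:
            alerts.append((client, n, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_matches(LOG_LINES))
    print("anomaly alerts (clip 3.0):", anomaly_alerts(LOG_LINES, BASELINE_COUNTS))
    print("anomaly alerts (clip 20.0):", anomaly_alerts(LOG_LINES, BASELINE_COUNTS, 20.0))
```

The two detectors disagree in exactly the way the cards predict: the signature pass flags the traversal and SQL-injection lines but is blind to the scanner, while the anomaly pass flags the scanner (12 requests against a baseline of about 4) but says nothing about the two single-request attacks. Raising the clipping level to 20 silences the anomaly alert entirely, which is the false-negative side of the tuning trade-off; lowering it too far would start alerting on ordinary clients.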
systems-specific security policies (SysSPs)
frequently codified as standards and procedures to be used when configuring or maintaining systems.
Disaster recovery plan, business continuity plan
Two components of business resumption planning (BRP):
Data backup
typically a snapshot of the data from a specific point in time