CH12 Disaster and Incidents 1.4 1.5 5.4-5.6
incident response plan (5 items) IRP
1 Guidelines for documenting incident type and category 2 Resources to deal with the incident 3 Defined roles 4 Reporting requirements and escalation procedures. After-action questions: Was the evidence gathered and the chain of custody maintained? Did the escalation procedures follow the correct path? Given the results of the investigation, would you be able to find and prosecute the culprit? What was done that should not have been done? What could have been done better?
incident response process (6 steps)
1 Preparation 2 Identification 3 Containment 4 Eradication 5 Recovery 6 Lessons learned
full backup
A backup that copies all data to the archive medium. Complete, comprehensive backup of all files on a disk or server. Current only at the time it's performed; system should not be in use; time consuming.
hot site
A location that can provide operations WITHIN HOURS of a failure. Recovery site: FAST, BEST; active backup model.
cold site
A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately. Recovery site: slow to bring up.
warm site
A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site. Recovery site: in between hot and cold; medium pace; more planning and testing; LIMITED CAPABILITIES; active/active model; reciprocal site.
capture system image
A snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. SAMPLE
incremental backup
A type of backup that includes only new files or files that have changed since the last full/incremental backup and then CLEARS the archive bit upon completion. ONLY CHANGED INFO; usually small tapes; FASTEST BACKUP; archive BIT ON during backup, then turned off.
tabletop exercise
An exercise that involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them. DISCUSS
Grandfather, Father, Son method
BACKUP method that assumes the most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father, in turn, becomes the grandfather.
3 types of Testing
Black box - in the dark; white box - see clearly; gray box - fuzzy
BIA
Business Impact Analysis: evaluating the processes and their impact on the business
BCP
Business Continuity Planning: planning for the processes, policies, and methods that an organization follows to minimize the impact of a system failure, network failure, or the failure of any key component needed for operation; ensure that the business continues and that the show does indeed go on. *exercises/tabletop, after-action reports, failover, alternate processing sites, alternate business practices ***BIA and Risk assessment
CSIRT
Computer Security Incident Response Team: formalized or an ad hoc team. You can toss a team together to respond to an incident after it arises, but investing time in the development process can make an incident more manageable. Considers incidents in advance to deal with later high-stress situations; gathers evidence.
After-action reports
DEBRIEF after a disaster: sharing by team members of the steps taken, along with an open discussion of what worked and what should be changed in future crises
archive bit
During a full backup, every single file on the system is copied over, and the ____________________ on each file is turned off. Essentially a flag associated with every file that is turned on when the file is created or accessed.
HSM
Hierarchical storage management: newer backup type; continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup. REALTIME/CONTINUOUS. In crypto, HSM means hardware security module.
vulnerability scanning
Identifying specific vulnerabilities in your network. Part of a penetration test or done alongside one; start here. *identify likely targets of an attack *identify common misconfigurations (Nessus) ********identify a lack of security controls. Passively tests these. WORST VULNERABILITY / BCP. Credentialed vs non-credentialed. Attempt to exploit vuln.
capture snapshot/screenshot
Image of a virtual machine at a moment in time. Capture all relevant screenshots for later analysis. One image can often convey the same information that it would take hundreds of log entries to equal.
Full Archival method
In short, all full backups, all incremental backups, and any other backups are permanently kept somewhere. Effectively eliminates the potential for loss of data. Stored forever.
forensics
In terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.
IPS
Intrusion prevention system: any set of tools that identify and then actively respond to attacks based on defined rules. RESPONDS. Like an IDS (which is the passive counterpart), can be network-based or host-based.
record time offset
It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Ex: 10:04 vs actual 9:04; daylight savings.
OOV
Order of volatility: use when dealing with multiple issues; always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone (POOF-ABLE). Ex: RAM, hard drive data, CDs/DVDs, and printouts.
intrusive tests
Penetration-type testing that involves trying to break into the network. ACTIVE
nonintrusive tests
Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network. PASSIVE
onsite storage
Storing backup data at the same site as the servers on which the original data resides.
offsite storage
Storing data off the premises, usually in a secure location. The storage facility should be bonded, insured, and inspected on a regular basis to ensure that all storage procedures are being followed.
disaster recovery
The act of recovering data following a disaster in which it has been destroyed. Disasters may include system failure, network failure, infrastructure failure, and natural disaster.
working copy backup
The copy of the data CURRENTLY IN USE on a network. Shadow copies.
failover
The process of reconstructing a system or switching over to other systems when a failure is detected.
legal hold
The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated. Preserve info when expecting legal action.
white box
The tester has significant knowledge of the system.
gray box
This is a middle ground between the first two types of testing; the tester has some limited knowledge of the target system.
pivot
When it is possible to attack a system using another, compromised system (trusted but infected). Island hopping: a compromised system is used to attack another system on the same network following the initial exploitation.
escalation of privilege
A hole created when code is executed with higher privileges than those of the user running it. By breaking out of the executing code, users are left with higher privileges than they should have.
reciprocal agreement
Agreement between two companies to provide services in the event of an emergency.
general purpose storage safes
Aren't usually suitable for storing electronic media; the fire ratings are inadequate. Use onsite storage containers instead: not fireproof, but fire rated.
Backout vs backup
Backout is a reversion from a change that had negative consequences; instead of backing up the changes, revert the system to the state it was in before the service pack was applied.
data acquisition
Collecting data on a legal basis: legal hold, chain of custody.
take hashes
Collection of data for forensics: collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS).
chain of custody
Covers how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.
CBFs
Critical business functions: processes or systems that must be made operational immediately when an outage occurs. The business can't function without them; they are information-intensive and require access to both technology and data.
active reconnaissance
Directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.
DRP
Disaster recovery plan: a plan outlining the procedure by which data is recovered after a disaster. ********reestablishing services and minimizing losses. **CONTINGENCY PLAN. A major component involves the access and storage of information; your backup plan for data is an integral part of this process. **follow an ORDER OF RESTORATION
Tabletop exercises
Exercise types: document review, walkthrough, parallel test, cutover test (shuts down main systems and has everything fail over to backup).
noncredentialed vuln scanning
Doesn't use actual network credentials to connect to systems and scan; prepare for false positives.
restore/recover from a backup
Due to: accidental deletion, application errors, natural disasters, physical attacks, server failure, virus infection, workstation failure. Restore from: working copies, onsite storage, offsite storage. *Security+ exam still considers TAPE the ideal medium for data; wipeable.
backup server method
Establishes a server with large amounts of disk space whose sole purpose is to back up data. A dedicated server can examine and copy all the files that have been altered every day.
exercise
Fire drill for incident response plans. Include the members of the team, and walk through mock incidents on a regular basis to identify weaknesses in your response and solutions for them.
Forensics (8)
For incident response: 1 Act in OOV 2 Capture system image 3 Document network traffic and logs 4 Capture video 5 Capture screenshots 6 Talk to witnesses 7 Track man hours/expenses 8 After-action reports
intrusion
The act of entering a system without authorization to do so.
black box
The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker.
incident response policy
Incident response procedures define how an organization should respond to an incident. These policies may involve third parties, and they need to be comprehensive. **outside agencies or response teams **procedure plan **evidence gathering procedures. NO CONTINGENCY PLAN. An incident is ANY ATTEMPT to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. **who needs to be informed in the company, what they need to be told, and how to respond to the situation.
IDS
Intrusion detection system: any set of tools that can identify an attack using defined rules or logic. An IDS can be network-based or host-based.
Recovery
Know the order in which to proceed. If a server is completely destroyed and must be re-created, ascertain which applications are the most important and should be restored before the others. Disaster planning.
data sovereignty
The laws of the country in which data is STORED are the ones that APPLY.
passive reconnaissance
Means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering.
alternate business practices
Minimum one per critical business task, planned out; should be documented in such a way that someone unfamiliar with them could perform them with minimal training.
NSRL
National Software Reference Library
alternative sites
Recovery sites or backup sites. Alternate site: lease or purchase a facility that is available on short notice for the purpose of restoring network or systems operations. Cold, hot, warm. One of the most important aspects of using ___________ ________________ is documentation.
credentialed vuln scanning
Scan uses actual network credentials to connect to systems and scan for vulnerabilities. Benefits: not disrupting operations or consuming too many resources; definitive list of missing patches; client-side software vulnerabilities are uncovered; several other "vulnerabilities": Nessus can read password policies, obtain a list of USB devices, check antivirus software configurations, and even enumerate Bluetooth devices attached to scanned hosts. Prepare for false positives.
order of restoration
Should always be followed after a disaster to ensure that dependent services are not restored before the ones they depend on. It is highly recommended that network maps or diagrams be used to illustrate dependencies. DEPENDENCIES, DON'T OVERWRITE.
differential backup
Type of backup that includes **only new files or files that have changed since the last FULL backup. It makes duplicate copies of files that haven't changed since the last differential backup. _____________ backups differ from incremental backups in that they DON'T CLEAR the archive bit upon their completion. Becomes almost as large as a full backup; fast at first and becomes slow.
penetration testing
Use the same techniques that a hacker would use to find any flaws in a system's security. Active/passive recon. Need: scope and permission for testing.
Risk assessment
Evaluating the risk or likelihood of a loss; risk calculations.
persistence
When the compromise is introduced at a different time than the attack. Ex: an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network.
shadow copies
working copies