Disaster Recovery

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

What are the key features of the DR plan?

- Clear delegation of roles and responsibilities - Execution of alert roster and notification of key personnel - Use of employee check0in systems - Clear establishment and communication of business resumption priorities - Complete and timely documentation of the disaster -Preparations for alternative implementations

What are the primary objectives of the resumption phase of the DR plan?

- Initiate implementation of secondary functions -Finalize implementation of primary functions -Identify additional needed resources -Continue planning for restoration

List and describe the phases of the BC plan

- Prep for BC actions -Relocation to alternative site -Return to primary site

What are the primary objectives of the response phase of the DR plan?

- Protect human life -Attempts to limit and contain the damage to the organization's facilities and equipment -Manage communication with employees and other stakeholders.

List the subteams that support the BC team

-Management team -Operations -Computer (hardware) setup -Systems recovery (OS) -Network Recovery _App recovery -Data management -Logistics

List and describe the component parts of the BC policy document.

-Purpose -Scope -Resource requirements -Training requirements -Exercise and testing schedules -Plan maintenance schedule'-Special considerations

What are the primary objectives of the recovery phase of the DR plan?

-Recover critical business functions -Coordinate recovery efforts -Acquire resources to replace damaged or destroyed materials and equipment -Evaluate the need to implement the BC plan

What are the critical steps in the BC implementation process?

-Relocation to alternative site -establishment of operations -return to primary site

What are the primary objectives of the restoration phase of the DR plan?

-Repair all damage to primary location or select or build replacement facility -Replace the damaged or destroyed contents -Coordinate the relocation from temp offices to primary location or to a suitable new replacement facility -Restore normal operations at the primary location, beginning with critical functions and then secondary - Stand down the DR teams and conduct the after-action review

What parts of the organization should the BC team draw on for its members?

-Senior management -Corporate functional units -IT managers -Information security managers

What factors determine which digital evidence should be collected and in what order?

-Value -Volatility-Stability of info over time E-ffort required

What two hash functions are commonly used as digital fingerprints?

.MD-5 and SHA

What are the major activities planned to occur before the disaster?

.test, train, exercises.

What are the primary goals of business resumption planning?

1) eliminate or reduce the potential for injuries or loss of human life, damage to facilities, and loss of assets and records, 2) stabilize the effects of the disaster; and 3) implement the procedures contained in the DR and business resumption plan

List the general CM recommended practices.

1. Build contingency plans, identify teams, train staff, and rehearse scenarios before a crisis occurs 2. Verify that all staff know that only designated crisis management team members may represent the company 3. Plan to react as fast as possible because the first few hours established the baseline narrative that the media will use for most ongoing reporting 4. Make sure your plans and processes are of the highest quality by employing expert reviews and professional crisis management consultants 5. Make it part of culture to always give the most complete and accurate information possible in a given situation 6. Consider long-term effects as well as the short-term losses that may occur

What are the advantages of combining the DR and BC plans? What are the disadvantages?

A - saves efforts and cost D - They require different teams

Concurrent recurrence

A second attack using the means of the first attack occurs while the first attack is still underway

What is a business crisis?

A significant disruption that stimulates media coverage and has political, legal, financial, or governmental impacts.

What is a worst-case scenario?

A situation that results in service disruptions for weeks or months, requiring a government to declare a state of emergency.

What is watchful waiting and why is it useful?

A tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected.

What are the major activities planned to occur after the disaster?

AAR, forensics.

What is crisis management?

Actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.

What is emergency response?

Actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.

What is humanitarian assistance?

Actions taken to meet the psychological and emotional needs of various stakeholders

WHY ARE THE DR ACTIVITY GROUPS PRESENTED OUT OF SEQUENCE (DURING, AFTER, BEFORE) instead of chronological

Activities during a disaster are most urgently needed in the event of plan activation, it is the important to determine what to do immediately following a disaster, and least important to plan before a disaster.

What is an auxiliary phone alert and reporting system, and what functions can it perform for an organization during DR planning?

An IS with a telephony interface that can be used to automate the alert process. It can distribute info about the disaster and collect info about status of employees. Faster than manual alert system.

What is an assembly area? When and how is it used in CM?

An area where people should gather in the event of a specific type of emergency and facilitate a head count.

What is anti-forensics?

Anti-forensics is an attempts made by suspects to hide evidence

Second Task of CSIRT leader

Assert control over situation

What are the common roles and duties of a digital forensic first-response team?

Assessing the scene, identifying the sources of relevant digital information and preserving it for later analysis -Incident manager -scribe -imager

First task of CSIRT leader upon arrival?

Assessment of the situation

Why do some organizations abdicate all responsibility for DR planning to the IT department?

Because they are keenly interested in keeping IT available during and after disasters

What is a hybrid incident?

Begin as one type of event and turns into another

What is the CM planning committee, and how does it differ from the CM team?

CM planning - Representatives offer advice and guidance CM Team - Trained individuals responsible for responding to incident

Why might an organization forego trying to identify the attacking host during an incident response?

Can take time away from minimizing impact

What are the 3 general sections of planning for DR activities?

Client/server, data communications, mainframe

First imperative of the CSIRT when there is a confirmed incident

Containment

According to NIST SP 800-34, what 2 perspectives should be used to plan a system recovery strategy?

Contingency planning from DR and BC

What is the first and most important step in preparing for DoS and DDoS attack responses?

Coordinating with service provider

What guides an organization in setting up a forensic capability?

Cost, response time, data sensitivity

When dealing with the loss of staff, what strategies can be employed?

Cross-training, job and task rotation, and redundancy

Why is cryptography a good thing for IT workers but a bad thing for forensic investigators?

Cryptography keeps assets secure for IT and makes evidence harder to uncover for forensics.

What is the difference between disaster recovery and business continuity?

DR - normal functions at primary site BC - normal functions alternative site

If an organization chooses the protect and forget instead of apprehend and prosecute philosophy, what aspect of IR will be most affected?

Data collection tasks

What are some examples of special documentation or equipment that may be needed for DR team members?

Data recovery software, blueprints, keys, water lines, insurance contacts

What does it mean when operations are in degraded mode? Should organizations prepare to operate in this mode?

Degraded mode is when operations are under adverse conditions. Organizations should prepare for this in order to learn how to adapt to these situations.

What are the ongoing challenges associated with local emergency services, service providers, and community-related issues that organizations face when confronted with a disaster?

Delay under triage of requirements so that most critical get answered first. Public services such as transportation and garbage collection will be delayed. Utilities will be disrupted.

What types of info are missed by a normal copying process but included in a forensic image?

Deleted entries in a directory, remnants of old files, deleted but no yet overwritten files, free space which might contain other files or fragments.

What federal agencies may be involved during a crisis?

Department of Homeland Security, the Federal Emergency Management Agency, the Secret Service, the Federal Bureau of Investigation, and the federal hazardous material agencies

What is malware?

Designed to damage, destroy, or deny service to the targeted system

What are the steps that are generally followed in the DR development process

Develop DR planning policy statement, review BIA, identify preventive controls, create DR contingency strategies, develop the DR plan, ensure DR plan testing, training, and exercises, and ensure DR plan maintenance.

What are EAPs? How are they used in CM?

Employee assistance program - can provide a variety of counseling services to assist employees in coping with surviving a crisis, PTSD

Phase after containment during IR

Eradication

How do organizations often divvy up the practice of digital forensics?

First response, analysis and presentation

What are the four steps in collecting digital evidence?

Identify sources of evidentiary material, authenticate the evidentiary material, collect the evidentiary material, and maintain a documented chain of custody.

What are the major activities planned to occur during the disaster?

Identify trigger, escalate. Identify what must be done to react.

What are the advantages of including an AAR process in the BC plan?

Improvements

In what main way does search and seizure differ in the public and private sectors?

In private sector it is more common to authorize the collection of images of digital info, in public searches authorize the collection of relevant items containing the information.

Phase after eradication in IR

Incident Recovery

What is an advance party?

Includes members or representatives of each major BC team

Why must the alert roster and the notification procedures that use it be tested more frequently than other components of the DR plan?

It is subject to continual change because of employee turnover.

What are the critical success factors for CM planning?

Leadership, speed of response, a robust plan, adequate resources, funding, caring and compassionate response, and excellent communications.

Why is delayed containment not recommended for most CSIRTs?

Liability issues

What should be the first step in the business continuity planning process? Which NIST document is used to inform this process?

Make policy. SP 800-34

What is the purpose of sterile media?

Making sure that the media contains no residue from previous use in order to prevent claims of tainting the evidence

What are some reasons a safeguard or control may not have been successful in stopping or limiting an incident?

Malfunctioning secuirty device

How can you classify disasters based on the way they emerge and become an issue for an organization?

Natural disasters, man-made, rapid-onset, slow-onset

Is it practical to prepare for all possible contingencies? How can this best be handled?

No, general training programs, specific training programs off site.

What procedures should occur on a regular basis to maintain the IR plan?

Plan review and maintenance

Best thing to make CSIRT most effective

Preparation

Describe the phases in a DR plan

Preparation - Planning and rehearsal Response - Identification of disaster, notifications, and immediate response Recovery - Recovery of necessary business information and systems Resumption - The restoration of critical business functions Restoration - The reestablishment of operations are the primary site as it was before the disaster

What is job rotation? Why is it a useful practice from a DR plan perspective?

Prepares staff for personnel shortages or outages.

What is a DoS attack and how does it differ from a DDoS attack?

Prevents legitimate users from accessing network by consuming resources, DDoS comes form multiple sources.

What key elements should be included in the DR policy?

Purpose, scope, roles & responsibilities resource requirements, training requirements, exercise and testing schedules, plan maintenance schedule, special considerations.

What are RTO and RPO?

RTO- amount of time business can tolerate until the alternate capabilities are available RPO - Point in the past to which the recovered application and data at the alternative infrastructure will be restored

What should be the primary focus of the training that is provided to the network recovery team?

Reestablishing ad hoc networks quickly but securely.

Primary determinant of which containment and eradication strategies are chosen

Risk Assesment

What steps should be followed in a return to the primary site?

Scheduling move, clearing BC site, and conducting an AAR

How should the business interface team be trained?

Should combine technical and non technical functions to ensure that the technology needs of the business groups are met. Training involves interfacing with the various business groups to determine their routine needs.

Why may all needed equipment not be pre-positioned at the alternate site?

Some equipment is too expensive or unique for pre-purchasing

What entity is responsible for creating the DR team? What roles should the DR team perform?

The CPMT. Develop DR plans, maintain and update DR plans, test plans, train.

What is a BCP?

The final response of the organization when faced with any interruption of its critical operations.

What is an incident damage assessment?

The initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets.

What is succession planning (SP)?

The process used to enable an organization to cope with the loss of key personnel with a minimum of disruption.

What is digital forensics?

The use of forensic techniques when the source evidence is digital

What must be done with interrupted services during the recovery process?

They need to be brought back online

Describe the use of an "I'm okay" line. When and how might an organization make use of this technology?

This service allows employees when notified of a disaster either by alert system or through public media to call a predetermined number. Employees report status by entering employee number.

What are the primary duties of the business interface team?

This team is responsible for working with the remainder of the organization to assist in the recovery of non technology functions.

What is crisis communications?

Those steps taken to communicate what is happening or has happened to internal and external audiences.

What is spam? Can it cause an incident?

Unwanted email traffic, can carry malware.

What is inappropriate use?

Use of company system for prohibited actions

IR reaction strategy

What to do once a incident has been detected

What is a DR after-action review (AAR), and what are the primRY OUTCOMES FROM IT?

What worked and what didn't, improvements.

What is unauthorized access?

When actor(s) access the operating system's API and gains access to info without permission

What type of document is usually required when an organization other than a law enforcement agency obtains authorization for a search?

affidavit

Describe the various rehearsal and testing strategies that an organization can employ.

desk check - provide copies of DR plan, simulation - stop short of actual physical activity, parallel testing, full-interruption, war gaming. Sequential roster for small organization, hierarchical structure for large organizations.

In forensic analysis, what are the differences between examination and analysis?

examination - don't draw conclusions analysis - draw conclusions

What are the commonly used subteams of the DR team? What role does each play?

hardware team, software team, and a network team

What is a sudden crisis? How is it different from a smoldering crisis?

sudden crisis: A disruption that occurs without warning smoldering crisis: Not generally known within or without the company


Kaugnay na mga set ng pag-aaral

ch. 5 Organizing Principles: Lipids, Membranes, and Cell Compartments book notes

View Set

KIN223: Ch. 16 Nervous System: Senses

View Set

M04 Quiz - Managerial Accounting

View Set

Chp. 3 Medical Expense Insurance

View Set

Ch. 26 Pharm EAQ: Antibacterials

View Set