SY0-501 Security+ Domain 5
A Service Level Agreement (SLA)
An end-to-end traffic performance guarantee made by a service provider to a customer. An ___________ guarantees a certain amount of system uptime to a client, as well as other service details and the levels of performance for the service provided. It also outlines penalties in case the provider is unable to supply the guaranteed service levels.
DCFLDD
An open-source, forensics-oriented enhancement of dd that is popularly used for forensic imaging and hashing; it can hash the data stream while it is being copied.
Only about 10 volts of charge
Can cause damage to sensitive electronic components.
Forensics - Recording Time offsets
Recording the offset between each system's clock and a trusted reference time can help to initially notify you that something strange is occurring in the system, lets you correlate events across systems, and can help point you to an origin.
DRP Should
Contain a hierarchical list of critical systems.
When getting a UPS
Cost, size, and technology need to be considered.
follow the incident management procedure
If you notice an attack taking place on a server, the first thing you should do is______________.
contain the problem
If you notice an unauthorized user has accessed your network, the first step of your incident response plan is usually to_______________.
Too much heat can cause
Creeping thermal expansion of components and overheating.
Incident Response Process - Recovery
Data and software are restored from clean backup files, ensuring that no vulnerabilities remain. Systems are then monitored for any sign of weakness or recurrence. This is the fifth step in the incident response process.
HVAC is to ensure
Data and systems availability.
Degaussing
Data can also be destroyed through ___________, which destroys data on magnetic storage tapes and disk drives by changing the magnetic field.
Recovery
In terms of forensics, it may become necessary to ___________ an employee's data in the course of investigating an incident. In cases such as these, whoever is compromising the system may have attempted to delete data, and it then becomes necessary to _________ it. Similarly, using a mechanism such as key escrow to decrypt a potential suspect's data would be helpful for __________ data.
Threat Assessment - When discussing the potential for a threat
It is important to observe whether the risk is coming from an internal or external source. An internal risk, e.g. a disgruntled employee, is going to have easier access to company assets and should be considered a greater potential risk.
Containment Incident Response Process
Keep it from spreading.
Likelihood of Occurrence
Keeping in mind the __________ of risks helps determine their threat level and how prepared you should be for them. For example, although a meteor striking the building has far greater destructive potential, the _________ of flood damage is exponentially higher, so that is what needs resources dedicated to it.
not be plugged into a UPS
Laser printers and portable heater/cooler should_________.
Response Team Roles - Requirements
Each system custodian must develop and review at least annually a system-level incident response plan that contains: (1) names and contact information for the local incident response team, including the Security Contact and alternate contact(s) who have system admin credentials, technical knowledge of the system, and knowledge of the location of the incident response plan; (2) a local authority/decision-maker for the system who understands the business impact of the system and its unavailability; (3) system details, or a reference to the location of such information, including data flow diagrams, network diagrams, system hardware inventory, and logging information.
Exercises
Effective incident response requires preparation; this includes not only preventing incidents, by ensuring that systems are secure, but also establishing an incident response capability so that you're confident your organization is ready to respond. Practicing your incident response procedure is as critical as creating the incident response plan in the first place.
Too cold reduces
Thermal expansion and creates friction. Can damage a computer if it is ________ when starting.
Response Team Roles -Triage Analysts
Filter out false positives and watch for potential intrusions.
Forensic Order of Volatility (OOV) to preserve data
First CPU cache and registers, then RAM, then swap/page file, then hard drive (remember CRSH!).
Follow-up Incident Response Process
Have a lessons-learned meeting to discuss what happened and how it can be prevented in the future.
Preparation Incident Response Process
Have personnel trained and ready.
Identification Incident Response Process
Have systems in place to detect attacks.
Role-based Training - When receiving training as a Data Owner it is important to highlight
Having the data in question protected and to only give access to those with the proper privileges.
Data Sensitivity Labeling - Confidential Data
Highly sensitive data intended for limited, specific use by a workgroup, department, or group of individuals with a legitimate need-to-know. Explicit authorization by the Data Steward is required for access because of legal, contractual, privacy, or other constraints. This type of data has a very high level of sensitivity.
Assessment Incident Response Process
How bad is this incident?
UPS Key Parameters - "Clamping Speed"
How fast the UPS can react to a spike or surge.
Computers run at only
3.3, 5, and 12 volts DC, supplied by the power supply.
An ISA (Interconnection Security Agreement)
A detailed document that defines the technical details of how two different company IT networks will be connected.
A security policy
A document that outlines the rules, laws, and practices for computer network access. HR should be trained on _____________ guidelines and enforcement. Creating a _______ should be the first step in creating a security baseline.
A privacy policy
A legal document that discloses some or all the ways a party gathers, uses, discloses, and manages a customer's data. The _________ should be referenced if you need to know what type of user information should be collected by your website.
An MOU (Memorandum Of Understanding)
A loose agreement between two parties to work together towards some common goal. It's one step up from a "gentleman's agreement". One thing to be careful of when you have a _____ to share data with another party is that this "loose" agreement may not have strict procedures on exactly how to keep that data secure.
MTBF (Mean Time Between Failures)
A measure of how reliable a product is. Usually given in units of hours; the higher the ______, the more reliable the product is. It is used to describe predictable failure points for equipment or services.
Mean Time To Restore (MTTR)
A metric for determining the effectiveness of a Disaster Recovery Plan: the average time needed to bring a failed system back into service.
Single Point of Failure
A part of a system which, if it fails, will stop the entire system from working. Examples: a single front-end web server that fronts several distributed database servers; a single administrator who has been assigned all of the tasks critical to continuity of operations.
Data Roles - Steward
A person responsible for the management and fitness of data elements - both the content and metadata. They have a specialist role that incorporates processes, policies, guidelines, and responsibilities for administering organizations' entire data in compliance with policy and/or regulatory obligations. Their overall objective is data quality, regarding the key/critical data elements existing within a specific enterprise operating structure, of the elements in their respective domains.
Disaster Recovery Plan (DRP)
A plan for business continuity in the event of a disaster that destroys part or all of a business's resources. It is vital to your company so it can recover from a severe disaster. The goal is to resume normal computing capabilities in as little time as possible.
Clean Desk Policy
A policy implemented to reduce the risk of possible data theft and to force users to organize their work area.
In an office environment good
Air conditioning and heating are always necessary. Things to watch for to ensure proper airflow: air ducts are clear of debris and properly open; air filters are not clogged with dirt and debris.
An NDA (Non-Disclosure Agreement)
Also known as a Confidentiality Agreement, is a legal contract between two parties that outlines confidential material, knowledge, or information that the parties wish to share but wish to restrict access to third parties. Before revealing any secrets to a new party, have him/her sign an _____________first! If you need to outline the consequences of revealing confidential information to outsiders, use an _____________.
Reputation
Also a crucial factor to keep in mind when doing impact analysis, as attacks or incidents that generate negative publicity can very easily damage trust from both consumers and business partners.
A hot site
An active duplicate of the original site of the organization with full computer systems as well as near-complete backups of user data.
A power surge
Might occur if you plug a computer directly into a wall outlet and this could damage the computer.
72°F with a relative humidity in the 30-40%
Most computers are designed to work in an environment of about_______________.
Deterrent Control Types - Examples
Operational: personnel/guards, "This area is under surveillance" signs, or something as simple as a fence or keeping doors locked. Management: openly displaying security policies to help emphasize legal implications, instituting a "whistleblower" policy. Technical: giving certain important data and systems selective access, auditing, and accountability.
Preventative Control Types - Examples
Operational: having a security guard at the front gate who decides whom to let in, regular maintenance of systems. Management: regularly running a risk assessment analysis, recovery planning and practice, employee training. Technical: having anti-malware software on relevant systems, network traffic monitoring, least privilege implementation.
Response Team Role - Incident Response Manager
Oversees and prioritizes actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the specific requirements of high severity incidents to the rest of the company.
HVAC (climate control)
Particularly important in the design of computer server rooms where humidity and temperature must be closely regulated.
Operational Control Types - Examples
Personnel Security, Physical and Environmental Protection, Contingency Planning, Configuration Management, Maintenance, System and Information Integrity, Media Protection, Incident Response, Awareness and Training
Forensics - Taking screenshots before and after an incident
Potentially helps to determine potential problems and is useful for keeping a record of any error messages that come up.
UPS Also protects against
Power surge when power is restored after a power failure.
Power Protection- Surge Protector/Suppressor
Protects against spikes and power surges by redirecting the surge to the path of least resistance (ground). Rated in Joules; the higher the number, the better. Better ones also protect the phone line.
UPS (Uninterruptible Power Supply)
Protects against spikes like a surge protector. It can prevent data loss due to loss of power. Includes line conditioning. It also provides some protection against "brownouts" and "blackouts". Essentially it is a big, heavy battery. Protection is measured in Watts, the amount of power it can supply in the event of a power outage.
A DRP is a
Reactive plan that gets activated when a disaster strikes.
Response Team Roles -Forensic Analysts
Recover key artifacts and maintain the integrity of evidence to ensure a forensically sound investigation.
To securely dispose of computers, you should
Sanitize the computer media. Use a certified wipe application to erase the data.
Disaster Recovery Plan (DRP) Testing
Should be performed per the disaster recovery plan. Trying out the recovery plan is the best practice for your disaster recovery strategy. Learning from any mistakes made during the exercise would make your disaster recovery exercises valuable.
Table-top exercises
Simulations can help you develop your incident response plan.
RS-232 ports
Some UPSs are more intelligent than others and use _____________and advanced software for communication with PCs and servers.
Legal Hold
Sometimes during an incident it may be required to place a _________ on data. It is the mechanism by which parties that must preserve information potentially relevant to a dispute tell "custodians" of that data that it must be preserved, and ensure compliance until the obligation no longer applies. The initial document outlining the scope of the preservation requirement is called the ________ notification or notice.
Eradication Incident Response Process
Stop/eliminate the attack.
Off-site backups
Stored in a location other than where the actual systems are being used. This keeps the backups safe if something were to happen to the main site, but they are not as easy to access.
Separation of duties
Taking a job, breaking it into smaller tasks, and assigning more than one person to complete them. This is done so error checking can happen between the assigned persons, and it helps prevent fraud. Example: someone can administer file and folder permissions but cannot administer auditing functions.
Forensics - Computer forensics
The application of scientifically proven methods to gather, process, interpret, and to use digital evidence to provide a conclusive description of cybercrime activities. If you want to prosecute an attacker that hacked your network, make sure you apply the proper techniques.
multiple offsite locations
The best place you should keep your Disaster Recovery Plan (DRP) is at______________.
ESD (Electrostatic discharge), Static Charge
A difference in electric potential between two objects. Human senses cannot detect ________ below approximately 2,500 volts. _________ of about 3,000 volts can create a visible spark.
Risk Management - SLE = Single Loss Expectancy
The expected monetary loss every time a risk occurs. The ___________, Asset Value (AV), and exposure factor (EF) are related by the formula: _____ = AV * EF.
Risk Management - ALE = Annualized Loss Expectancy
The expected monetary loss that can be expected for an asset due to risk over one year. It is defined as: _____ = SLE * ARO.
If you notice an attack taking place on a server
The first thing you should do is follow the incident management procedure.
Response Team Role - Security Analysts
The manager is supported by a team of _____________ who work directly with the affected network to research the time, location, and details of an incident. There are two types of analysts: triage analysts and forensic analysts.
30 volts
The minimum amount of ESD that can damage computer components.
distance and size of the facility
The most important consideration when choosing a disaster recovery site is the___________________.
safety and welfare of personnel
The most important item to consider when executing a DRP is the_______________.
Management buy-in
The most important thing to consider when developing a DRP.
A cold site
The most inexpensive type of backup site for an organization to operate. It is simply a lease on an empty building; a place to go in the event of a disaster.
Role-based Training
Training that relates to a function in a company. It includes customized training, task-based training, and collaboration and workflow. This approach takes into account several factors unique to the specific role and organization. It puts the training in the context of the role and what it takes to perform in that role.
Acceptance Control - Risk acceptance
Used in risk management to describe an informed decision to accept the consequences and likelihood of a particular risk. This is considered _________: A software publisher has discovered a design flaw in an application. Management decides to continue manufacturing the software, even though they are aware of the flaw. A company would most likely accept a risk if the cost of mitigation outweighs the expected loss from the risk.
Risk Management - ARO = Annualized Rate of Occurrence
Used to express the probability that a risk will occur in a particular year (e.g. 0.1 for once per decade). This data can usually be obtained from insurance companies.
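The SLE, ALE, and ARO cards above, together with the risk-acceptance card (accept when mitigation costs more than the risk), are easier to see on a worked case. The following is an added example, not part of the study set; the asset values, exposure factors, ARO figures, and control costs are constructed for illustration and the Risk/Control classes are this example's own.

```python
"""Added example (not from the study set): SLE/ALE arithmetic plus the
cost-benefit test for deciding whether to mitigate or accept a risk.
All asset values, exposure factors, ARO figures and control costs are
constructed illustrations, not data from the page."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: replacement/recovery value of the asset, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 - 1.0
    aro: float              # ARO: expected occurrences per year (0.1 = once per decade)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float               # purchase + maintenance cost spread over a year
    new_aro: float                   # ARO once the control is in place
    new_ef: Optional[float] = None   # EF after the control, if it also reduces impact


def control_value(risk: Risk, control: Control) -> float:
    """Net annual value of a control: ALE_before - ALE_after - annual cost.
    Positive: the control pays for itself.  Negative: accepting the risk is
    cheaper than mitigating it."""
    ef_after = control.new_ef if control.new_ef is not None else risk.exposure_factor
    mitigated = Risk(risk.name, risk.asset_value, ef_after, control.new_aro)
    return risk.ale() - mitigated.ale() - control.annual_cost


def recommend(risk: Risk, control: Control) -> str:
    """Risk-acceptance rule from the card: accept when the cost of mitigation
    outweighs the expected loss, otherwise mitigate."""
    return "mitigate" if control_value(risk, control) > 0 else "accept"


if __name__ == "__main__":
    # Constructed scenario: a $200k server cluster; a flood destroys 25% of
    # its value and floods hit the site about once every 10 years.
    flood = Risk("flood", asset_value=200_000, exposure_factor=0.25, aro=0.1)
    # Meteor strike: total loss, but vanishingly rare (the page's own contrast).
    meteor = Risk("meteor strike", asset_value=200_000, exposure_factor=1.0, aro=0.00001)

    flood_barrier = Control("flood barrier", annual_cost=2_000, new_aro=0.01)
    bunker = Control("underground bunker", annual_cost=50_000, new_aro=0.0)

    for risk, control in ((flood, flood_barrier), (meteor, bunker)):
        print(f"{risk.name}: SLE=${risk.sle():,.0f} ALE=${risk.ale():,.2f} "
              f"| {control.name}: value=${control_value(risk, control):,.2f} "
              f"-> {recommend(risk, control)}")
```

For the constructed flood, SLE is $50,000 and ALE $5,000; the barrier cuts the ALE to $500 for $2,000 a year, so it is worth $2,500 a year and should be bought. The meteor has a far larger SLE ($200,000) but an ALE of only $2, so a $50,000-a-year bunker is rejected and the risk is accepted, which is the likelihood-of-occurrence point the page makes.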
Risk Management - Qualitative
Uses a scoring system to rank threats and effectiveness of the countermeasures relative to the system and environment. Good judgment is used here.
The admin also needs to be kept up to date on
What users require which permissions and what securities the systems require.
UPS Key Parameters - "Clamping Voltage"
The voltage threshold the line must drop to before the UPS kicks in.
Escalation
When an incident is serious and is not being solved quickly enough, and the CIRT has exhausted the means within its authority to handle and coordinate, the CIRT must have a well-established and maintained mechanism for __________. This ___________ must reach an entity that, by its position and authority, can use other means to achieve a speedy solution to the incident in question, e.g., by applying pressure to the constituent where the incident may apply.
As a first responder
When arriving at a workstation you should record the findings.
Geographic Considerations - the distance between the system and where
When considering off-site backups, it is important to consider ________________ the backups are stored. It becomes a hassle for employees to move between sites separated by enough distance, but that distance keeps the backups safe from local incidents such as power outages.
Forensic Order of Volatility (OOV)
When dealing with multiple issues, address them in ________, always deal with the most volatile first. Volatility can be thought of as the amount of time you have to collect certain data before that window of opportunity is gone.
Threat Assessment
When determining the scope of a threat it is important to understand where it is coming from to assess the potential as well as kind of damage expected.
Impact Analysis
When doing an ___________ it is important to realize the various aspects of the business that risks can affect. Property impact is a concern when mentioning physical risks such as natural disasters or loss at the hands of employees. Impact on safety is a concern when certain systems get compromised such as a surveillance system or the system attached to an automated door lock system.
Geographical Consideration - physical location
When preparing your back-ups some factors need to be considered that involve the _______________that the backups are being stored.
Identification of Critical Systems
When running an assessment, it is always necessary to identify critical systems to ensure a quick recovery from the incident. Knowing which critical system is compromised will help guide the recovery. It is crucial to ensure that physical assets are operating before assessing non-tangible assets such as data systems.
Sensitivity Labeling - Private Data
When the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the owner. By default, all data that is not explicitly classified as Confidential or Public data should be treated as _________. A reasonable level of security controls should be applied to _____________.
Sensitivity Labeling - Public Data
When the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the company and its affiliates. Examples include press releases, course information, and research publications. While little or no controls are required to protect the confidentiality of ____________, some level of control is required to prevent unauthorized modification or destruction of ____________.
Continuing Education
While it is important to get all relevant employees trained and/or certified it is just as important to ensure that they have access to some form of ______________. Especially so in computer-based fields where the subject matter is subject to change very frequently. It also reminds employees of their training and keeps them aware of what aspects of their knowledge have become obsolete.
Forensics - Witness interviews
While not always the most reliable, these can be cross-referenced with other methods to piece together the situation.
A System Administrator needs to be aware of
Who, other than themselves has what accesses and permissions to prevent leaks.
Static electricity would be a major issue
With low humidity, while corrosion could happen in high humidity.
Low humidity
Would increase the likelihood of ESD.
Exercises Designing and planning
Base your preparations on a real-world scenario: establish the exercise objectives, identify participants, and define success criteria for judging your organization's performance. Brief the facilitator, scribe, and judging panel in advance. Capture recommendations in an After-Action Report.
ESD causes Two Types of Damage
"Catastrophic Loss" and "Degradation"
Line Conditioner
"Cleans Up" electric signals and smoothes them out
A warm site
A compromise between hot and cold. Warm sites will have backups on hand, but they may not be complete and may be between several days or a week old.
A Retention Policy
A set of guidelines that a company follows to determine how long it should keep certain records, including e-mail and web pages. Important for many reasons including legal requirements that apply to some documents. If you need to make sure that all log files on your secure servers are available for later review: This type of information needs to be noted in the ______________.
An Acceptable Use Policy
A set of rules applied by the owner/manager of a network, website, or large computer system that restricts how the network site or system may be used. Defines how to handle certain types of data. Employees must sign an ___________ that describes the proper methods and use of the network systems.
A standard operating procedure, or SOP
A set of step-by-step instructions compiled by an organization to help workers carry out routine operations. ____________ aim to achieve efficiency, quality output and uniformity of performance while reducing miscommunication and failure to comply with industry regulations.
Mitigation Control - Risk Reduction
A systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence.
Avoidance Control - Risk avoidance
A technique of risk management that involves taking steps to remove a hazard, engage in an alternative activity, or otherwise end a specific exposure.
A snapshot
A type of backup copy used to create the entire architectural instance/copy of an application, disk, or system. It is used in backup processes to restore the system or disk of a device at a specific time. A _____________ can also be referred to as image backup. Normally utilized by Virtual Machines.
Incident Response Process - Incident response
An organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). Conducting tabletop exercises and simulations can help you develop your incident response plan.
Incident Response Plan - Incident response
An organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Geographic Considerations -Location selection
Another factor to consider for off-site backups. Preferably a location that is easily accessed, secure, and, if they are being accessed remotely, internet support.
Track man-hours
Another practice that may help ongoing investigations is keeping logs of hours worked. Any discrepancy in officially logged hours can indicate that something is wrong. Combined with video surveillance, you can determine whether an employee should even have been in the building on a given day. It may be as simple as forgetting to clock in or out, which is why it is important to compare with other methods such as witness interviews.
Impact on finance
A chief concern for any business when company login information is compromised, as an attacker may assume control over the business's financial accounts. A lot of high-stakes cybercrime is committed toward this end.
Personally Identifiable Information (PII)
Any information that can identify an individual and can include: Mailing address, Credit card number, Bank Account Info, Social Security number, Birthdate. Requires special handling and explicit policies for data retention and data distribution. This is commonly called ____________ Handling and abides by the Principles of Data Handling.
Mandatory vacations
Are a tool that organizations use to verify if employees have been involved in malicious activities. Detecting fraud is a security benefit of mandatory vacations.
Hot and cold aisles
Are an accepted best practice for cabinet layout within a data center. The design uses air conditioners, fans, and raised floors as a cooling infrastructure and focuses on separating the inlet cold air from the exhaust hot air. When placing servers in a server rack, make sure the servers' air intakes face toward the _________.
Having alternate business practices
Are good to have in place for a Continuity of Operations Plan as well. For example, having a "safe" business plan to go on while you wait for your main facilities to get back to full working order.
Exit interviews
Are interviews conducted with departing employees, just before they leave. From the employer's perspective, the primary aim of the exit interview is to learn reasons for the person's departure, on the basis that criticism is a helpful driver for organizational improvement. ___________ (and prior) are also an opportunity for the organization to enable the transfer of knowledge and experience from the departing employee to a successor or replacement, or even to brief a team on current projects, issues, and contacts.
Cyber-incident response teams (CIRT)
Are responsible for responding to security breaches, viruses and other potentially catastrophic incidents in enterprises that face significant security risks. In addition to technical specialists capable of dealing with specific threats, it should include experts who can guide enterprise executives on appropriate communication in the wake of such incidents. The _____ normally operates in conjunction with other enterprise groups, such as site security, public-relations, and disaster recovery teams.
Data Roles - Custodian
Are responsible for the safe custody, transport, and storage of the data and implementation of business rules. They ensure that access to the data is authorized and controlled, technical processes sustain data integrity, technical controls safeguard data, change management practices are applied in maintenance of the database, and data content and changes can be audited.
When doing a forensics analysis on a hard disk
Attach the drive through a read-only (write-blocking) connector. Hash the hard disk. Capture an image (a bit-for-bit copy) onto a new disk for analysis. Hash the image you just made and compare it to the original's hash. Hash the original drive again to be sure you didn't alter it.
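The hash, image, hash, re-hash sequence on the card above, as an added example that is not part of the study set. In the field the source is a write-blocked device (for example /dev/sdb) imaged with dd or dcfldd, which can hash the stream as it copies; this Python version mirrors those steps on an ordinary file so it runs offline. The file names, the constructed "evidence" bytes, and the function names are this example's own assumptions.

```python
"""Added example (not from the study set): hash the source, image it while
hashing the stream (what dcfldd's inline hashing does), hash the image, then
re-hash the source to prove nothing was altered.  The source here is an
ordinary file; opening it read-only stands in for a hardware write blocker."""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 4096  # multiple of the 512-byte sector size


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the software analogue of a write blocker
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_with_hash(src: str, dst: str) -> str:
    """Bit-for-bit copy src -> dst, hashing the bytes as they are read,
    and return that stream hash."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            h.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really reached the disk
    return h.hexdigest()


def acquire(src: str, dst: str) -> Dict[str, str]:
    """Run the four hashes from the card and report whether they all agree."""
    report = {
        "source_before": sha256_of(src),      # 1. hash the original first
        "stream": image_with_hash(src, dst),  # 2. image it, hashing the stream
        "image": sha256_of(dst),              # 3. hash the finished image file
        "source_after": sha256_of(src),       # 4. hash the original again
    }
    digests = {report[k] for k in ("source_before", "stream", "image", "source_after")}
    report["verified"] = "yes" if len(digests) == 1 else "no"
    return report


def verify_image(src: str, dst: str) -> bool:
    """Later re-check (before analysis, or in court): image still matches source."""
    return sha256_of(src) == sha256_of(dst)


def demo() -> Tuple[Dict[str, str], bool]:
    """Constructed run: 8 sectors of random bytes as the 'disk', acquire it,
    then corrupt the image by one byte and confirm verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        img = os.path.join(d, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(8 * 512))  # constructed evidence, not real data
        report = acquire(src, img)
        with open(img, "ab") as f:
            f.write(b"\x00")              # tamper with the image
        tamper_detected = not verify_image(src, img)
    return report, tamper_detected


if __name__ == "__main__":
    report, tampered = demo()
    for key, value in report.items():
        print(f"{key:14} {value}")
    print("tamper detected after modifying image:", tampered)
```

Record all four digests (and the tool version and time) in the chain-of-custody notes; the "source_after" hash is what lets you show later that the acquisition itself did not change the evidence.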
Risk Management - Quantitative
Attempts to assign a dollar value to the risk for analyzing the cost of the potential effectiveness of the countermeasure.
Privileged users need to be
Aware of all the same protocols as regular users, but must also be made aware of what their privilege entails
Role-based Training - Users need to be
Aware of more basic security protocols such as never sharing their password or other login credentials.
Incremental Backup Techniques
Backup of all data that has changed since the last Normal or Incremental back- up. Clears the archive bit. Faster backups per night.
Normal or Full Backup Techniques
Backup of all selected data. Clears the archive bit or marker, telling Windows they have been backed up.
Differential Backup Techniques
Backup of data that has changed since the last Normal (full) backup. DOES NOT clear the archive bit. The fewest tapes to restore (two: the last full and the latest differential).
Privacy Threshold Analysis (PTA)
Before and after an incident, it may be required to conduct a ____________, which determines whether a system collects or maintains personally identifiable information (PII) and therefore whether a fuller privacy assessment is needed.
Response Team Roles -Threat Researchers
Complement security analysts by providing threat intelligence and context for an incident. They are constantly combing the internet and identifying intelligence that may have been reported externally. Combining this information with company records of previous incidents, they build and maintain a database of internal intelligence.
Data preservation
Defined as the processes that must occur to ensure that information potentially relevant to anticipated, pending or active litigation, investigations or other legal disputes retains its evidentiary integrity. In U.S. courts, legal precedent requires that potentially relevant information must be preserved at the instant a party "reasonably anticipates" litigation or another type of formal dispute.
Business Continuity Plan (BCP) Aspects - Recovery Point Objectives (RPO)
Defines a business goal for system restoration and acceptable data loss.
Business Continuity Plan (BCP) Aspects - Recovery Time Objectives (RTO)
Defines an organization's goal for acceptable downtime during a disaster or other contingency.
Storage and retention policy
Defines the document destruction requirements.
Business Continuity Plan (BCP) Aspects - Business Impact Analysis
Determines Maximum Tolerable Downtime (MTD).
Mean Time to Restore is a metric for
Determining the effectiveness of the Continuity of Operations Plan or a Disaster Recovery Plan.
Backup - Differential
Differential backups copy all changes since the last Normal backup. Monday: full backup. Tuesday: changes made since Monday. Wednesday: changes made since Monday. Thursday: changes made since Monday. Friday: changes made since Monday. You would need only Monday's and Friday's backups to do a full restore.
Privacy Impact Assessment
For high-profile information and data it is important to run a ____________. It can be hard to assess until a leak becomes public, but conducting an impact assessment can help minimize the potential impact on safety, finance, and reputation.
data sovereignty
For legal purposes, it is important to keep track of any contracts that mention some sort of____________. Whenever possible you want to make sure you aren't signing over the rights to your data, especially when it is especially sensitive.
Geographic Considerations -Legal implications
Going to be a crucial factor to consider especially when using a third-party site/service to store your backups. When using third-party sites for backups be sure to know the details about any contracts you would be agreeing to.
An FM-200 deployment should be connected to your HVAC system
In the event of a fire, when the suppressant gas is released, you don't want your HVAC system blowing fresh air into the room and diluting it.
Threat Assessment - Manmade threats
Include risks such as viruses, scams, confidentiality leaks, etc. and can mostly be handled by appropriate employee training.
A forensics toolkit
Includes caution tape, a digital camera, a read-only drive connector, spare hard drive, and a laptop loaded with forensics software.
Incident Types - Network and Resource Abuse
Includes: Network scanning activity. Denial of Service attacks
Incident Types - Compromised Computing Resources
Includes system (OS) account compromises; user account compromises; email-based abuse, such as unsolicited commercial email, more commonly known as "spam", and phishing emails, which seek to get the recipient to respond with either user credentials or personal information; and copyright infringement reports.
You would need all Backups to do a full restore
Incremental backup technique example: Monday, normal backup; Tuesday, changes made since Monday; Wednesday, changes made since Tuesday; Thursday, changes made since Wednesday; Friday, changes made since Thursday. What kind of backup would be needed on Friday?
Protected Health Information (PHI)
Information, including demographic data, that relates to the individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Sensitivity Labeling - Proprietary Data
Internally generated data or documents that contain technical or other types of information controlled by a firm to safeguard its competitive edge. __________ may be protected under copyright, patent, or trade secret. To stay competitive, organizations take serious measures to protect their sensitive data. Typically, organizations require anyone working with them to sign a contract that includes a non-disclosure agreement.
A business partnership agreement (BPA)
Is a contract between partners in a partnership that sets out the terms and conditions of the relationship between the partners, including percentages of ownership, distribution of profits and losses, and a description of the management powers and duties of each partner.
Having an alternate processing site
Is important for continuity as it allows for operations to continue at a location that should be independent of the issues that hit the primary site while it recovers.
Technical Control Types - Examples
Least privilege implementation, identification and authentication, access control, audit and accountability, system and communications protection.
Incident Types - Resource misconfiguration and abuses
Such as open proxy servers and anonymous FTP servers.
static problems
Low humidity (air that is too dry) causes ____________.
Incident Types - Vulnerable software configurations
May result in a future compromise. Also includes abuse via web forms and blog sites, and misuse of licensed resources.
MOA (Memorandum of Agreement)
Is not a legal document and is not enforceable in court. In most cases, by calling a document a memorandum of agreement, the signers are showing that they don't intend to try to enforce its terms. In health and community work, memoranda of agreement are usually used to clarify and/or specify the terms of a cooperative or collaborative arrangement involving two or more organizations.
Forensics - When doing forensics for data acquisition
Obtain and review network traffic logs. These will help point to the direction in which suspicious activity is heading and where it may have come from. Capture video from surveillance footage; this is crucial in identifying and confirming the persons present at the time of the occurrence.
Detective Control Types - Examples
Operational: having security guards monitor surveillance and record video, and setting alarms during non-business hours. Management: personnel reviews and screenings. Technical: having intrusion prevention and detection in place for relevant systems, and ensuring firewalls are in place and correctly configured.
Corrective Control Types - Examples
Operational: making sure aspects of any contingency planning are maintained, such as emergency power, physical backups, and order of restoration. Management: updating personnel on the attack and retraining them to deal with what they missed; reviewing contingency planning with employees. Technical: having backups protected and accessible to ensure quick recovery; assessing system logs to quickly identify compromises.
Continuity of Operations Plan (COOP)
Refers to the US government's Disaster Recovery Plan. Described as restoring mission essential functions at an alternate site and performing those functions for up to 30 days.
Chain of custody
Refers to the chronological documentation and/or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence (physical or electronic). It needs to be documented to preserve evidence for future use in court. Should be established immediately upon evidence seizure.
Transference Control - Risk Transference
Refers to the shifting of the burden of loss for a risk to another party through legislation, contract, insurance, or other means. When you buy insurance to mitigate a risk, this is considered _____________.
The UPS will
Repetitively beep if it gets disconnected from the wall outlet.
Data Roles - Privacy Officer / Chief Privacy Officer (CPO)
Responsible for the privacy of all data in an organization; one major part of the job is to avoid data breaches, especially if the organization is a large corporation. The role also involves applying business strategies and procedures to the business, organizing plans, and lastly conducting privacy program reviews by checking and analyzing the information to ensure it is correct.
Incident Response Process - Recovery
Restore damaged systems or data.
Management Control Types - Examples
Security policy, Risk Assessment, Planning, System and Services Acquisition, Certification, Accreditation, and Security Assessment.
ensure system abuse by administrators
Separation of duties can be implemented to __________________ does not go undetected in the log files.
Incident Response Process - Preparation
The organization educates users and IT staff on the importance of updated security measures and trains them to respond to computer and network security incidents quickly and correctly. This is the first step in the incident response process.
Data destruction
The process of destroying data stored on tapes, hard disks, and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes. Data destruction software must be used to overwrite the available space/blocks with random data until the data is considered irretrievable.
Personnel Management - A background check or background investigation
The process of looking up an individual's criminal, commercial, and financial history. This should outline the potential risks associated with hiring this employee. ________________ are common for many types of professions but are especially important when a new employee is entering a position of trust.
Change Management
The process of requesting, determining attainability, planning, implementing, and evaluating changes to a system. Before implementing a change in coding for an application on your production servers, your __________ procedures should be followed. When changing/updating a system or application, be sure to include system roll-back procedures in case the change causes the system to crash or become unstable.
Incident Response Process - Identification
The response team is activated to decide whether an event is, in fact, a security incident. This is the second step in the incident response process.
Incident Response Process - Lessons learned
The team analyzes the incident and how it was handled, making recommendations for better future response and for preventing a recurrence. This is the last step in the incident response process.
Incident Response Process - Containment
The team determines how far the problem has spread and contains the problem by disconnecting all affected systems and devices to prevent further damage. This is the third step in the incident response process.
Incident Response Process - Eradication
The team investigates to discover the origin of the incident. The root cause of the problem and all traces of malicious code are removed. This is the fourth step in the incident response process.
Supply Chain Assessment
The trustworthiness of any supply chain that your business is utilizing is important to keep in mind when discussing risk. On a larger scale, you would need to make sure all the Microsoft products you are getting are traveling from and between trusted sources to prevent loss or faulty products. This also applies on a smaller scale; for example, you wouldn't order a novel from blankbooks.com.
Control Type - Operational Classification
These are day-to-day procedures and mechanisms that include physical and environmental protection, privileged entry commands, change control management, hardware controls, and input and output controls.
Control Type - Management Classification
These controls include personnel screening, separation of duties, rotation of duties, and least privilege.
Control Type - Technical (logical) Classification
These controls include audit and journal integrity validations (e.g., checksums, authentication, and file system permissions).
Control Type - Detective
These controls detect an attack and may activate corrective controls or preventative controls.
Control Type - Preventative
These controls protect against vulnerabilities, reduce the impact of attacks, or prevent an attack's success.
Control Type - Corrective
These controls reduce the impact of an attack.
Control Type - Deterrent
These controls reduce the likelihood of an attack.
Rotation of Duty/Job Rotation
This is when you must change roles with another administrator every few months. According to industry best practices, you would institute a mandatory ______ of activities policy to detect an insider threat. It also provides continuity of operations in the event of absence or accident.