Disaster Recovery & Incident Response
- Disaster Recovery & Incident Response - Business Continuity Planning (BCP)
the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes. - Two of the key components of BCP are business impact analysis (BIA) and risk assessment.
- Disaster Recovery & Incident Response - Black Box (Penetration Testing)
tester has no knowledge of the system and is functioning in the same manner as an outside attacker.
- Disaster Recovery & Incident Response - White Box (Penetration Testing)
tester has significant knowledge of the system. This simulates an attack from an insider—a rogue employee.
- Disaster Recovery & Incident Response - Gray Box
tester has some limited knowledge of the target system.
- Disaster Recovery & Incident Response - full backup
A backup that copies all data to the archive medium.
- Disaster Recovery & Incident Response - false positive
A flagged event that isn't really a notable incident and has been falsely triggered.
- Disaster Recovery & Incident Response - hot site aka active backup model
A location that can provide operations within hours of a failure. Many hot sites also provide office facilities and other services so that a business can relocate a small number of employees to sustain operations.
- Disaster Recovery & Incident Response - cold site
A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately.
- Disaster Recovery & Incident Response - disaster-recovery plan
A plan outlining the procedure by which data is recovered after a disaster.
- Disaster Recovery & Incident Response - credentialed vulnerability scan
A scan that provides credentials (username and password) to the scanner so that tests for additional internal vulnerabilities can be performed. Less system resources.
- Disaster Recovery & Incident Response - warm site
A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site.
- Disaster Recovery & Incident Response - system image
A snapshot of what exists.
- Disaster Recovery & Incident Response - Exam Essentials: Be able to discuss the process of recovering a system in the event of a failure.
A system recovery usually involves restoring the base operating systems, applications, and data files. The operating systems and applications are usually restored either from the original distribution media or from a server that contains images of the system. Data is typically recovered from backups or archives.
- Disaster Recovery & Incident Response - incremental backup
A type of backup that includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion.
- Disaster Recovery & Incident Response - differential backup
A type of backup that includes only new files or files that have changed since the last full backup. Differential backups differ from incremental backups in that they don't clear the archive bit upon their completion.
- Disaster Recovery & Incident Response - According to CERT, which of the following would be a formalized or an ad hoc team you can call upon to respond to an incident after it arises? A. CSIRT B. CIRT C. IRT D. RT
A. A CSIRT is a formalized or an ad hoc team that you can call upon to respond to an incident after it arises.
- Disaster Recovery & Incident Response - Which of the following types of vulnerability scans uses actual network authentication to connect to systems and scan for vulnerabilities? A. Credentialed B. Validated C. Endorsed D. Confirmed
A. A credentialed vulnerability scan uses actual network credentials to connect to systems and scan for vulnerabilities.
- Disaster Recovery & Incident Response - Which of the following types of penetration testing focuses on the system, using techniques such as port scans, traceroute information, and network mapping to find weaknesses? A. Active reconnaissance B. Passive reconnaissance C. Operational reconnaissance D. Constricted reconnaissance
A. Active reconnaissance is a type of penetration testing that focuses on the system, using techniques such as port scans, traceroute information, and network mapping to find weaknesses.
- Disaster Recovery & Incident Response - Your company is about to invest heavily in a new server farm and have made an attractive offer for a parcel of land in another country. A consultant working on another project hears of this and suggests that you get the offer rescinded because the laws in that country are much more stringent than where you currently operate. Which of the following is the concept that data is subject to the laws of where it is stored? A. Data sovereignty B. Data subjugation C. Data dominion D. Data protectorate
A. Data sovereignty is the concept that data is subject to the laws of where it is stored.
- Disaster Recovery & Incident Response - You're a consultant brought in to advise MTS on its backup procedures. One of the first problems you notice is that the company doesn't use a good tape-rotation scheme. Which backup method uses a rotating schedule of backup media to ensure long term information storage? A. Grandfather, Father, Son method B. Full Archival method C. Backup Server method D. Differential Backup method
A. The Grandfather, Father, Son backup method is designed to provide a rotating schedule of backup processes. It allows for a minimum usage of backup media, and it still allows for long-term archiving.
- Disaster Recovery & Incident Response - Which plan or policy helps an organization determine how to relocate to an emergency site? A. Disaster-recovery plan B. Backup site plan C. Privilege management policy D. Privacy plan
A. The disaster-recovery plan deals with site relocation in the event of an emergency, natural disaster, or service outage.
- Disaster Recovery & Incident Response - reciprocal agreement
Agreement between two organizations (or two internal business groups) with basically the same equipment/same environment that allows each one to recover at each other's site.
- Disaster Recovery & Incident Response - tabletop exercise
An exercise that involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.
- Disaster Recovery & Incident Response - intrusion detection system (IDS)
Any set of tools that can identify an attack using defined rules or logic. An IDS can be network-based or host-based.
- Disaster Recovery & Incident Response - intrusion prevention system (IPS)
Any set of tools that identify and then actively respond to attacks based on defined rules. Like an IDS (which is the passive counterpart), an IPS can be network-based or host-based.
- Disaster Recovery & Incident Response - You're trying to rearrange your backup procedures to reduce the amount of time they take each evening. You want the backups to finish as quickly as possible during the week. Which backup system backs up only the files that have changed since the last backup? A. Full backup B. Incremental backup C. Differential backup D. Backup server
B. An incremental backup backs up files that have changed since the last full or partial backup.
- Disaster Recovery & Incident Response - Which of the following is a newer backup type that provides continuous online backup by using optical or tape jukeboxes and can be configured to provide the closest version of an available real time backup? A. TPM B. HSM C. SAN D. NAS
B. HSM is a newer backup type that provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup.
- Disaster Recovery & Incident Response - Karl is conducting penetration testing on the Pranks Anonymous servers and having difficulty finding a weakness. Suddenly, he discovers that security on a different company's server—a vendor to Pranks Anonymous—can be breached. Once he has compromised the completely different company's server, he can access the Pranks Anonymous servers and then launch an attack. What is this weakness/exploit known as? A. Fulcrum B. Pivot C. Swivel D. Twirl
B. In the realm of penetration testing, using a weakness in another —usually trusted—entity to launch an attack against a site/server is known as a pivot
- Disaster Recovery & Incident Response - Which site best provides limited capabilities for the restoration of services in a disaster? A. Hot site B. Warm site C. Cold site D. Backup site
B. Warm sites provide some capabilities in the event of a recovery. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that may already exist at the warm site.
- Disaster Recovery & Incident Response - Although you're talking to her on the phone, the sound of the administrative assistant's screams of despair can be heard down the hallway. She has inadvertently deleted a file that the boss desperately needs. Which type of backup is used for the immediate recovery of a lost file? A. Onsite storage B. Working copies C. Incremental backup D. Differential backup
B. Working copies are backups that are usually kept in the computer room for immediate use in recovering a system or lost file.
- Disaster Recovery & Incident Response - Which of the following is a reversion from a change that had negative consequences? A. Backup B. ERD C. Backout D. DIS
C. A backout is a reversion from a change that had negative consequences.
- Disaster Recovery & Incident Response - Which of the following would normally not be part of an incident response policy? A. Outside agencies (that require status) B. Outside experts (to resolve the incident) C. Contingency plans D. Evidence collection procedures
C. A contingency plan wouldn't normally be part of an incident response policy. It would be part of a disaster recovery plan.
- Disaster Recovery & Incident Response - Which backup system backs up all the files that have changed since the last full backup? A. Full backup B. Incremental backup C. Differential backup D. Archival backup
C. A differential backup backs up all of the files that have changed since the last full backup.
- Disaster Recovery & Incident Response - The process of automatically switching from a malfunctioning system to another system is called what? A. Fail-safe B. Redundancy C. Failover D. Hot site
C. Failover occurs when a system that is developing a malfunction automatically switches processes to another system to continue operations.
- Disaster Recovery & Incident Response - Which of the following is the process used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated? A. Chain of custody B. Order of volatility C. Legal hold D. Strategic intelligence gathering
C. The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated is known as legal hold.
- Disaster Recovery & Incident Response - You're the head of information technology for MTS and have a brother in a similar position for ABC. The companies are approximately the same size and are located several hundred miles apart. As a benefit to both companies, you want to implement an agreement that would allow either company to use resources at the other site should a disaster make a building unusable. What type of agreement between two organizations provides mutual use of their sites in the event of an emergency? A. Backup-site agreement B. Warm-site agreement C. Hot-site agreement D. Reciprocal agreement
D. A reciprocal agreement is between two organizations and allows one to use the other's site in an emergency.
- Disaster Recovery & Incident Response - Which of the following is a concept that works on the assumption that any information created on any system is stored forever? A. Cloud computing B. Warm site C. Big data D. Full archival
D. Full archival is a concept that works on the assumption that any information created on any system is stored forever.
- Disaster Recovery & Incident Response - Which type of penetration-style testing involves actually trying to break into the network? A. Discreet B. Indiscreet C. Nonintrusive D. Intrusive
D. Intrusive testing involves actually trying to break into the network. Non-intrusive testing takes more of a passive approach.
- Disaster Recovery & Incident Response - What is another name for working copies? A. Functional copies B. Running copies C. Operating copies D. Shadow copies
D. Working copies are also known as shadow copies.
- Disaster Recovery & Incident Response - Exam Essentials: Understand the aspects of disaster recovery
Disaster recovery is concerned with the recovery of critical systems in the event of a loss. One of the primary issues is the effectiveness of backup policies and procedures. Offsite storage is one of the most secure methods of protecting information from loss.
- Disaster Recovery & Incident Response - Exam Essentials: Understand the basics of forensics.
Forensics is the process of identifying what has occurred on a system by examining the data trail. It involves an analysis of evidence found in computers and on digital storage media. When dealing with multiple issues, address them in order of volatility: capture system images as a snapshot of what exists, look at network traffic and logs, capture any relevant video/screenshots/hashes, record time offset on the systems, talk to witnesses, and track total man hours and expenses associated with the investigation.
- Disaster Recovery & Incident Response - vulnerability scanning
Identifying specific vulnerabilities in your network.
- Disaster Recovery & Incident Response - snapshot
Image of a virtual machine at a moment in time.
- Disaster Recovery & Incident Response - forensics
In terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.
- Disaster Recovery & Incident Response - FYI: When doing penetration testing, it is important to have a scope document outlining the extent of the testing that is to be done. It is equally important to have permission from an administrator who can authorize such testing—in writing—to be conducted.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: As time goes on, tape is losing its popularity as a medium for backups to other technologies. The Security+ exam, however, is a bit dated, and it still considers tape the ideal medium.
Intentionally Left Blank
- Disaster Recovery & Incident Response - Full Archival method
a concept that works on the assumption that any information created on any system is stored FOREVER
- Disaster Recovery & Incident Response - NOTE: The acronym HSM is used for more than one security related entity. Not only does it stand for hierarchical storage management, as discussed here, but it's commonly used for hardware security module as well—a method of transient cryptographic key exchange.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: Working copies aren't usually intended to serve as longterm copies. In a busy environment, they may be created every few hours.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: An order of restoration should always be followed after a disaster to ensure that dependent services are not restored before the ones they are dependent on. It is highly recommended that network maps or diagrams be used to illustrate dependencies. These maps can be invaluable in executing the order of restoration after the crisis.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: If you work for a multinational corporation, it is important to have a legal department that proactively offers advice on geographic matters such as data sovereignty.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: Law enforcement personnel are governed by the rules of evidence, and their response to an incident will be largely out of your control. You need to consider involving law enforcement carefully before you decide that you do not want to handle the situation without them.
Intentionally Left Blank
- Disaster Recovery & Incident Response - NOTE: Make sure that you obtain input from all who are dealing with governmental or regulatory agencies. Each agency may have different archival requirements, and compliance violations can be expensive. Both HIPAA and Sarbanes-Oxley are affecting—and driving—archival and disposal policies around the nation.
Intentionally Left Blank
- Disaster Recovery & Incident Response - TIP: One of the most important aspects of using alternative sites is documentation. To create an effective site, you must have solid documentation of what you have, what you're using, and what you need in order to get by.
Intentionally Left Blank
- Disaster Recovery & Incident Response - intrusive tests
Penetration-type testing that involves trying to break into the network.
- Disaster Recovery & Incident Response - nonintrusive tests
Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network.
- Disaster Recovery & Incident Response - six steps of any incident response process
Preparation Identification Containment Eradication Recovery Lessons learned
- Disaster Recovery & Incident Response - onsite storage
Storing backup data at the same site as the servers on which the original data resides.
- Disaster Recovery & Incident Response - offsite storage
Storing data off the premises, usually in a secure location.
- Disaster Recovery & Incident Response - intrusion
The act of entering a system without authorization to do so.
- Disaster Recovery & Incident Response - disaster recovery
The act of recovering data following a disaster in which it has been destroyed
- Disaster Recovery & Incident Response - Exam Essentials: Be able to describe the needed components of an incident response policy
The incident response policy explains how incidents will be handled, including notification, resources, and escalation. This policy drives the incident response process, and it provides advance planning to the incident response team.
- Disaster Recovery & Incident Response - failover
The process of reconstructing a system or switching over to other systems when a failure is detected.
- Disaster Recovery & Incident Response - Exam Essentials: Know the types of backups that are typically performed in an organization.
The three backup methods are full, incremental, and differential. A full backup involves the total archiving of all information on a system. An incremental backup involves archiving only information that has changed since the last backup. Differential backups save all information that has changed since the last full backup.
- Disaster Recovery & Incident Response - Exam Essentials: Be able to discuss the types of alternative sites available for disaster recovery.
The three types of sites available for disaster recovery are hot sites, warm sites, and cold sites. Hot sites typically provide high levels of capability, including networking. Warm sites may provide some capabilities, but they're generally less prepared than a hot site. A cold site requires the organization to replicate critical systems and all services to restore operations.
- Disaster Recovery & Incident Response - Noncredentialed vulnerability scan
Vulnerability scan ran without any user credentials. Works over IP, much more resource hungry and could bring down a system.
- Disaster Recovery & Incident Response - backout
a reversion or roll back to a previous state from a change that had negative consequences
- Disaster Recovery & Incident Response - order of volatility (OOV)
always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone. ie; RAM, hard drive data, CDs/DVDs, and printouts.
- Disaster Recovery & Incident Response - pivot aka island hopping (Penetration Testing)
attempt to attack a system using another, compromised system.
- Disaster Recovery & Incident Response - active reconnaissance (Penetration Testing)
directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.
- Disaster Recovery & Incident Response - passive reconnaissance (Penetration Testing)
flaws may be discovered by means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering
- Disaster Recovery & Incident Response - vulnerability scanners, such as Nessus
help identify common misconfigurations. http://www.tenable.com/products/nessus
- Disaster Recovery & Incident Response - Intrusive tests
involve actually trying to break into the network.
- Disaster Recovery & Incident Response - Grandfather, Father, Son Method
one of the most popular methods of backup tape rotation. Three sets of tapes are rotated in this method. The most recent backup after the full backup is the Son. As newer backups are made, the Son becomes the Father, and the Father, in turn, becomes the Grandfather. At the end of each month, a full backup is performed on all systems. This backup is stored in an offsite facility for a period of one year. Each monthly backup replaces the monthly backup from the previous year. Weekly or daily incremental backups are performed and stored until the next full backup occurs. This full backup is then stored offsite, and the weekly or daily backup tapes are reused
- Disaster Recovery & Incident Response - working copy backup aka shadow copies
partial or full backups that are kept at the computer center for immediate recovery purposes. They are usually updated on a frequent basis and are generally the most recent backups that have been made. - The copy of the data currently in use on a network.
- Disaster Recovery & Incident Response - Nonintrusive tests
passively testing of security controls—performing vulnerability scans and probing for weaknesses but not exploiting them
- Disaster Recovery & Incident Response - Critical Business Functions (CBFs)
processes or systems that must be made operational immediately when an outage occurs.
- Disaster Recovery & Incident Response - Hierarchical storage management (HSM)
provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup.