ITEC 437 FINAL STUDY GUIDE
What is the first task the CSIRT leader will undertake on arrival?
Determine whether an incident has actually occurred (that is, confirm the reported event is a real incident and not a false alarm).
List and describe the component parts of the BC policy document
1. Develop the BC planning policy statement. 2. Review the BIA. 3. Identify preventive controls. 4. Create BC contingency strategies. 5. Develop the BC plan. 6. Ensure BC plan testing, training, and exercises. 7. Ensure BC plan maintenance.
Sub teams of DR team
Disaster management team, communications team, computer recovery team, system recovery team, network recovery team.
Three General Sections of DR Activities
During the disaster, after the disaster, and before the disaster (presented in that order in the plan).
What are the ongoing challenges associated with local emergency services, service providers and community related issues that organizations face when confronted with a disaster
Emergency services such as fire and police may be operating under triage, so only the most critical calls get a response. Public services such as transit and trash collection may be significantly delayed, and shortages of groceries and other supplies may occur.
Why is cryptography a good thing for IT workers but a bad thing for forensic investigators?
Encryption protects the confidentiality of data for IT workers, but it poses significant challenges to forensic investigators because, by its nature, it conceals the content of the digital material they need to examine; without the key, the evidence may be unrecoverable.
Phases after containment in IR
Eradicate
How do organizations often divvy up the practice of digital forensics?
First response, and analysis and presentation.
What are the four steps in collecting digital evidence?
1. Identify sources of evidentiary material. 2. Authenticate the evidentiary material. 3. Collect the evidentiary material. 4. Maintain a documented chain of custody.
What are the critical steps in the BC implementation process?
Implementation of the BC plan involves relocation to the alternate site, establishment of operations, and return to the primary site or new permanent alternate site
What is the first imperative of the CSIRT when there is a confirmed incident?
Incident Containment
What are the common roles and duties of a digital forensic first-response team?
Incident Manager, Scribe and Imager.
What are the primary objectives of the resumption phase of the DR plan?
Initiate implementation of secondary functions; finalize implementation of primary functions; identify additional needed resources; continue planning for restoration.
What type of forensics is used on systems that must continue to operate while being examined?
Live acquisition (collecting volatile data such as memory contents and running processes from a system that remains powered on).
Describe the triggers of the DR plan
Management notification, employee notification, emergency management notification, local emergency services, media outlets.
What two hash functions are commonly used as digital fingerprints?
MD5 (Message Digest 5) and the SHA family (SHA-1, SHA-2, and SHA-3). Both MD5 and SHA-1 are broken against collision attacks, so current practice records a SHA-2 hash (typically SHA-256) alongside any legacy MD5 or SHA-1 value that existing tooling expects.
What are some of the reasons a safeguard or control may not have been successful in stopping or limiting an incident?
Missing, Misconfigured, or Malfunctioning
What should be the primary focus of the training that is provided to the network recovery team?
Much of their DR operations training should focus on establishing ad hoc networks quickly but securely.
What is a DR after action review (AAR), and what are the primary outcomes from it?
The AAR is a detailed examination of the events that occurred, from first detection through final recovery, conducted after the DR teams stand down. Its primary outcomes are a documented record of what happened and how the teams responded, lessons learned that are fed back into the DR plan and procedures, and a case that can be stored for training future staff. (In the IR plan, the comparable "actions after" phase also covers restoring lost or damaged data, scrubbing systems of infection, possible follow-on incidents, and forensic analysis.)
What is PTSD? Who should be involved in treating members suffering from PTSD after a crisis?
PTSD (post-traumatic stress disorder) is a psychiatric disorder that can occur after experiencing or witnessing life-threatening events such as military combat, natural disasters, terrorist incidents, serious accidents, or violent personal assaults. Professional counselors should be involved in treating members suffering from PTSD, typically through the employee assistance program (EAP).
Is it practical to prepare for all possible contingencies? How can this best be handled?
Preparing for all possible contingencies is usually not practical. However, one or several general training programs focused on implementing critical business functions at an alternate site should prepare all involved parties for the implementation of a specific BC operation.
In what main way does search and seizure differ in the public and the private sectors?
Law enforcement in the public sector has broad legal immunity when it searches under a valid warrant; private-sector organizations do not have that immunity, so their searches must stay within their own policies and the consent or authorization they have obtained.
What sections should be included in a CM plan?
Purpose; crisis management planning committee; crisis types; crisis management team structure; responsibility and control; implementation; crisis management protocols; crisis management plan priorities; appendices.
Key elements of DR planning policy
Purpose, Scope, Roles and responsibilities, schedules, resource requirements.
What are the primary objectives of the recovery phase of the DR plan?
Recover critical business functions; coordinate recovery efforts; acquire resources to replace damaged or destroyed materials and equipment; evaluate the need to implement the BC plan.
Special Documentation
Redundant Hardware, Data recovery software, Insurance contacts, Service providers, Emergency Supplies
What are the primary objectives of the restoration phase of the DR plan?
Repair all damage to the primary site, or select or build a replacement facility; replace the damaged or destroyed content of the primary site, including supplies, equipment, and material; coordinate the relocation from temporary offices to the primary site or to a suitable new replacement facility; restore normal operations at the primary site, beginning with critical functions and continuing with secondary operations; stand down the DR teams and conduct the after-action review.
What is a worst case scenario?
A scenario in which service disruptions may last for weeks or months and the government may declare a state of emergency. Organizations should educate their staff on what is expected of them in such a scenario.
Why may all the needed equipment not be pre-positioned at the alternate site?
Some equipment is either too expensive or too unique to allow pre-purchasing, pre-positioning, or purchasing locally.
What parts of the organization should the BC team draw on for its members?
The BC team should consist of representatives from every major organizational unit. Unlike the DR team, the need for specialized technology-focused members is significantly reduced, and the emphasis should be placed in generalized business and technology skills instead of highly specialized technical skills.
who should be on the CM planning committee? Who should be on the CM team?
The CM planning committee should include broad representation from the parts of the organization that will be most affected by the plans when they are put into effect. It should also include sufficient management representation so there is a champion who can accomplish the necessary tasks and marshal support from senior management. The CM team typically includes a team leader, a communications coordinator, an emergency services coordinator, and other members as needed.
What entity is responsible for creating the DR team? What roles should the DR team perform?
The contingency planning management team (CPMT) creates the DR team. The DR team's role is to manage the disaster response and reestablish the organization's business processes and operations at the primary site.
If an organization choose the protect and forget instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected?
The aspect of IR that will be most affected is the data collection tasks.
For most DR-related teams, what is the best basic preparation?
The best preparation for a crisis is to be well trained and comfortable in completing their normal tasks.
How are crises related to incidents and disasters
The critical difference between crises and incidents/disasters is that a crisis includes potential impact to employees' lives
What federal agencies may be involved during a crisis? What role does each play?
The federal agencies that may be involved during a crisis are DHS, FEMA, the Secret Service, FBI, and HAZMAT. DHS is specifically organized to handle crises, especially those involving threats to the safety of U.S. citizens and potential damage to this country's infrastructure. FEMA aims to support citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. The Secret Service protects high-level politicians and is also responsible for investigating crimes related to financial securities. The FBI deals with many crimes that are potential crises. HAZMAT agencies are trained to deal with radiological, biological, or chemical threats.
what is incident damage assessment
The initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
limitations on the number and type of CP teams to which any individual should be assigned
The membership of the DR team should be distinctly separate from that of any other contingency-related team, because each team has different responsibilities when activated in a real disaster, and more than one team may be active at the same time. Therefore, DR team members should not also serve on the IR team or the business continuity team, since the duties of each team may overlap if an incident escalates into a disaster that requires implementation of the BC plan.
how can you classifiy disasters based on the way they emerge and become an issue for an organization
The most common way is to separate natural disasters from man-made disasters. Another way of classifying disasters is by speed of development. Rapid-onset disasters are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production. They may be caused by earthquakes, floods, storm winds, tornadoes, mud flows, and so on. Slow-onset disasters occur over time and slowly deteriorate the organization's capacity to withstand their effects. These disasters include droughts, famines, environmental degradation, desertification, deforestation, and pest infestation.
What are RTO and RPO, and why is it essential to define them early in the BC planning process?
The recovery time objective (RTO) is the amount of time the business can tolerate until the alternate capabilities are available. The recovery point objective (RPO) is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored. They must be defined early because they drive every later choice: the type of alternate site, the backup frequency and data management strategy, and the resources the plan must budget for.
What is job rotation? Why is it a useful practice from a DR plan perspective?
The routine training of all employees for at least one other job, either vertically or horizontally prepares the organization to handle normal personnel shortages or outages
When dealing with the loss of staff, what strategies can be employed?
There are a number of techniques to deal with the loss of staff, including: cross-training, job and task rotation, and redundancy.
Why should DR planning documents be classified as confidential?
These plans can contain a wealth of sensitive data that would be a significant loss to the organization if the data fell into the wrong hands. Planners need to make arrangements for the ways that planning documents are copied and stored, to accommodate the availability requirement while making sure the necessary confidentiality is maintained.
why do some organizations abdicate all responsibility for DR planning to the IT department
Because they see disaster recovery primarily as keeping IT systems available during and immediately following a disaster, so they treat it as an IT problem rather than an organization-wide one.
What is an auxiliary phone alert and reporting system, and what functions can it perform for an organization during DR planning?
This is an information system with a telephony interface that can be used to automate the alert process. Such a system can use predefined notification strategies updated with specific details at the time of use to perform rapid and effective notification.
why must the staff at the alternate site continue to observe backup strategies that are in place at the primary site
This is because good backup practices can safeguard losses that occur while operating in the suboptimum conditions of the contingency deployment, when errors or faults can cause additional disruptions, and because there will eventually be a need to relocate to the primary site.
Describe the use of an "I'm okay" line. When and how might an organization make use of this technology?
This service allows employees, when notified of a disaster either by the alert system or through the public media, to call a predetermined number and report their status and location. It gives the organization a rapid head count without tying up staff on the phones, and it is used in the response phase immediately after a disaster or crisis is declared.
What steps should be followed in a return to the primary site?
This task involves the scheduling of the employee move and the clearing of the BC site. Finally, an AAR is conducted
What are the primary duties of the business interface team?
This team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions.
How should the business interface team be trained?
This team's training could also combine technical and nontechnical functions to ensure that the technology needs of the business groups are met. Training involves interfacing with the various business groups to determine their routine needs.
Why might an organization forego trying to identify the attacking host during an incident response?
Because the effort is usually better spent on containment and protecting assets: tracking the attacking host (which is often spoofed or a compromised third-party system) is time-consuming, can delay containment, and leaves the organization exposed to concurrent recurrence.
Describe the various rehearsal and testing strategies that an organization can employ.
Desk check (each team member reviews the plan individually); structured walk-through (the team steps through the plan together); simulation (each member performs their assigned actions in a drill without actually interrupting operations); parallel testing (the recovery systems are brought up alongside production); and full-interruption testing (production is actually shut down and recovered, the most realistic and most risky option). Notification mechanisms such as the alert roster, the auxiliary phone alert and reporting system, and the "I'm okay" line are exercised within these tests.
What factors determine which digital evidence should be collected and in what order?
Value, Volatility, and Effort Required
What type of document is usually required when an organization other than a law enforcement agency obtains authorization for a search?
An affidavit (a written request for authorization to search) approved by the appropriate authority. For law enforcement the approved affidavit is a warrant; for a private organization it is a management-signed search authorization under organizational policy.
What is watchful waiting and why might we use it?
a tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected. The use of this type of delayed containment may need to be previewed with legal counsel to see if it is feasible.
What should be the first step in the business continuity planning process? Which NIST document is used to inform this process?
a. Develop the BC planning policy statement: a formal organizational policy that provides the authority and guidance necessary to develop an effective continuity plan. b. The NIST document used to inform the process is SP 800-34, Rev. 1.
What are the elements used in the sample DR plan
a.Name of organization or department b.Date of completion or update of the plan and test date c.Staff to be called in the event of a disaster d.Emergency services to be called (if needed) in event of a disaster e.Locations of in-house emergency equipment and supplies f.Sources of off-site equipment and supplies g.Salvage priority list h.Agency DR procedures i.Follow-up assessment
List and describe the phases of the BC plan
a.Preparation for BC actions - In this phase of the BC plan, the organization specifies what type of relocation services are desired and what type of data management strategies are deployed to support relocation. b.Relocation to the alternate site - This phase of the BC plan specifies under what conditions and how the organization relocates from the primary to the alternate site. c.Return to the primary site - This phase of the BC plan should have documented procedures for "clearing" the BC site and redirecting employees back to their normal work offices
Describe the phases in a DR plan.
a.Preparation — The planning and rehearsal necessary to respond to a disaster b.Response — The identification of a disaster, notification of appropriate individuals, and immediate reaction to the disaster c.Recovery — The recovery of necessary business information and systems d.Resumption — The restoration of critical business functions e.Restoration — The reestablishment of operations at the primary site, as they were before the disaster
Name and describe two BC-related training providers and their BC-related certifications.
a.The Business Continuity Institute (BCI) offers one certification: i.The BCI Professional Recognition Program - Which includes a professional and a non-professional membership. b.Disaster Recovery Institute International (DRII) offers a number of certification options: i.Associate Business Continuity Professional — For those with less than two years of industry experience in business continuity management. ii.Certified Functional Continuity Professional — For those with a specific skill or focus. iii.Certified Business Continuity Professional — For those with a broader experience base than is covered by the previous certification. iv.Master Business Continuity Professional — For those with extensive experience in BC.
What is emergency response?
actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
What is humanitarian assistance?
actions taken to meet the psychological and emotional needs of various stakeholders
Concurrent recurrence
A second incident occurring while the CSIRT is still responding to the first one.
what is a hybrid incident
An incident that begins as one type, for example an inappropriate use (IU) incident, and then quickly changes into another, such as a malware incident.
What are the primary objectives of the response phase of the DR plan?
The response phase is designed to protect human life and well-being; attempt to limit and contain the damage to the organization's facilities and equipment; and manage communications with employees and other stakeholders.
What are EAPs? How are they used in CM?
employee assistance programs which provide a variety of counseling services to assist employees in coping with the changes in life resulting from surviving a crisis.
What does it mean when operations are in degraded mode? Should organizations prepare to operate in this mode?
employees are operating under adverse conditions. When training, an organization should periodically try this variation, including the loss of power or lighting, the loss of communications,and so on, to see how employees can adapt to these conditions. During a disaster, it is very likely that some utilities will be unavailable.
What is the purpose of sterile media?
Sterile media is storage that has been wiped and verified clean before use as a target for evidence collection, so that residual data from earlier use cannot taint the evidence image.
What is the relationship between forensic and anti-forensics, and why is it important to the forensic investigators?
Anti-forensics is the attempt by those who may become the subject of digital forensic techniques to obfuscate, hide, or destroy items of evidentiary value. Investigators must recognize and counter these techniques, because evidence that has been hidden or tampered with can undermine the investigation if it is not recovered or accounted for.
In forensic analysis, what are the differences between examination and analysis?
Examination involves the use of forensic tools to recover the content of files that were deleted, operating system artifacts (such as event data and logging of user actions), and other relevant facts. Analysis then uses those materials to answer the question(s) that gave rise to the investigation.
what is inappropriate use
is characterized as a violation of policy rather than an effort to abuse existing systems
Why must the alert roster and the notification procedures that use it be tested more frequently than other components of the DR plan?
it is subject to continual change because of employee turnover
What is the chain of command?
list of officials, ranging from an individual's immediate supervisor to the top executive of the organization.
Why is delayed containment not recommended for most CSIRTs?
Because allowing the attack to continue may increase its intensity and the resulting loss; most CSIRTs lack the resources and legal cover to monitor an ongoing attack safely.
DR Addendum
must be updated and revisited annually
What is a sudden crisis? How is it different from a smoldering crisis?
A sudden crisis occurs when an organization's operations are disrupted without warning; it has a high probability of drawing news coverage and could cause problems for stakeholders, including employees, investors, customers, and suppliers. A smoldering crisis is a problem or situation that is not generally known inside or outside the organization; if or when it is revealed, it may generate unfavorable news coverage and cause unanticipated expenses or penalties.
When does an organization implement the BC plan, and what is this referred to as?
The BC plan is implemented when the organization experiences a circumstance in which it cannot reasonably expect to return to normal operations at the primary site. The condition that triggers implementation is referred to as the trigger point or set point.
Major activities planned to occur during the disaster
planning for the triggers, determining what must be done
Major activities planned to occur before the disaster
preparing by practicing proper security
IR Reaction Strategy
procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.
What procedures should occur on a regular basis to maintain the IR plan?
procedures to complete effective after-action review meetings, a process to complete comprehensive periodic plan review and maintenance
Purpose of general contractors
rebuild facilities in the case of disaster
What is BCP
The business continuity plan (BCP) represents the final response of the organization when faced with any interruption of its critical operations. In general, business continuity is the rapid relocation of an organization's critical business functions to an alternate location until the organization is able to return to the primary site or relocate to a new permanent facility.
What is the CM planning committee, and how does it differ from the CM team?
The CM planning committee is responsible for the critical tasks of preparing to plan: gathering information about existing vulnerabilities, analyzing the current state of systems and network vulnerabilities, collecting current plans, and assessing how those plans affect the anticipated crisis plans. It must also lay out the comprehensive future plans intended to supplant what is now in place. The CM team, by contrast, is the group that executes the plan when a crisis actually occurs.
What is an advance party and what does it accomplish?
The advance party is the group sent to the alternate site ahead of the main body of staff to prepare it for occupation; it should include members or representatives of each of the major BC teams.
What is a business crisis
significant business disruption with a direct impact on the lives, health, and welfare of an organization and its employees
what is malware
software designed to damage, destroy, or deny service to target systems
What is crisis communications?
steps taken to communicate what is happening or has happened to internal and external audiences.
What are the advantages of including an AAR process in the BC plan?
The AAR documents what happened and how the teams responded, yields lessons learned that feed back into maintaining and improving the BC plan, and is stored to serve as a training case for future staff.
NIST SP 800-34 perspective
SP 800-34 approaches contingency planning from the information-system perspective: the technology requirements that must be met for the organization's systems to recover.
What is a head count? How and when is it used in crisis management?
The process of accounting for all personnel, that is, determining each individual's whereabouts, during an emergency. It is taken at the assembly area immediately after an evacuation or crisis is declared.
What is succession planning (SP)? Why is it an important part of CM planning?
the process that enables an organization to cope with any loss of personnel with a minimum degree of disruption to the functionality of the organization, by predefining the promotion of internal personnel usually by position. In a CM plan, there is a possibility for personnel loss when a crisis occurs, so it is important to have SP to ensure business continuity following a crisis
What is crisis management
the set of actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life
Digital Forensics
the use of forensic techniques when the source of evidence is a digital electronic device, which includes computer systems, mobile phones, smartphones, tablets, portable music players, and all other electronic devices capable of storing digital information.
what is spam
unwanted e-mail traffic and is a common carrier of malware and a source of phishing attacks.
what is unauthorized access
When an individual, an application, or another program, through access to the operating system's application programming interface (API), attempts to gain and/or gains access to an information asset without explicit permission or authorization to do so.
What are the primary and alternate sites in the context of contingency planning?
The primary site is where the organization is located in normal operation. The alternate site is a site set up so that operations can continue in the case of a disaster in which the primary site can no longer be used.
What are the key features of the DR plan?
● Clear delegation of roles and responsibilities ● Execution of the alert roster and notification of key personnel ● Use of employee check-in systems ● Clear establishment and communication of business resumption priorities ● Complete and timely documentation of the disaster ● Preparations for alternative implementations
What is the primary determinant of which containment and eradication strategies are chosen for a specific incident?
●Type ●Method of incursion ●Current level of success ●Expected or projected level of success ●Current level of loss ●Expected or projected level of loss ●Target ●Target's level of classification and/or sensitivity ●Any legal or regulatory impacts mandating a specific response
What are the critical success factors for CM planning?
"those few things that must go well to ensure success for a manager or an organization, and, therefore, they represent those managerial or enterprise areas that must be given special and continual attention to bring about high performance."
What are the primary goals of business resumption planning
● Initiate implementation of secondary functions. ● Finalize implementation of primary functions. ● Identify additional needed resources. ● Continue planning for restoration.
Steps Followed for DR Development
1. Develop the DR planning policy statement. 2. Review the BIA. 3. Identify preventive controls. 4. Create DR contingency strategies. 5. Develop the DR plan. 6. Ensure DR testing and training. 7. Ensure DR plan maintenance.
Why are the DR activity groups presented out of sequence (during, after, before) instead of in chronological order?
Activities during the disaster are the most urgent, so they are listed first; activities after the disaster come next because they follow directly from the response; activities before the disaster are preparation and are listed last.
Major activities planned to occur after the disaster
After action review, forensic analysis
What is similar about the DR and BC planning processes with respect to special documentation and equipment needs
All members of the BC team should have multiple copies of the BC plan readily available in all locations from which they may be asked to respond in the event of mobilization
What is an assembly area? When and how is it used in CM?
An assembly area is an area where people should gather in the event of a specific type of emergency, to facilitate a quick headcount.
What is the second task the CSIRT leader will undertake?
Analyze precursors and indicators.
when is involvement of law enforcement optional in a forensics investigation? who should make this determination
As long as the incident does not involve a violation of civil or criminal law, involving law enforcement is optional. The CSIRT (with management and legal counsel) should make the ultimate decision.
List the subteams that support the BC team
BC management team; operations team; computer setup (hardware) team; systems recovery (OS) team; network recovery team; application recovery team; data management team; logistics team.
What is the best thing an organization can do to make its CSIRT most effective?
Be prepared by having a risk assessment and good security measures.
What are the advantages of combining the DR and BC plans? Disadvantages
Because the DR plan and the BC plan are closely related, many organizations prepare the two at the same time and may combine them into a single planning document to reduce the effort and cost needed to prepare separate plans. Such a comprehensive plan, often referred to as a business resumption plan (BR plan) or simply a contingency plan, must support the immediate reestablishment of operations at an alternate site and eventual reestablishment of operations back at the primary site. Therefore, although a single planning team can develop the DR/BR plan, execution of the plan requires separate teams.
List the general CM recommended practices.
Build contingency plans, identify teams, train staff, and rehearse scenarios before a crisis occurs. Verify that all staff members throughout the organization know that only designated crisis management team members may represent the company. Plan to react as fast as possible, because the first few hours establish the baseline narrative that the media will use for most ongoing reporting. Make sure the plan processes are of the highest quality by employing expert reviews and professional crisis management consultants. Make it part of the organizational culture to always give the most complete and accurate information possible in a given situation, because manipulating the facts often has negative consequences far worse than the embarrassment or whatever the reason was for a cover-up. As choices are considered, adopt the long view and consider long-term effects as well as the short-term losses that may occur.
What must be done with interrupted services during the recovery process?
Compromised services and processes must be examined, verified, and then restored. If services or processes were interrupted in the course of regaining control of the systems, they need to be brought back online.
Phase after eradication during IR
Recovery: restore affected systems and data to normal operation and mitigate the vulnerabilities that allowed the incident to occur.
What is continuous improvement, and why does it apply to BC processes?
Continuous improvement is the idea that nothing is ever perfect and can always be made better. Even the best of BC planning projects will produce plans that leave room for improvement and need to be maintained.
What is the first and most important step in preparing for DoS and DDoS attack response?
Coordinating with the ISP
What guides an organization in setting up a forensic capability?
Cost, response time, and data sensitivity.
What is the difference between disaster recovery and business continuity
DR focuses on resuming operations at the normal operating facility known as the primary site. BC concentrates on resuming critical functions at another, alternate site
What types of information are missed by a normal copying process but included in a forensic image?
Deleted entries: files whose directory entries have been removed but whose bytes remain on the media, along with the unallocated and slack space that holds them. A normal file copy takes only what the file system says exists; a bit-stream forensic image copies every sector.
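An added example (not part of the original study guide) that ties together the hash-fingerprint question and the forensic-image question above. It builds a constructed toy disk in memory, "deletes" a file by dropping its directory entry, then shows that a logical copy misses the deleted content while a bit-stream image still contains it in unallocated space. It also records SHA-256 and MD5 fingerprints of the image and verifies them, which is the authentication step of evidence collection. The block size, file names and file contents are assumptions for the demonstration; hashlib is the standard library.

```python
"""Toy disk: logical copy vs. bit-stream image, plus hash fingerprints.
Added example; the disk layout and sample files are constructed here."""
import hashlib

BLOCK = 16      # bytes per block in the toy disk (assumption)
N_BLOCKS = 8    # total blocks on the toy disk (assumption)


def make_disk():
    """Return (disk, directory). directory maps name -> (start_block, n_blocks)."""
    disk = bytearray(BLOCK * N_BLOCKS)
    directory = {}

    def write(name, data, start):
        n_blocks = -(-len(data) // BLOCK)          # ceil division
        disk[start * BLOCK:start * BLOCK + len(data)] = data
        directory[name] = (start, n_blocks)

    # Constructed sample files; "secret.txt" is the one we will delete.
    write("notes.txt", b"quarterly report draft", 0)
    write("secret.txt", b"transfer to acct 9911", 2)
    write("readme.txt", b"hello", 4)
    return disk, directory


def delete(directory, name):
    """Deleting only removes the directory entry; the blocks are not wiped."""
    del directory[name]


def logical_copy(disk, directory):
    """What a normal copy (cp, drag-and-drop) captures: allocated files only."""
    return {name: bytes(disk[s * BLOCK:(s + n) * BLOCK]).rstrip(b"\x00")
            for name, (s, n) in directory.items()}


def bitstream_image(disk):
    """A forensic image: every block, allocated or not, bit for bit."""
    return bytes(disk)


def unallocated(disk, directory):
    """Bytes of all blocks not referenced by any directory entry."""
    used = {b for s, n in directory.values() for b in range(s, s + n)}
    return b"".join(bytes(disk[b * BLOCK:(b + 1) * BLOCK])
                    for b in range(N_BLOCKS) if b not in used)


def fingerprint(data, algorithms=("sha256", "md5"), chunk=4096):
    """Hash the image in chunks (real images do not fit in memory).
    SHA-256 is the fingerprint that matters; MD5 is kept only for
    compatibility with older tooling and chain-of-custody forms."""
    hashes = {a: hashlib.new(a) for a in algorithms}
    for i in range(0, len(data), chunk):
        for h in hashes.values():
            h.update(data[i:i + chunk])
    return {a: h.hexdigest() for a, h in hashes.items()}


def verify(data, recorded):
    """Authenticate evidence: recompute every recorded hash and compare."""
    return fingerprint(data, tuple(recorded)) == recorded


def demo():
    disk, directory = make_disk()
    delete(directory, "secret.txt")
    logical = logical_copy(disk, directory)
    image = bitstream_image(disk)
    custody_record = fingerprint(image)          # written to the chain-of-custody form
    tampered = bytearray(image)
    tampered[0] ^= 1                             # a single flipped bit
    return {
        "logical_has_secret": b"acct 9911" in b"".join(logical.values()),
        "image_has_secret": b"acct 9911" in image,
        "secret_in_unallocated": b"acct 9911" in unallocated(disk, directory),
        "image_verifies": verify(image, custody_record),
        "tampered_verifies": verify(bytes(tampered), custody_record),
        "sha256": custody_record["sha256"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Carving the keyword out of unallocated space is the simplest form of what the examination phase does with forensic tools; the verify step is what lets the chain of custody show the image presented in court is the one that was acquired.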