CH12 Disaster and Incidents 1.4 1.5 5.4-5.6

incident response plan (5 items) IRP

1 Guidelines for documenting incident type and category 2 resources to deal 3 defined roles 4. reporting requirements and escalation procedures Was the evidence gathered and the chain of custody maintained? Did the escalation procedures follow the correct path? Given the results of the investigation, would you be able to find and prosecute the culprit? What was done that should not have been done? What could have been done better?

incident response process (6 steps)

1 Preparation 2 Identification 3 Containment 4 Eradication 5 Recovery 6 Lessons learned

full backup

A backup that copies all data to the archive medium. complete, comprehensive backup of all files on a disk or server. current only at the time it's performed system should not be in use time consuming

hot site

A location that can provide operations WITHIN HOURS of a failure. recovery site :FAST, BEST active backup model

cold site

A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately. recovery site : slow access

warm site

A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site. recovery site : in between hot and cold. mediuum pace more planning and testing LIMITED CAPABILITIES active/active model reciprocal site

capture system image

A snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. SAMPLE

incremental backup

A type of backup that includes only new files or files that have changed since the last full/increm backup and then CLEARS the archive bit upon completion. ONLY CHANGED INFO usually small tapes. FASTEST BACKUP archive BIT ON during back up then turned off

tabletop exercise

An exercise that involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them. DISCUSS

Grandfather, Father, Son method

BACKUP method assumes that the most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father, in turn, becomes the grandfather

3 types of Testing

Black box - in the dark white box - see clear gray box - fuzzy

BIA

Business Impact Analysis valuating the processes, impact on busniess

BCP

Busniess Continuity Planning planning for processes, policies, and methods that an organization follows to minimize the impact of a system failure, network failure, or the failure of any key component needed for operation ensure that the business continues and that the show does indeed go on. *exercises/tabletop after action reports failover alternate processing sites alt business practies ***BIA and Risk assessment

CSIRT

Computer Security Incident Response Team ormalized or an ad hoc team. You can toss a team together to respond to an incident after it arises, but investing time in the development process can make an incident more manageable. considers incidents in advance to deal with later high stress situtions gather evidence

After-actioin reports

DEBRIEF disaster sharing by team members of the steps taken, along with an open discussion of what worked and what should be changed in future crises

archive bit

During a full backup, every single file on the system is copied over,____________________ on each file is turned off. essentially a flag associated with every file that is turned on when the file is created or accessed

HSM

Hierarchical storage management newer backup type continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup REALTIME/CONTINUOUS .. in crypto it imeans hw security module

vulnerability scanning

Identifying specific vulnerabilities in your network. part of penetrative test or done alongside start here *identify likely targets of an attack * identifying common misconfigurations (Nessus) ********identifying a lack of security controls. - passively tests these. WOST VULNERABILITYBCP credentialed vs non credentialed attempt to exploit vuln

capture snapshot/screenshot

Image of a virtual machine at a moment in time. capture all relevant screenshots for later analysis . One image can often parlay the same information that it would take hundreds of log entries to equal.

Full Archival method

In short, all full backups, all incremental backups, and any other backups are permanently kept somewhere. effectively eliminates the potential for loss of data. forevr stored

forensics

In terms of security, the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.

IPS

Intrusion prevention system Any set of tools that identify and then actively respond to attacks based on defined rules RESPONDS . Like an IDS (which is the passive counterpart), can be network-based or host-based.

record time offset

It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. 10:04 vs actual 9:04 daylight savings

OOV

Order of volatility use when dealing with multiple issues always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before a window of opportunity is gone(POOF-ABLE) ex RAM, hard drive data, CDs/DVDs, and printouts.

intrusive tests

Penetration-type testing that involves trying to break into the network. ACTIVE

nonintrusive tests

Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network. PASSIVE

onsite storage

Storing backup data at the same site as the servers on which the original data resides.

offsite storage

Storing data off the premises, usually in a secure location. storage facility should be bonded, insured, and inspected on a regular basis to ensure that all storage procedures are being followed.

disaster recovery

The act of recovering data following a disaster in which it has been destroyed. Disasters may include system failure, network failure, infrastructure failure, and natural disaster.

working copy backup

The copy of the data CURRENTLY IN USE on a network. shadow copies

failover

The process of reconstructing a system or switching over to other systems when a failure is detected.

legal hold

The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated preserve info when expecting legal action

white box

The tester has significant knowledge of the system. The tester has significant knowledge of the system.

gray box

This is a middle ground between the first two types of testing. , the tester has some limited knowledge of the target system.

pivot

When it is possible to attack a system using another, compromised system (trusted but infected) island hopping a compromised system is used to attack another system on the same network following the initial exploitation.

escalation of privelege

a hole created when code is executed with higher privileges than those of the user running it . By breaking out of the executing code, users are left with higher privileges than they should have.

reciprocal agreement

agreement between two companies to provide services in the event of an emergency

general purpose storage safes

aren't usually suitable for storing electronic media. The fire ratings are inadequate. use onsite storage containers. notfireproof but fire rated

Backout vs backup

backout is a reversion from a change that had negative consequences istead of backing up changes revert the system to the state it was in before the service pack was applied.

data acquisition

collecting data for legal basis.. legal hold.. chain of custody

take hashes

collection of data for forensices collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS).

chain of custody

covers how evidence is secured, where it is stored, and who has access to it. When you begin to collect evidence, you must keep track of that evidence at all times and show who has it, who has seen it, and where it has been.

CBF's

critical business functions processes or systems that must be made operational immediately when an outage occurs. The business can't function without them, information-intensive and require access to both technology and data.

active reconnissance

directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.

DRP

disaster recovery plan A plan outlining the procedure by which data is recovered after a disaster. ********reestablishing services and minimizing losses. **CONTINGENCY PLAN major component involves the access and storage of information. Your backup plan for data is an integral part of this process. **follow an ORDER OF RESTORATION

Tabletop exercises

doc review walkthrough parallel test cutover test - shuts down main systems and has all failover to backup

noncredentialed vuln scanning

doesnt use actual network credentials to connect to systems and scan prpepare for false posiitives

restore/recover from a backup

due to : Accidental deletion Application errors Natural disasters Physical attacks Server failure Virus infection Workstation failure - restore from: working copies, onsite storage, offiste storage *Security+ exams till considers TAPE the ideal medium for data.. wipeable

bakcup server method

establishes a server with large amounts of disk space whose sole purpose is to back up data. a dedicated server can examine and copy all the files that have been altered every day.

exercise

fire drill for incident response plans Include the members of the team, and walk through mock incidences on a regular basis to identify weaknesses in your response and solutions for them.

Foresnics (8)

for incident response 1 act in OOV 2 Capture System Image 3 Document Network Traffic and Logs 4 Capture Video 5 Capture Video 6 capture screenshots 7 tlk to witnesses 8 track man hours/ expneses 9 after-action reports

intrusion

he act of entering a system without authorization to do so.

black box

he tester has absolutely no knowledge of the system is functioning in the same manner as an outside attacker.

incident response policy

incident response procedures define how an organization should respond to an incident. These policies may involve third parties, and they need to be comprehensive. **outside agencies or response teams **procedure plan **evidence gathering procedures NO CONTINGENCY PLAN incident is ANY ATTEMPT to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. **who needs to be informed in the company, what they need to be told, and how to respond to the situation.

IDS

intrusion detection system Any set of tools that can identify an attack using defined rules or logic. An IDS can be network-based or host-based.

Recovery

know the order in which to proceed. If a server is completely destroyed and must be re-created, ascertain which applications are the most important and should be restored before the others. disaster planning

data sovereignty

laws of country in which data is STORED are the ones that APPLY

passive reconnissance

means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering.

alternate business practices

minimum one per critical business tasks planned out should be documented in such a way that someone unfamiliar with them could perform them with minimal training.

NSRL

nat software ref lib

alternative sites

recovery sites,=or backup sites. alternate site lease or purchase a facility that is available on short notice for the purpose of restoring network or systems operations. cold hot warm most important aspects of using___________ ________________ is documentation.

credentialed vuln scanning

scan uses actual network credentials to connect to systems and scan for vulnerabilities Not Disrupting Operations or Consuming Too Many Resources Definitive List of Missing Patches Client-Side Software Vulnerabilities Are Uncovered Several Other "Vulnerabilities" Nessus can read password policies, obtain a list of USB devices, check antivirus software configurations, and even enumerate Bluetooth devices attached to scanned hosts. prpepare for false posiitives

order of restoration

should always be followed after a disaster to ensure that dependent services are not restored before the ones they are dependent on. It is highly recommended that network maps or diagrams be used to illustrate dependencies. DEPENDENCIES, DONT OVERWRITE

differential backup

type of backup that includes **only new files or files that have changed since the last FULL backup. it makes duplicate copies of files that haven't changed since the last differential backup. _____________ backups differ from incremental backups in that they DONT CLEAR the archive bit upon their completion. becomes almost as large as full backup first fast and becomes slow

penetration testing

use the same techniques that a hacker would use to find any flaws in a system's security active/passive recon need: scope and permission for testing

RIsk assessmenet

valuating the risk or likelihood of a loss. risk calculations

peristsence

when the compromise is introduced at a different time than the attack ex an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network.

shadow copies

working copies