Disaster Recovery
What are the key features of the DR plan?
- Clear delegation of roles and responsibilities - Execution of the alert roster and notification of key personnel - Use of employee check-in systems - Clear establishment and communication of business resumption priorities - Complete and timely documentation of the disaster - Preparations for alternative implementations
What are the primary objectives of the resumption phase of the DR plan?
- Initiate implementation of secondary functions - Finalize implementation of primary functions - Identify additional needed resources - Continue planning for restoration
List and describe the phases of the BC plan
- Preparation for BC actions - Relocation to the alternate site - Return to the primary site
What are the primary objectives of the response phase of the DR plan?
- Protect human life - Limit and contain the damage to the organization's facilities and equipment - Manage communication with employees and other stakeholders
List the subteams that support the BC team
- Management team - Operations - Computer (hardware) setup - Systems recovery (OS) - Network recovery - Application recovery - Data management - Logistics
List and describe the component parts of the BC policy document.
- Purpose - Scope - Resource requirements - Training requirements - Exercise and testing schedules - Plan maintenance schedule - Special considerations
What are the primary objectives of the recovery phase of the DR plan?
- Recover critical business functions - Coordinate recovery efforts - Acquire resources to replace damaged or destroyed materials and equipment - Evaluate the need to implement the BC plan
What are the critical steps in the BC implementation process?
- Relocation to the alternate site - Establishment of operations - Return to the primary site
What are the primary objectives of the restoration phase of the DR plan?
- Repair all damage to the primary location, or select or build a replacement facility - Replace the damaged or destroyed contents - Coordinate the relocation from temporary offices to the primary location or to a suitable new replacement facility - Restore normal operations at the primary location, beginning with critical functions and then secondary ones - Stand down the DR teams and conduct the after-action review
What parts of the organization should the BC team draw on for its members?
- Senior management - Corporate functional units - IT managers - Information security managers
What factors determine which digital evidence should be collected and in what order?
- Value (how much the item matters to the investigation) - Volatility (how stable the information is over time; the most volatile sources are collected first) - Effort required to collect it
What two hash functions are commonly used as digital fingerprints?
MD5 and the SHA family. Neither MD5 nor SHA-1 is collision resistant any longer, so current practice records SHA-256 (or stronger) alongside any legacy MD5 value a tool or report still expects.
What are the major activities planned to occur before the disaster?
Testing, training, and rehearsal exercises of the plan.
What are the primary goals of business resumption planning?
1) eliminate or reduce the potential for injuries or loss of human life, damage to facilities, and loss of assets and records, 2) stabilize the effects of the disaster; and 3) implement the procedures contained in the DR and business resumption plan
List the general CM recommended practices.
1. Build contingency plans, identify teams, train staff, and rehearse scenarios before a crisis occurs 2. Verify that all staff know that only designated crisis management team members may represent the company 3. Plan to react as fast as possible, because the first few hours establish the baseline narrative that the media will use for most ongoing reporting 4. Make sure your plans and processes are of the highest quality by employing expert reviews and professional crisis management consultants 5. Make it part of the culture to always give the most complete and accurate information possible in a given situation 6. Consider long-term effects as well as the short-term losses that may occur
What are the advantages of combining the DR and BC plans? What are the disadvantages?
Advantage: saves effort and cost (one planning process, one document). Disadvantage: DR and BC require different teams with different focuses (DR restores the primary site, BC operates at an alternate site), so a combined plan can blur responsibilities.
Concurrent recurrence
A second attack using the same means as the first occurs while the first attack is still underway.
What is a business crisis?
A significant disruption that stimulates media coverage and has political, legal, financial, or governmental impacts.
What is a worst-case scenario?
A situation that results in service disruptions for weeks or months, requiring a government to declare a state of emergency.
What is watchful waiting and why is it useful?
A tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected.
What are the major activities planned to occur after the disaster?
After-action review (AAR) and forensic analysis.
What is crisis management?
Actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.
What is emergency response?
Actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
What is humanitarian assistance?
Actions taken to meet the psychological and emotional needs of various stakeholders
Why are the DR activity groups presented out of sequence (during, after, before) instead of chronologically?
Activities during a disaster are the most urgently needed when the plan is activated; next most important is determining what to do immediately after the disaster; the planning activities that occur before a disaster are presented last because they are the least time-critical at the moment of activation.
What is an auxiliary phone alert and reporting system, and what functions can it perform for an organization during DR planning?
An information system with a telephony interface that can be used to automate the alert process. It can distribute information about the disaster and collect information about the status of employees, and is faster than a manual alert system.
What is an assembly area? When and how is it used in CM?
An area where people should gather in the event of a specific type of emergency; it is used during the response to account for everyone and to facilitate a head count.
What is anti-forensics?
Attempts made by suspects to hide, alter, or destroy evidence so that it cannot be recovered or relied on by investigators.
Second Task of CSIRT leader
Assert control over situation
What are the common roles and duties of a digital forensic first-response team?
Assessing the scene, identifying the sources of relevant digital information, and preserving it for later analysis. Roles: incident manager, scribe, imager.
First task of CSIRT leader upon arrival?
Assessment of the situation
Why do some organizations abdicate all responsibility for DR planning to the IT department?
Because they are keenly interested in keeping IT available during and after disasters
What is a hybrid incident?
An incident that begins as one type of event and turns into another.
What is the CM planning committee, and how does it differ from the CM team?
CM planning committee: representatives who offer advice and guidance on the plan. CM team: trained individuals responsible for responding to the incident.
Why might an organization forego trying to identify the attacking host during an incident response?
Can take time away from minimizing impact
What are the 3 general sections of planning for DR activities?
Client/server, data communications, mainframe
First imperative of the CSIRT when there is a confirmed incident
Containment
According to NIST SP 800-34, what 2 perspectives should be used to plan a system recovery strategy?
Contingency planning from DR and BC
What is the first and most important step in preparing for DoS and DDoS attack responses?
Coordinating with service provider
What guides an organization in setting up a forensic capability?
Cost, response time, data sensitivity
When dealing with the loss of staff, what strategies can be employed?
Cross-training, job and task rotation, and redundancy
Why is cryptography a good thing for IT workers but a bad thing for forensic investigators?
Cryptography keeps assets and data confidential for IT, but the same protection makes evidence harder (or impossible) for forensic investigators to uncover.
What is the difference between disaster recovery and business continuity?
DR: restoring normal functions at the primary site. BC: establishing critical functions at an alternate site while the primary site is unavailable.
If an organization chooses the protect and forget instead of apprehend and prosecute philosophy, what aspect of IR will be most affected?
Data collection tasks
What are some examples of special documentation or equipment that may be needed for DR team members?
Data recovery software, blueprints, keys, water lines, insurance contacts
What does it mean when operations are in degraded mode? Should organizations prepare to operate in this mode?
Degraded mode is operating under adverse conditions with reduced capacity or capability. Organizations should prepare for it so that staff know how to adapt when full operations are not possible.
What are the ongoing challenges associated with local emergency services, service providers, and community-related issues that organizations face when confronted with a disaster?
Emergency services triage requests so that the most critical needs are answered first, so the organization's requests may be delayed. Public services such as transportation and garbage collection will be delayed, and utilities will be disrupted.
What types of info are missed by a normal copying process but included in a forensic image?
Deleted entries in a directory, remnants of old files, deleted but not yet overwritten files, and free space that might contain other files or fragments.
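The difference is easiest to see on a miniature disk. The following is an added example, not part of the original study set: it constructs a toy filesystem image in memory (block 0 holds a directory of fixed-size entries with a name, an active flag, an offset and a length; blocks 1..7 hold data), then contrasts what a file-level copy returns with what an examination of the whole image yields. The on-disk layout is invented for illustration and matches no real filesystem.

```python
"""Why a bit-for-bit forensic image beats a normal file copy.

Added example; the 'disk' below is a constructed toy filesystem, not a real format.
"""
import re
import struct

BLOCK = 256
NBLOCKS = 8
ENTRY = struct.Struct("<16sBHH")    # name, flags (1 = active, 0 = deleted), offset, length
MAX_ENTRIES = BLOCK // ENTRY.size   # directory lives in block 0
SIGNATURES = re.compile(rb"GIF89a|%PDF-")  # magic bytes a file carver looks for

def _entry(name: str, active: bool, block: int, data: bytes) -> bytes:
    return ENTRY.pack(name.encode().ljust(16, b"\x00"), int(active), block * BLOCK, len(data))

def build_image() -> bytes:
    """Constructed sample image with live, deleted, slack and orphaned data."""
    img = bytearray(BLOCK * NBLOCKS)
    files = [
        ("report.txt", True,  1, b"Quarterly report: revenue up 12%\n"),
        ("photo.gif",  False, 2, b"GIF89a\x10\x00\x10\x00" + b"\xab" * 40),  # deleted, not overwritten
        ("notes.txt",  True,  3, b"Meeting notes: see memo.pdf\n"),
    ]
    directory = b"".join(_entry(*f) for f in files)
    img[0:len(directory)] = directory
    for _, _, block, data in files:
        img[block * BLOCK: block * BLOCK + len(data)] = data
    # Remnant of an older version left in report.txt's slack space (same block, past its length).
    old = b"OLD DRAFT: revenue down 4%"
    img[BLOCK + 128: BLOCK + 128 + len(old)] = old
    # Orphaned fragment in free space: no directory entry (live or deleted) points at block 5.
    frag = b"%PDF-1.4\n% fragment of an unlinked document"
    img[5 * BLOCK: 5 * BLOCK + len(frag)] = frag
    return bytes(img)

def read_directory(img: bytes) -> list[dict]:
    entries = []
    for i in range(MAX_ENTRIES):
        name, flags, offset, length = ENTRY.unpack(img[i * ENTRY.size:(i + 1) * ENTRY.size])
        if length == 0:
            continue  # unused slot
        entries.append({"name": name.rstrip(b"\x00").decode(), "active": bool(flags & 1),
                        "offset": offset, "length": length})
    return entries

def logical_copy(img: bytes) -> dict[str, bytes]:
    """What a normal copy sees: live files only, exactly their recorded length."""
    return {e["name"]: img[e["offset"]:e["offset"] + e["length"]]
            for e in read_directory(img) if e["active"]}

def forensic_findings(img: bytes) -> dict:
    """What examining the full image additionally yields."""
    entries = read_directory(img)
    referenced = {e["offset"] // BLOCK for e in entries}
    # 1. Deleted directory entries whose data blocks have not been reused.
    deleted = {e["name"]: img[e["offset"]:e["offset"] + e["length"]]
               for e in entries if not e["active"]}
    # 2. Slack space: bytes between a live file's end and the end of its block.
    slack = {}
    for e in entries:
        if e["active"]:
            start, end = e["offset"] + e["length"], (e["offset"] // BLOCK + 1) * BLOCK
            leftover = img[start:end].strip(b"\x00")
            if leftover:
                slack[e["name"]] = leftover
    # 3. Free space: blocks no entry references that still hold data.
    free = {b: img[b * BLOCK:(b + 1) * BLOCK].rstrip(b"\x00")
            for b in range(1, NBLOCKS)
            if b not in referenced and img[b * BLOCK:(b + 1) * BLOCK].strip(b"\x00")}
    # 4. Signature carving over the raw bytes, ignoring the directory entirely.
    carved = {m.start(): m.group() for m in SIGNATURES.finditer(img)}
    return {"deleted": deleted, "slack": slack, "free_space": free, "carved": carved}

if __name__ == "__main__":
    image = build_image()
    print("logical copy :", sorted(logical_copy(image)))
    print("forensic view:", forensic_findings(image))
```

The logical copy returns only `report.txt` and `notes.txt`; the forensic pass additionally recovers the deleted GIF, the old draft sitting in slack, the orphaned PDF fragment in an unreferenced block, and the two carved signatures. Real filesystems differ in detail, but the categories of missed data are exactly the ones the answer above lists.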
What federal agencies may be involved during a crisis?
Department of Homeland Security, the Federal Emergency Management Agency, the Secret Service, the Federal Bureau of Investigation, and the federal hazardous material agencies
What is malware?
Software designed to damage, destroy, or deny service to the targeted system.
What are the steps that are generally followed in the DR development process
Develop DR planning policy statement, review BIA, identify preventive controls, create DR contingency strategies, develop the DR plan, ensure DR plan testing, training, and exercises, and ensure DR plan maintenance.
What are EAPs? How are they used in CM?
Employee assistance programs: they provide a variety of counseling services to help employees cope with surviving a crisis, including post-traumatic stress.
Phase after containment during IR
Eradication
How do organizations often divvy up the practice of digital forensics?
First response, analysis and presentation
What are the four steps in collecting digital evidence?
Identify sources of evidentiary material, authenticate the evidentiary material, collect the evidentiary material, and maintain a documented chain of custody.
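Two of those steps, authenticating the evidentiary material and maintaining a documented chain of custody, rest on the digital fingerprints mentioned earlier (MD5 and SHA). The following is an added example and not part of the original study set: it hashes a constructed evidence blob, records each handling event with the hashes observed, and shows how a later verification exposes a working copy that no longer matches the acquisition hash. The JSON-lines log layout and the `EV-001` identifier are invented for illustration.

```python
"""Authenticate digital evidence and keep a chain-of-custody log.

Added example; the evidence bytes and log format are constructed, not a standard.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for an acquired disk image.
EVIDENCE = b"BOOT SECTOR\x00" * 64 + b"secret_memo.txt: merger closes Friday\n" + b"\x00" * 256

def fingerprint(data: bytes) -> dict:
    """Return several digests of the same bytes.

    MD5 and SHA-1 are recorded only because older tools and report templates
    still expect them; SHA-256 is the value to rely on, since MD5 and SHA-1
    collisions are practical today.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

class ChainOfCustody:
    """Append-only record of who handled an item and what its hashes were."""

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries: list[dict] = []

    def record(self, action: str, handler: str, data: bytes, note: str = "") -> dict:
        entry = {
            "item_id": self.item_id,
            "action": action,          # e.g. acquired, transferred, examined
            "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "hashes": fingerprint(data),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, data: bytes) -> bool:
        """True if data still matches the SHA-256 recorded at acquisition."""
        if not self.entries:
            return False
        return hashlib.sha256(data).hexdigest() == self.entries[0]["hashes"]["sha256"]

    def mismatched_handlers(self) -> list[str]:
        """Handlers whose logged hash differs from the acquisition hash."""
        base = self.entries[0]["hashes"]["sha256"]
        return [e["handler"] for e in self.entries[1:] if e["hashes"]["sha256"] != base]

    def to_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

def demo() -> dict:
    coc = ChainOfCustody("EV-001", "constructed sample disk image")
    coc.record("acquired", "first responder", EVIDENCE, "imaged to sterile media")
    coc.record("transferred", "evidence custodian", EVIDENCE)
    tampered = EVIDENCE[:-1] + b"\x01"          # one byte changed on a working copy
    coc.record("examined", "analyst", tampered, "working copy")
    return {
        "original_ok": coc.verify(EVIDENCE),
        "tampered_ok": coc.verify(tampered),
        "mismatched": coc.mismatched_handlers(),
        "entries": len(coc.entries),
        "log": coc.to_jsonl(),
    }

if __name__ == "__main__":
    result = demo()
    print(result["log"])
    print("original verifies:", result["original_ok"], "| tampered verifies:", result["tampered_ok"])
```

Hashing is what makes the chain of custody checkable rather than merely asserted: any handler whose logged digest differs from the acquisition digest marks the point at which the item stopped being the thing that was seized. In practice the analyst works on a verified copy and the original stays sealed, which is also why the acquisition note records the use of sterile media.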
What are the major activities planned to occur during the disaster?
Identify the trigger and escalate; identify what must be done to react immediately.
What are the advantages of including an AAR process in the BC plan?
It identifies what worked and what did not, so the plan and the teams' performance can be improved before the next event.
In what main way does search and seizure differ in the public and private sectors?
In the private sector it is more common to authorize the collection of images of the digital information; in the public sector, a search authorizes the collection of the relevant items containing the information.
Phase after eradication in IR
Incident Recovery
What is an advance party?
A group that includes members or representatives of each major BC team.
Why must the alert roster and the notification procedures that use it be tested more frequently than other components of the DR plan?
It is subject to continual change because of employee turnover.
What are the critical success factors for CM planning?
Leadership, speed of response, a robust plan, adequate resources, funding, caring and compassionate response, and excellent communications.
Why is delayed containment not recommended for most CSIRTs?
Liability: allowing an attack to continue risks further damage to the organization and to other organizations' systems.
What should be the first step in the business continuity planning process? Which NIST document is used to inform this process?
Develop the BC policy. NIST SP 800-34 informs the process.
What is the purpose of sterile media?
Making sure that the media contains no residue from previous use in order to prevent claims of tainting the evidence
What are some reasons a safeguard or control may not have been successful in stopping or limiting an incident?
A malfunctioning security device.
How can you classify disasters based on the way they emerge and become an issue for an organization?
Natural disasters, man-made, rapid-onset, slow-onset
Is it practical to prepare for all possible contingencies? How can this best be handled?
No. Use general training programs supplemented by specific training programs and off-site exercises.
What procedures should occur on a regular basis to maintain the IR plan?
Plan review and maintenance
Best thing to make CSIRT most effective
Preparation
Describe the phases in a DR plan
Preparation: planning and rehearsal. Response: identification of the disaster, notifications, and immediate response. Recovery: recovery of necessary business information and systems. Resumption: restoration of critical business functions. Restoration: re-establishment of operations at the primary site as it was before the disaster.
What is job rotation? Why is it a useful practice from a DR plan perspective?
Job rotation moves staff among positions so that more than one person knows each job. It prepares staff for personnel shortages or outages.
What is a DoS attack and how does it differ from a DDoS attack?
A DoS attack prevents legitimate users from accessing a network or service by consuming its resources; a DDoS attack does the same from multiple coordinated sources.
What key elements should be included in the DR policy?
Purpose, scope, roles and responsibilities, resource requirements, training requirements, exercise and testing schedules, plan maintenance schedule, special considerations.
What are RTO and RPO?
RTO: the amount of time the business can tolerate until alternate capabilities are available. RPO: the point in the past to which the recovered application and data at the alternate infrastructure will be restored.
What should be the primary focus of the training that is provided to the network recovery team?
Reestablishing ad hoc networks quickly but securely.
Primary determinant of which containment and eradication strategies are chosen
Risk assessment
What steps should be followed in a return to the primary site?
Scheduling move, clearing BC site, and conducting an AAR
How should the business interface team be trained?
Training should combine technical and non-technical functions to ensure that the technology needs of the business groups are met. It involves interfacing with the various business groups to determine their routine needs.
Why may all needed equipment not be pre-positioned at the alternate site?
Some equipment is too expensive or unique for pre-purchasing
What entity is responsible for creating the DR team? What roles should the DR team perform?
The CPMT (contingency planning management team). The DR team develops the DR plans, maintains and updates them, tests them, and trains staff.
What is a BCP?
The final response of the organization when faced with any interruption of its critical operations.
What is an incident damage assessment?
The initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets.
What is succession planning (SP)?
The process used to enable an organization to cope with the loss of key personnel with a minimum of disruption.
What is digital forensics?
The use of forensic techniques when the source evidence is digital
What must be done with interrupted services during the recovery process?
They need to be brought back online
Describe the use of an "I'm okay" line. When and how might an organization make use of this technology?
This service allows employees when notified of a disaster either by alert system or through public media to call a predetermined number. Employees report status by entering employee number.
What are the primary duties of the business interface team?
This team is responsible for working with the remainder of the organization to assist in the recovery of non-technology functions.
What is crisis communications?
Those steps taken to communicate what is happening or has happened to internal and external audiences.
What is spam? Can it cause an incident?
Unwanted email traffic, can carry malware.
What is inappropriate use?
Use of company system for prohibited actions
IR reaction strategy
What to do once an incident has been detected.
What is a DR after-action review (AAR), and what are the primary outcomes from it?
A structured review held after the disaster to determine what worked and what did not; its primary outcomes are lessons learned and improvements to the plan.
What is unauthorized access?
When an actor gains logical or physical access to a system, application, or data without permission.
What type of document is usually required when an organization other than a law enforcement agency obtains authorization for a search?
affidavit
Describe the various rehearsal and testing strategies that an organization can employ.
Desk check: provide copies of the DR plan for review. Simulation: walk through the plan but stop short of actual physical activity. Parallel testing. Full-interruption testing. War gaming. For alert rosters, a sequential roster suits small organizations and a hierarchical structure suits large ones.
In forensic analysis, what are the differences between examination and analysis?
Examination: extracting and identifying data without drawing conclusions. Analysis: interpreting the examined data and drawing conclusions.
What are the commonly used subteams of the DR team? What role does each play?
hardware team, software team, and a network team
What is a sudden crisis? How is it different from a smoldering crisis?
Sudden crisis: a disruption that occurs without warning. Smoldering crisis: a business problem that is not generally known inside or outside the company.