MIS 4600 Chapter 10 Incident and Disaster Response
What three things should a firm do about disaster recovery planning from office PCs?
Data backup: have data backed up or easy to transfer if needed. New computers: have prior arrangements with suppliers in case a disaster hits. Work environment: secure rooms in a hotel or another location where work can continue if a disaster hits.
Distinguish between detection and analysis?
Detection: the first step is to learn quickly that an incident has occurred. Analysis: understand the incident to be sure that it is a real event, to determine its damage potential, and to gather the information needed to begin planning for containment and recovery.
Is an IDS a preventative, detective, or restorative control?
Detective control
Why are business continuity plans more difficult to test than incident response plans?
Disasters have a much broader impact and involve so many people.
What type of witness is allowed to interpret facts for juries?
Expert witness
What are false positives?
False alarms
What are false positives, and why are they bad?
False alarms: things that were flagged but aren't bad.
What are the four severity levels of incidents?
False alarms, minor incidents, major incidents, and disasters
Distinguish between stand-alone NIDSs and switch-based or router-based NIDSs:
Stand-alone: boxes located at various points in the network. Switch-based or router-based: switches and routers that have IDS software; these capture data on all ports.
Who is likely to investigate a cybercrime that takes place within a city?
State
What is escalation?
Deciding whether to handle the incident with the on-duty staff or to escalate handling to the CSIRT or business continuity team.
True or false?
Incident response is reacting to incidents according to plan. TRUE
What is cyber law?
Any law dealing with information technology.
What is the purpose of a CSIRT? From what parts of the firm do its members come?
(Computer security incident response team) To handle major security issues; it calls in IT and IT security professionals along with legal, public relations, and senior management.
Name three terms that successful attacks are commonly called?
1. False alarms 2. False positives 3. Minor incidents
List the 4 steps in business process analysis: Explain the importance of each one.
1. Identification of business processes and their interrelationships: identify the processes and rank them; have a firm understanding of the processes. 2. Prioritization of business processes: prioritize the processes; a key factor is how sensitive a function is to downtime. Lower processes must go first because higher processes require them. 3. Specify resource needs: determine which process needs which resources; resources may need to shift to other processes during a disaster. 4. Specify actions and sequences: the plan specifies some very precise actions, like getting cleanup or security personnel.
What 4 protections can firms provide for people during an emergency?
1. People first 2. Reduced capacity in decision making 3. Avoiding rigidity 4. Communication, communication, communication
What are three rules for apologies?
1. Acknowledge responsibility 2. Explain what happened 3. Compensate that person
For what two reasons is reacting during continuing operation good? Why may it not work?
1. keep services available to users. 2. No backup is needed which means no loss of data.
What section of which title of the U.S. code prohibits hacking?
18 U.S.C. § 1030
Who brings lawsuits in civil and criminal cases?
Criminal cases: prosecutors. Civil cases: the plaintiff, who is one of the two parties.
Name the elements in a distributed IDS:
Agent and Manager
Distinguish between aggregation and event correlation:
Aggregation: the process of creating integrated log files. Event correlation: examines multi-event patterns rather than individual events.
How does having a disk image reduce the problems of total software installation?
Allows for all programs and settings to be restored and only need to be reconfigured.
What are the two types of analysis that IDSs usually do?
Attack signatures and Anomaly Detection
How does this change if a firm uses continuous data protection?
Backup isn't necessary.
Distinguish between batch and real-time transfers for event data:
Batch: the agent waits until it has several minutes or hours of data and then sends a block of log file data to the manager. Real-time: data goes to the manager immediately.
What is the advantage of each type?
Batch: more efficient and takes less of the manager's time. Real-time: allows tracking to see if hackers have disabled logging.
Why is accounting for all personnel important?
Because it allows the company to know where people are, and for the sake of loved ones.
Why is it a business concern?
Because it must be handled as a business decision, implemented early on in the plan.
Why is analyzing log file data difficult?
Because it requires a high level of experience and analytical ability.
How can a honeypot help companies detect attackers?
Because legitimate users should never try to reach resources on the honeypot. This makes it easier to find the attackers.
Why should a senior manager head the CSIRT?
Because only senior management can decide to take down an e-commerce server.
Why does human cognition in a crisis call for extensive pre-planning and rehearsal?
Because people don't make good decisions when they are in a crisis.
For what two reasons is a business continuity staff necessary?
Because it requires a small permanent staff for business continuity, and that staff will act as operational managers during a disaster.
Why do communications tend to break down during crisis?
Because technology cannot survive a fallen building or a long period of time without electricity.
Why may it only be a temporary containment solution?
Because the attacker can change their IP address and attack again.
Why should you hire a forensic expert rather than doing your own investigation?
Because the evidence probably will not be admissible in court.
Why is good analysis important for the later stages of handling an attack?
Because the right information is gathered to further understand the issue and to be able to fix it.
Why should companies that do business only within a country be concerned about international cyber law?
Because their suppliers could be located outside the U.S. and that can affect business.
Why must companies update contact information even more frequently?
Because they change even more frequently.
Why will courts not admit unreliable evidence?
Because they don't want the jury to hear it.
Why was Walmart able to respond quickly?
Because they were prepared, with trucks ready before the hurricane hit.
What is black holing?
Black holing is when a firm drops all IP packets from an attacker.
Why is frequent plan updating important?
Business conditions change constantly and businesses reorganize constantly.
Distinguish between business continuity plans and IT disaster recovery plans
Business continuity plans: restore core operations, NOT just IT. IT disaster recovery plans: restore IT functions after a disaster.
What are the strengths and weaknesses of NIDSs?
Strengths: can see all packets passing through some locations in the network; these packets are highly diagnostic of attacks. Weaknesses: a firm cannot afford to have them at all switches, which causes blind spots. Cannot scan encrypted data.
What are the potential problems with total software reinstallation?
Configuration must be documented and firm must take periodic images of the entire disk to restore where and when needed.
Why is CDP necessary?
Continuous Data Protection: the company needs a way to update systems and data at other sites if necessary.
Which levels can create precedents?
Courts of appeal
How do punishments differ in civil and criminal law?
Criminal law: jail time and fines. Civil law: monetary penalties and orders to parties to take or not take certain actions.
What different actions do criminal and civil law deal with?
Criminal law: Violations of criminal statutes Civil law: Interpretations of rights and duties that companies or individuals have relative to each other.
What is the major attraction of a HIDS?
Host IDS: Provide highly specific information about what happened on a particular host.
What are the main alternatives for backup sites? What are the strengths of each one? What problem or problems does each raise?
Hot sites: a full building with HVAC and systems updated and ready to go on demand. Operations can begin early, but it is expensive. Cold sites: they have HVAC but are empty buildings that require computers and systems to be set up. They aren't as expensive as hot sites but require a lot of time before basic operations can begin.
What do business continuity plans specify?
How a company plans to maintain or restore core business operations when disasters occur.
What is the advantage of a distributed IDS?
IDS that can collect data from many devices at a central manager console.
Why are false positives problems for IDSs?
IDSs tend to be ignored if they generate many false positives.
What does an IDS do if it cannot process all the packets it receives?
It will skip some packets
What is an IDS?
Intrusion Detection System: software and hardware that captures suspicious network and host activity data in event logs.
What is a honeypot?
A fake server or entire network segment with multiple clients and servers.
What are the two weaknesses of host IDSs?
Limited viewpoint, and host IDSs can be compromised.
Why is a live test better?
Live tests are better than walkthroughs because live tests reveal subtleties that walkthroughs may miss or may not be able to address
What information should alarms contain?
Log summary reports
What are four functions of IDSs?
Logging, automated analysis by the IDS, admin actions, and management.
What is IT disaster recovery?
Looks specifically at the technical aspects of how a company can get IT back into operations using backup facilities.
What is IT disaster recovery? Why is it a business concern?
Looks specifically at the technical aspects of how a company can get IT back into operations using backup facilities.
Distinguish between the manager and agents:
The manager is responsible for integrating the information from multiple agents that run on multiple monitoring devices. The agent collects the information.
What two types of communication must be secure?
Manager-agent and Vendor to manager.
Why are they difficult to create?
Many vendors use different logging formats, and a firm could use host logging, stand-alone network logging, and switch logging.
What is a false positive?
Marking legitimate activities as suspicious.
What are damage thresholds?
Minimum amounts of damage.
List some things at which host operating system monitors look:
Multiple failed logins, creating new accounts, adding new executable programs, users accessing unusual files.
What must be done to restore data at a backup site via tapes?
Must have the proper equipment to do the restoration and have the tapes transported to the new location.
At what information do NIDSs look?
Network IDS: capture packets as they travel through a network.
Are international laws regarding cybercrime uniform?
No
Does it protect all computers?
No
What is a computer forensics expert?
Professional who is trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.
What other attacks does it prohibit?
Prohibits access to protected computers without authorization or exceeding authorization: government computers, financial institutions, and any others used in interstate or foreign commerce or communications. Also prohibits the transmission of a program, information, code, or command that intentionally causes damage without authorization.
What type of acts does 18 U.S.C. § 2511 prohibit?
Prohibits the interception of electronic messages, both en route and after the message is received and stored.
Why do companies often not prosecute attackers?
Prosecuting an attacker is much more complex.
Why are integrated log files good?
Provides more information and contains data from many places around the network for any given moment.
Why are rehearsals important?
Rehearsals allow responses to be fast and well practiced for minimal impact on the company.
What is precision in an IDS?
That the IDS should report all attack events and as few false alarms as possible.
What is event correlation?
The analysis of multi-event patterns.
Under what conditions will you need to hire a forensics expert?
The company must use a certified forensic expert to collect data and interpret it in court.
Why might a company allow an attacker to continue working on the system for a brief period of time? Why is this dangerous?
The company can observe what the attacker does. The info can be used to collect evidence to prosecute.
What may happen if a system runs out of storage space?
It transfers the log file to backup and starts a new log file.
Why is limiting the size of log files necessary but unfortunate?
They will span out the time and make it difficult to analyze.
Explain the time synchronization issue for integrated log files:
They must be perfectly in line or it is impossible to see what is going on in real time.
How do companies achieve time synchronization?
They use NTP (Network Time Protocol); all devices must be synchronized to a single internal NTP server.
Why should members of affected line departments be on CSIRT?
To anticipate changes and to be able to prepare for them. Ex: when closing an e-commerce site, the e-commerce team needs to be aware.
Why should companies work with forensic professionals before they have a need for them?
To anticipate what will be needed. Also to contact a forensic expert for advice.
Why is it necessary not to make the processes for crisis recovery too rigid?
To not lose flexibility during a crisis.
What is the purpose of log summary reports?
To see various types of suspicious activity and indicate threat priority.
Why should companies undertake a postmortem evaluation after an attack?
To see what went right and wrong after an attack and to implement any improvements needed in the response process.
Describe interactive log file analysis?
Tools that look through the log files to better understand the attacks.
How can tuning reduce the number of false positives?
Turning off unnecessary rules and reducing the severity level in the alarms generated by other rules.
What are the three levels of U.S. federal courts?
U.S. District, U.S. Circuit courts of appeal, and U.S. Supreme Court
Do federal jurisdictions typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?
Yes
Would a honeypot attract unwanted attention from attackers?
Yes
What is a minor incident?
Breaches that the on-duty staff can handle and that do not have broader implications for the firm.
What are jurisdictions?
Areas of responsibility within which they can make and enforce laws, but beyond which they cannot.
In what type of trial is mens rea important?
criminal cases
What is the normal standard for deciding a case in civil and criminal trials?
Criminal: prove guilt beyond a reasonable doubt. Civil: the plaintiff must prove by a preponderance of the evidence (50%) that the defendant is responsible for damages.
Why is the restoration of data files from backup tapes undesirable?
Data after the last backup will be lost. If the attacker began the attack earlier than believed, the trusted backup will restore the attacker.
What is forensic evidence? Contrast the cybercrimes the FBI and local police investigate. Why should both be called?
Evidence that is acceptable for court proceedings. The FBI will look for interstate commerce issues and the police will look for state or local issues.
What is the chain of evidence, and why is documenting it important?
The history of the evidence between people and of all actions taken to protect the evidence while in each person's possession.
What is business continuity? Who should head the business continuity team?
The maintenance of the day-to-day revenue-generating operations of the firm.
What is case law?
Judicial decisions in individual cases set precedents for how laws will be interpreted in subsequent trials.
What is the problem with live tests?
Live tests are expensive.
Why should a firm's Human Resources department be on the CSIRT?
To offer guidance on labor issues.
Why should the firm's legal counsel be on the CSIRT?
To place everything in the proper legal framework.
Why is disconnection undesirable?
It prevents the server from serving its legitimate users and helps the attacker achieve their goal.
Who is the only person who should speak on behalf of the firm?
The public relations director.
Why is speed and accuracy of response important?
Rapid recovery is critical for reducing damage.
What are the three major recovery options?
Repair during continuing server operation, restoration from backup tape, and total software reinstallation.
Who should make decisions about letting an attack continue or disconnecting an important system?
Senior business executive.
What is a false alarm?
Situations that seem to be incidents, or at least potential incidents, but turn out to be innocent activities.
What is containment?
Stopping the damage.
What is mens rea?
The defendant was in a certain mental state, such as having the intention to commit the act.
What is a walkthrough or table-top exercise?
The simplest type of rehearsal, in which managers and other key personnel get together and discuss, step by step, what each will do during an incident.
Is it easier to punish employees or to prosecute outside attackers?
To prosecute an employee.
Can good planning and protection eliminate security incidents?
Yes.
Can a person be tried separately in a criminal trial and later in a civil trial?
Yes, they can.