5 CompTIA Security+ (SY0-501) Objective 5


Availability

__________ = MTBF / (MTBF + MTTR). Example: an MTBF of 6 months and an MTTR of 30 minutes gives 6 months / (6 months + 30 min) = 259,200 min / 259,230 min = 99.9884% (using 30-day months). This is the availability of a single component; a system whose components must all be up is only as available as the product of their individual availabilities, which is why a single point of failure matters so much.

Memorandum of Understanding - MOU / Memorandum of Agreement - MOA (agreement types)

A __________ & ___________ are legal documents used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.

Business Partnership Agreement - BPA (agreement types)

A __________ is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between partners.

Risk register (risk assessment)

A __________ is a list of the risks associated with the system. It can also contain additional information associated with each risk element, such as categories to group like risks, probability of occurrence, impact on the organization, mitigating factors, and other data. There is no standardized form.

Service Level Agreement - SLA (agreement types)

A __________ is a negotiated agreement between parties detailing the expectations between a customer and a service provider. These essentially set the requisite level of performance of a given contractual service. They are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with each service, issue management and resolution, and so on.

Privacy impact assessment

A __________ is a structured approach to determining the gap between desired privacy performance and actual privacy performance. This is an analysis of how personally identifiable information (PII) is handled through business processes and an assessment of risks to the PII during storage, use, and communication. This provides a means to assess the effectiveness of a process relative to compliance requirements and identify issues that need to be addressed.

Privacy threshold assessment

A __________ is an analysis of whether PII is collected and maintained by a system. If PII is stored, then the next step in determining privacy risk is a privacy impact assessment (PIA).

Single point of failure

A __________ is any system component whose failure or malfunction could result in the failure of the entire system. An example would be a single connection to the Internet: fine for a small business, but not for a large enterprise with servers serving content to customers. Redundancy has costs, but if the alternative is the cost of failure, then implementing levels of redundancy is acceptable.
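As an added worked example (not part of the original study set), the availability formula from the Availability card above, extended to components in series and in parallel so that the effect of a single point of failure and of redundancy can be compared directly. The 99.9% link and 99.99% server figures are constructed for illustration.

```python
"""Availability arithmetic: a single component, components in series (a
single point of failure drags everything down) and redundant components in
parallel. Added example; not code from the study set."""

MINUTES_PER_YEAR = 365 * 24 * 60


def availability(mtbf_minutes: float, mttr_minutes: float) -> float:
    """A = MTBF / (MTBF + MTTR), both in the same time unit."""
    if mtbf_minutes <= 0 or mttr_minutes < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_minutes / (mtbf_minutes + mttr_minutes)


def series_availability(components) -> float:
    """Every component must be up: A = A1 * A2 * ... The weakest link
    dominates, which is what makes a single point of failure so expensive."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel_availability(components) -> float:
    """Only one of the redundant components must be up:
    A = 1 - (1 - A1) * (1 - A2) * ..."""
    all_down = 1.0
    for a in components:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def annual_downtime_minutes(avail: float) -> float:
    """Expected minutes of downtime per year at a given availability."""
    return (1.0 - avail) * MINUTES_PER_YEAR


if __name__ == "__main__":
    # The card's example: MTBF of 6 months (30-day months), MTTR of 30 minutes.
    link = availability(6 * 30 * 24 * 60, 30)
    print(f"single component: {link:.4%}")
    # Constructed scenario: one Internet link (99.9%) feeding a web server
    # (99.99%) versus two independent links in front of the same server.
    single_link = series_availability([0.999, 0.9999])
    dual_link = series_availability([parallel_availability([0.999, 0.999]), 0.9999])
    print(f"single link: {single_link:.6%}, "
          f"{annual_downtime_minutes(single_link):.0f} min/yr down")
    print(f"dual link:   {dual_link:.6%}, "
          f"{annual_downtime_minutes(dual_link):.0f} min/yr down")
```

The dual-link case shows why redundancy is bought for the weakest component first: the second link removes almost all of the link's downtime, after which the server's 99.99% becomes the limiting factor.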

Privileged user (Role-based awareness training)

A ___________ has more authority than a standard user. Short of full administrative or root access, this user has permission to do a wider range of tasks, as their job role may require greater responsibilities. For example, a database administrator would need the equivalent of root access to database functions, but not to all servers or other operating system options. Aligning privileges to user responsibilities is good standard policy.

Risk response techniques, transfer (risk assessment)

A common method of __________ risk is to purchase insurance. Insurance allows risk to be ___________ to a third-party that manages specific types of risk for multiple parties, thus reducing the individual cost.

Capture video (Data acquisition)

A convenient method of capturing significant information at the time of collection is to __________. Video allows high-bandwidth data collection that can show what was connected to what, how things were laid out, desktops, and so forth. A picture can be worth a thousand words, so take the time to document everything with pictures. Pictures of serial numbers and of network and USB connections can prove invaluable later in the forensics process. Another source of this data is the CCTV systems used for security, both in industry and, in growing numbers, in homes.

Snapshots (backup concepts)

A key element in business continuity/disaster recovery plans is the availability of backups. Data backup is a critical element in the planning, as well as in normal operation. Keep in mind that the purpose of the backup is to provide valid, uncorrupted data in the event of corruption or loss of the original file or of the media where the data was stored. Depending on the type of organization, legal requirements for maintaining backups can also affect how it is accomplished. A __________ is a copy of a virtual machine at a specific point in time. It is created by preserving the files that store the virtual machine's disk and state at that moment (hypervisors typically freeze the base disk and write later changes to a separate delta file). One of the advantages of a virtual machine over a physical machine is the ease with which it can be backed up and restored: reverting to an earlier __________ is as easy as clicking a button and waiting for the machine to be restored by switching back to the preserved files. Note that a __________ usually lives on the same storage as the running VM, so it protects against bad changes but not against loss of that storage; it complements, rather than replaces, a backup kept elsewhere.

Differential (backup concepts)

In a __________ backup, only the files that have changed since the last full backup was completed are backed up; the archive bit is not cleared, so each successive __________ backup grows until the next full backup. This also implies that periodically a full backup needs to be accomplished. The frequency of the full backup versus the interim differential backups depends on your organization and needs to be part of your defined strategy. Restoration from this backup requires two steps: the last full backup is loaded first, and then the last __________ backup performed is applied to update the files that have changed since the full backup was conducted. Again, this is not a difficult process, but it does take some time.

Incremental (backup concepts)

The __________ backup is a variation on a differential backup, with the difference being that instead of copying all files that have changed since the last full backup, this backup copies only the files that have changed since the last full OR _________ backup occurred, thus requiring fewer files to be backed up. With these backups, even less information is stored in each backup, at the price of a longer restore: the last full backup must be loaded, and then every __________ backup taken since it must be applied in order. In this backup, the archive bit is cleared.

Full (backup concepts)

The easiest type of backup to understand is the __________ backup. In this backup, all files and software are copied onto the storage media. Restoration from this backup is similarly straightforward: you copy all the files back onto your system. This process can take a considerable amount of time. Consider the size of even the average home PC today, for which storage is measured in hundreds of gigabytes to terabytes; copying this amount of data takes time. In this backup, the archive bit is cleared.
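As an added example, not from the original page, this simulation models the archive-bit behaviour of the three backup types described in the cards above and the restore chain each one needs. The file names and the daily edit pattern are constructed sample data; the point it makes is that a differential set keeps growing because the bit is never cleared, while an incremental set stays small but must be replayed in full on restore.

```python
"""Simulate full, differential and incremental backups driven by an archive
bit, and the restore chain each scheme needs. Added example; constructed data."""

# Constructed sample data: three files (name -> version), and which files are
# edited on each day after the day-0 full backup.
SAMPLE_FILES = {"payroll.xlsx": 0, "notes.txt": 0, "config.ini": 0}
SAMPLE_CHANGES = [
    {"payroll.xlsx"},                 # day 1
    {"notes.txt"},                    # day 2
    {"payroll.xlsx", "config.ini"},   # day 3
]


def run_schedule(scheme, files=SAMPLE_FILES, changes=SAMPLE_CHANGES):
    """Return (backup_sets, live_state).

    backup_sets is a list of (label, {name: version}); the first entry is
    always the full backup. scheme is 'differential' or 'incremental'.
    """
    if scheme not in ("differential", "incremental"):
        raise ValueError(f"unknown scheme: {scheme}")
    versions = dict(files)
    archive = {name: False for name in files}   # the full backup clears every bit
    backups = [("full", dict(versions))]
    for day, edited in enumerate(changes, start=1):
        for name in edited:                     # an edit bumps the version and sets the bit
            versions[name] += 1
            archive[name] = True
        flagged = {n: v for n, v in versions.items() if archive[n]}
        backups.append((f"{scheme}-{day}", flagged))
        if scheme == "incremental":             # only incrementals reset the archive bit
            for name in flagged:
                archive[name] = False
    return backups, versions


def restore(backups, scheme):
    """Rebuild the file set from the backup chain the way an operator would."""
    label, state = backups[0]
    if label != "full":
        raise ValueError("chain must start with a full backup")
    state = dict(state)
    if scheme == "differential":
        state.update(backups[-1][1])            # full + most recent differential only
    else:
        for _, delta in backups[1:]:            # full + every incremental, in order
            state.update(delta)
    return state


def backup_sizes(backups):
    """Number of files written in each backup set after the full."""
    return [len(contents) for _, contents in backups[1:]]


if __name__ == "__main__":
    for scheme in ("differential", "incremental"):
        sets, live = run_schedule(scheme)
        print(scheme, "set sizes:", backup_sizes(sets),
              "restore matches live:", restore(sets, scheme) == live)
```

With the sample edits the differential sets contain 1, 2 and 3 files while the incremental sets contain 1, 1 and 2; both chains restore to the same live state, but the incremental restore fails if any one of its sets is missing.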

On-boarding

A key element when __________ personnel is to ensure that the personnel are aware of and understand their responsibilities with respect to securing company information and assets. This procedure should be well documented to ensure compliance with legal requirements.

Identification of critical systems

A part of identifying mission-essential functions is identifying the systems and data that support those functions. __________ enables the security team to properly prioritize defenses to protect the systems and data in a manner commensurate with the associated risk. It also establishes the proper sequence for restoring operations to ensure proper restoration of services.

Environmental (threat assessment)

A threat assessment is a structured analysis of the threats that confront an enterprise. Threats are important to understand, for you generally cannot change the threat; you can only change how it affects you. One of the largest sources of threats is the environment. __________ changes can come from a wide variety of sources, such as weather, lightning, storms, and even solar flares, and these can cause changes to the system in a manner that disrupts normal operations. These changes can increase risk. Making systems resilient can reduce impacts and mitigate the sources of risk to the enterprise.

1.) Internal vs. 2.) External (threat assessment)

_____1_____ threats include disgruntled employees, and well-meaning employees who make mistakes or have an accident. These threats tend to be more damaging, as the perpetrator has already been granted some form of access. The risk is related to the level of access and the value of the asset being worked on. For instance, if a system administrator working on the domain controller accidentally erases a critical value and crashes the system, it can be just as costly as an unauthorized outsider performing a DoS attack against the enterprise. _____2_____ threats come from outside the organization, and by definition begin without access to the system. Access is reserved for users who have a business need to know and have authorized accounts on the system, so outsiders must first hijack one of these accounts. These extra steps and the reliance on external connections make these attackers easier to detect.

Manmade (threat assessment)

___________ threats are those that are attributable to the actions of a person. These threats are not limited to hostile actions by an attacker; they also include accidents by users. Users can represent one of the greatest risks to an IT system. More files are lost to accidental user deletion than to hackers deleting files, and to the team trying to restore the lost files, the attribution has no bearing on the restoration effort. User actions, such as poor cyber hygiene and reusing passwords, have been shown to be the starting point for many major cybersecurity events of the past several years. Proper controls to manage the risk to the system must include controls against both accidental and purposeful acts.

Annual Loss Expectancy - ALE (risk assessment)

After calculating the SLE, the ___________ is then calculated simply by multiplying the SLE by the likelihood or number of times the event is expected to occur in a year, which is called the annualized rate of occurrence (ARO): ___________ = SLE x ARO. This represents the expected losses over the course of a year based on the __________. If multiple events are considered, the ALE of each event (its own SLE x ARO) is calculated separately and the results are summed to give a total expected annual loss; the SLEs and AROs themselves are not summed.

Chain of custody

After evidence is collected, it must be properly controlled to prevent tampering. The __________ accounts for all persons who handled or had access to the evidence. More specifically, it shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control or possession of the evidence for the entire time since it was obtained. The following are the critical steps in the __________:
1. Record each item collected as evidence.
2. Record who collected the evidence along with the date and time it was collected or recorded.
3. Write a description of the evidence in the documentation.
4. Put the evidence in containers and tag the containers with the case number, the name of the person who collected it, and the date and time it was collected or put in the container.
5. Record all message digest (hash) values in the documentation.
6. Securely transport the evidence to a protected storage facility.
7. Obtain a signature from the person who accepts the evidence at this storage facility.
8. Provide controls to prevent access to and compromise of the evidence while it is being stored.
9. Securely transport the evidence to court for proceedings.

Interconnection Security Agreement - ISA (agreement types)

An __________ is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection. It can be part of an MOU, detailing the specific technical security aspects of a data interconnection.

Acceptable use policy - AUP/rules of behavior

An ___________ outlines what the organization considers to be the appropriate use of its resources, such as computer systems, email, Internet, and networks. Organizations should be concerned about any personal use of organizational assets that does not benefit the company.

Location selection (geographic considerations)

An important element to factor into the cost of the backup strategy is the expense of storing the backups. Choosing a storage location for backups involves several key elements. First is the physical safety of the backup media. Because proper environmental conditions, safe from outside harm, must be maintained, this can limit locations. HVAC can be a consideration, as well as issues such as potential flooding and theft. Protecting the backup media is important, as damage to it may not be discovered until the media is needed, and then the loss becomes potentially catastrophic.

Distance (geographic considerations)

The __________ associated with an off-site backup is a logistics problem. If you need to restore a system and the backups are stored hours away by car, that increases the recovery time. The delay resulting from physical movement of backup tapes has been alleviated in many systems by networks that move the data at the speed of the network. __________ is also critical when examining the reach of a disaster. It is important that the off-site location is far enough away that it is not affected by the same incident. This includes the physical location of a cloud storage provider's servers. If your business is in Puerto Rico and so are your cloud provider's servers, for example, Hurricane Maria likely made your data unavailable for a long time.

Legal implications (geographic considerations)

With regard to location selection, if you are considering cloud storage for your backups you must take into consideration the __________ of where the data would actually be stored. Different jurisdictions have different laws, rules, and regulations concerning tools such as encryption. Understanding how these affect data backup storage plans is critical to prevent downstream problems. Some countries require storage of data concerning their citizens to be done within their borders, under their legal jurisdiction. Other countries may have different government regulations concerning privacy that would impact the security of the data. In the end, without proper contract review, one may have no idea where one's data is actually stored, for what might be a cloud in Atlanta this week could be in Albania next week.

Off-site backups (geographic considerations)

_________ are just that: backups that are stored in a separate location from the system being backed up. This is important in the realm of problems that can affect areas larger than a single room. A building fire, a hurricane, a tornado: these are all disasters that occur frequently and typically affect a larger area than a single room or building. Having this type of backup alleviates the risk of losing the backup to the same problem. In today's high-speed network world with cloud services, storing backups in the cloud is an option that can resolve many of the risk issues associated with backup availability.

Data sovereignty (geographic considerations)

___________ is a relatively new type of legislation that several countries have enacted recently, mandating that data stored within their borders is subject to their laws, and in some cases that data originating within their borders must be stored there.

Network traffic logs (Data acquisition)

An important source of information in an investigation can be the network activity associated with the device. There can be a lot of useful information in the _________ associated with network infrastructure. The level and breadth of this information is determined by the scope of the investigation.

Roles and responsibilities (incident response plan)

An incident response plan describes the steps an organization performs in response to any situation determined to be abnormal in the operation of the computer system. A critical step in the incident response planning process is to define the __________ of the incident response team members. These may vary slightly based on the identified categories of incident, but defining them before an incident occurs empowers the team to perform the necessary tasks during the time-sensitive phases of an incident. Permissions to cut connections, change servers, and start/stop services are common examples of actions that are best defined in advance to prevent time-consuming approvals during an actual incident.

Exercise (incident response plan)

One really doesn't know how well a plan is crafted until it is tested. __________, in many forms and functions, including tabletop ones where planning and preparations are walked through, are an important final step in the planning process. Having a process and a team is not enough unless the team practices the process on the systems of the enterprise.

Reporting requirements/escalation (incident response plan)

Planning the desired __________, including escalation steps, is an important part of the operational plan for an incident. Who will talk about the incident, to whom, and what will they say? How does the information flow? Who needs to be involved? When does the issue escalate to higher levels of management? These are all questions that should be handled in a pre-incident planning meeting where the procedures are crafted, rather than on the fly as an incident is occurring.

Cyber-incident response teams (incident response plan)

The __________ is composed of the personnel who are designated to respond to the incident. The incident response plan should identify the membership and backup members prior to an incident occurring. Once incident response begins, trying to find personnel for the tasks only slows down the response, and in many cases makes it unmanageable. Whether a dedicated team or a group of situational volunteers, the planning aspect of this is to address who is on the team and what their duties are.

Documented incident types/category definitions (incident response plan)

To assist in the planning of incident responses and to group the myriad possible incidents into a manageable set of categories, one step of the incident response planning process is the ___________. This provides planners and responders with a set number of preplanned scripts that can be applied quickly, minimizing repetitive approvals and process flows. Examples of how categories are defined include items such as interruption of service, malicious communication, data exfiltration, malware delivery, phishing attack, and so on, although this list will be customized to meet the IT needs of each organization.

Job rotation

Another policy that provides multiple benefits is __________. Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance or hinder the business. It also limits the opportunity for any one person to conceal fraud or misuse, because a successor will take over and review their work.

Data owner (Role-based awareness training)

Data requires a __________. Data ownership roles for all data elements need to be defined by the business. Data ownership is a business function, through which the requirements for security, privacy, retention, and other business needs are established. Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. This is the responsibility of the ___________. It is important that these people receive training and understand their responsibilities with respect to this important requirement.

Track man-hours

Demonstrating the efforts and tasks performed in the forensics process may become an issue in court and other proceedings. Having the ability to demonstrate who did what, when they did it, and how long it took can provide information to establish that the steps were taken per the processes employed. Having solid accounting data on _________ and other expenses can provide corroborating evidence as to the actions performed.

Preservation

Digital evidence has one huge, glaring issue: it can change, and not leave a record of the change. The fact that the outcome of a case can hinge on information that can be argued as not static leads to the crucial elements of ___________. From the initial step in the forensic process, the most important issue must always be __________ of the data.

System owner (Role-based awareness training)

Every system requires a __________. Like data ownership, this is a business function, through which the requirements for security, privacy, retention, and other business needs are established for an entire system. Not all systems require the same policies, but the determination of what the policies for a given system are is the responsibility of this person. It is important that these people receive training and understand their responsibilities with respect to this important requirement.

Single Loss Expectancy - SLE (risk assessment)

A risk assessment is a method to analyze potential risk based on statistical and mathematical models. You can use any one of a variety of models to calculate potential risk assessment values. The __________ is the value of a loss expected from a single event. It is calculated using this formula: __________ = asset value x exposure factor. To see how the exposure factor works, assume the asset value of a small office building and its contents is $2 million. Also assume that this building houses the call center for the business, and that the complete loss of the center would take away about half the capability of the company. Therefore, the exposure factor is 50%. The example would look like this: $2 million x 0.5 = $1 million.
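Added example (not part of the study set) that puts the risk register, SLE and ALE cards together: each register entry computes SLE = AV x EF and ALE = SLE x ARO, the register is ranked by ALE, and a proposed control is judged by the ALE it removes against its annual cost. The call-center entry reproduces the $2 million / 50% example above; the other entries, the AROs and the control figures are constructed.

```python
"""Quantitative risk register: SLE = AV x EF, ALE = SLE x ARO, ranked by ALE.
Added example with constructed figures; not code from the page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in currency units
    exposure_factor: float  # EF, fraction of the asset lost per event (0..1)
    aro: float              # annualized rate of occurrence, events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"EF must be between 0 and 1: {self.exposure_factor}")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual loss expectancy: expected cost per year."""
        return self.sle * self.aro


# Constructed sample register. The first entry is the page's worked example
# ($2M building, EF 50%) with an assumed ARO of one fire in 25 years.
SAMPLE_REGISTER = [
    Risk("Call-center building loss (fire)", 2_000_000, 0.50, 1 / 25),
    Risk("Ransomware on file server", 500_000, 0.80, 0.5),
    Risk("Laptop theft", 3_000, 1.0, 12),
]


def rank_by_ale(register):
    """Highest expected annual loss first: the order in which controls get funded."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def total_ale(register):
    """Sum of the individual ALEs (never of the SLEs and AROs separately)."""
    return sum(r.ale for r in register)


def control_net_benefit(risk, annual_control_cost, residual_aro):
    """Annual saving from a control minus its annual cost; positive means it
    pays for itself. residual_aro is the expected ARO with the control in place."""
    saved = risk.ale - risk.sle * residual_aro
    return saved - annual_control_cost


if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_REGISTER):
        print(f"{r.name:38} SLE={r.sle:>12,.0f}  ALE={r.ale:>10,.0f}")
    print(f"total ALE: {total_ale(SAMPLE_REGISTER):,.0f}")
    # Constructed control: offline backups at $20k/yr cut the ransomware ARO to 0.1.
    print("backup control net benefit:",
          f"{control_net_benefit(SAMPLE_REGISTER[1], 20_000, 0.1):,.0f}")
```

Note that the laptop entry has a small SLE but a large ALE because of its frequency, which is why ranking by ALE rather than by asset value is the useful ordering.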

1.) Recovery Time Objective - RTO / 2.) Recovery Point Objective - RPO

Business impact analysis (BIA) is the process used to determine the sources and relative impact values of risk elements in a process. BIA is also the name often used to describe the document created by addressing questions associated with sources of risk and the steps taken to mitigate them in the enterprise. It also outlines how the loss of any of your critical functions will impact the organization. The term _____1_____ is used to describe the target time that is set for resumption of operations after an incident. This is a period of time that is defined by the business, based on the needs of the business. A shorter one results in higher costs because it requires greater coordination and resources. This term is commonly used in business continuity and disaster recovery operations. _____2_____, totally different from the one above, is the time period representing the maximum period of acceptable data loss. This defines the frequency of backup operations necessary to prevent unacceptable levels of data loss. A simple way of establishing this is to answer the following questions: how much data can you afford to lose? How much rework is tolerable?

Personal email use policy

Co-mingling of personal and work-related materials may not appear to be a real problem when viewed from an employee's perspective: what can be the harm? But the reality of modern e-discovery and other processes raises many concerns from a corporate perspective. While occasional use of work email for personal use probably doesn't add enough data to be a storage concern, what happens when that email becomes involved in a personal legal dispute? Whether the issue is inherently personal, as in a divorce, or financial, as in a case of suspected fraud, when the lawyers get involved and send a litigation hold request to a firm for an employee's personal email on a corporate server, the co-mingling becomes a problem. The simplest and easiest policy is to disallow use of corporate resources for personal use, including email, storage, devices, and so forth.

Take hashes (Data acquisition)

If files, logs, and other information are going to be captured and used for evidence, you need to ensure that the data isn't modified. In most cases, a tool that implements a hashing algorithm to create message digests is used. A hashing algorithm performs a function similar to the familiar parity bits, checksum, or cyclic redundancy check (CRC): it applies mathematical operations to a data stream to calculate a number that is, for practical purposes, unique to the information contained in the data stream. If a subsequent hash of the same data stream produces a different hash value, the data stream has changed. Unlike a CRC, a cryptographic hash (SHA-256 is the usual choice today) is designed so that an adversary cannot craft a modified file with the same digest; record the digest at acquisition and check it again whenever the evidence changes hands.
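Added example, not code from the page, of the hashing step described above and of chain-of-custody step 5 (record all hash values): a digest manifest is built for every evidence item at acquisition and the items are re-verified later, with a missing item reported as a failure rather than skipped. The two evidence byte strings are constructed stand-ins for acquired files.

```python
"""Hash evidence items at acquisition and verify them later.
Added example with constructed sample evidence; not code from the page."""
import hashlib

# Constructed sample evidence: bytes standing in for two acquired files.
SAMPLE_EVIDENCE = {
    "auth.log": b"Jan 10 03:12:07 host sshd[1024]: Failed password for root from 203.0.113.5\n",
    "disk.img": bytes(range(256)) * 4,
}

# Two algorithms are recorded so that a later challenge to one of them does
# not invalidate the whole record. Neither MD5 nor SHA-1 is used.
ALGORITHMS = ("sha256", "sha512")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of a byte string, hashed in chunks so the same routine
    works for large images streamed from disk."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for i in range(0, len(view), 65536):
        h.update(view[i:i + 65536])
    return h.hexdigest()


def build_manifest(evidence: dict, algorithms=ALGORITHMS) -> dict:
    """Record a digest per algorithm for every item; this is what goes into
    the chain-of-custody documentation at collection time."""
    return {name: {alg: digest(data, alg) for alg in algorithms}
            for name, data in evidence.items()}


def verify(manifest: dict, evidence: dict) -> dict:
    """Re-hash each item and report whether it still matches the manifest.
    A missing item is a failure, not a silent skip."""
    report = {}
    for name, recorded in manifest.items():
        data = evidence.get(name)
        if data is None:
            report[name] = False
            continue
        report[name] = all(digest(data, alg) == value
                           for alg, value in recorded.items())
    return report


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EVIDENCE)
    print("at acquisition:", verify(manifest, SAMPLE_EVIDENCE))
    # Constructed tampering: one byte string edited after the manifest was taken.
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["auth.log"] = tampered["auth.log"].replace(b"root", b"user")
    print("after tampering:", verify(manifest, tampered))
```

The manifest (name, algorithm, digest) is what gets written into the chain-of-custody record; the verify step is repeated at each hand-over so that any change is caught at the point it happened.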

Witness interviews (Data acquisition)

Remember that witness credibility is extremely important. It is easy to imagine how quickly credibility can be damaged if the witness is asked, "Did you lock the file system?" and can't answer affirmatively, or, when asked, "When you imaged this disk drive, did you use a new disk?", can't answer that the destination disk was new or had been wiped with a low-level format before data was copied to it. Witness preparation can be critical in a case, even for technical experts.

Capture system image (Data acquisition)

Imaging or dumping the physical memory of a computer system can help identify evidence not available on a hard drive. This is especially appropriate for rootkits, where evidence on the hard drive is hard to find. Once the memory is imaged, you can use a hex editor to analyze the image offline on another system. Note that dumping memory is more applicable for investigative work where court proceedings will not be pursued. If the case is likely to end up in court, do not dump memory without first seeking legal advice to confirm that live analysis of the memory is acceptable; otherwise, the defendant will easily be able to dispute the claim that evidence was not tampered with.

Legal hold

In the United States legal system, legal precedent requires that potentially relevant information must be preserved at the instant a party "reasonably anticipates" litigation or another type of formal dispute. Although this sounds technical, it is fairly easy to grasp: once an organization is aware that it needs to preserve evidence for a court case, it must do it. The mechanism is fairly simple as well: once you realize your organization needs to preserve evidence, you must use a __________, or litigation hold, the process by which you properly preserve any and all digital evidence related to a potential case.

Users (Role-based awareness training)

Normal _________ need limited access based on their job role and the tasks assigned. This is where the principle of least privilege comes into play. Limiting a user's privileges limits the amount of harm that can be caused, thus limiting the organization's exposure to damage.

Testing, Vulnerability testing authorization (risk assessment)

Obtaining __________ from management before commencing the test is a step designed to prevent avoidable misunderstandings, such as triggering an IR response. Just as it is important to obtain authorization for penetration tests, it is important to obtain permission for vulnerability tests of production machines.

Testing, Penetration testing authorization (risk assessment)

Obtaining ___________ is the first step in penetration testing. The testing team, in advance, obtains permission, in writing with specifics, from the system owner to perform the penetration test. The authorization should explain the full scope of the penetration testing. This penetration testing authorization is used as a communication plan for the test.

Order of restoration

Part of the planning for a disaster is to decide the __________: which systems should be restored first, second, and ultimately last. There are a couple of distinct factors to consider. First are dependencies. Any system that is dependent upon another for proper operation must wait to be restored until the prerequisite services are up and running. The second factor is criticality to the enterprise. The most critical service should be brought back up first.

Screenshots (Data acquisition)

Pay particular attention to the state of what is on the screen at the time of evidence collection. The information on a video screen is lost once the system changes or power is removed. Take __________, using a digital camera or video camera, to provide documentation as to what was on the screen at the time of collection. Because you cannot trust the system internals themselves to be free of tampering, do not use internal __________ capture methods.

Background checks

Personnel are key to security in the enterprise. Hiring good personnel has always been a challenge in the technical field, but it is equally important to hire trustworthy people, especially in key roles that have greater system access. Performing routine __________ provides the human resources team the necessary information needed to make the correct decisions. These can validate previous employment, criminal backgrounds, and financial background. Depending upon the industry, firm, and position, different elements from these areas may be included.

Clean desk policy

Preventing access to information is also important in the work area. Firms with sensitive information should have a __________ policy specifying that sensitive information must not be left unsecured in the work area when the worker is not present to act as a custodian. Even leaving the desk area to go to the bathroom can leave information exposed and subject to compromise. This policy should identify and prohibit things that are not obvious at first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers.

Adverse actions

Punishing employees when they violate policies is always a difficult subject. There are two schools of thought regarding when to take __________: 1. Zero tolerance: one strike and you're out is the norm. 2. Discretionary action: the flexibility this offers makes handling cases more challenging, because management must determine the correct level of adverse action, but it also gives the flexibility to salvage an employee who has made an uncharacteristic mistake.

Warm site (recovery sites)

Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A _________ is partially configured, usually having the peripherals and software but perhaps not the more expensive main processing computer. It is designed to be operational within a few days.

Hot site (recovery sites)

Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A __________ is a fully configured environment, similar to the normal operating environments that can be operational immediately or within a few hours depending on its configuration and the needs of the organization.

Cold site (recovery sites)

Related to the location of backup storage is where the restoration services will be located. If the organization has suffered physical damage to its facility, having off-site data storage is only part of the solution. This data will need to be processed somewhere, which means that computing facilities similar to those used in normal operations are required. The sites are referred to as recovery sites. The recovery problem can be approached in a number of ways. A ___________ will have the basic environmental controls necessary to operate but few of the computing components necessary for processing. Getting this site operational may take weeks.

Mandatory vacations

Requiring employees to use their vacation time through policy of __________ can be a security protection mechanism. Using vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary.

Risk response techniques, mitigate (risk assessment)

Risk can also be _________ through the application of controls that reduce the impact of an attack. Controls can alert operators so that the level of exposure is reduced through process intervention. When an action occurs that is outside the accepted risk profile, a second set of rules can be applied, such as calling the customer for verification before committing the transaction. Controls such as these can act to reduce the risks associated with potentially fraudulent operations.

Reputation (impact)

Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Corporate ___________ is important in marketing. Would you do business with a bank that has a shoddy record of accounting or of losing personal information? How about an online retailer? Would its customer base think twice before entering their credit card information after a data breach?

Life (impact)

Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. Many IT systems are involved in healthcare, and failures of some of these systems can and have resulted in injury and death to patients. IT systems are also frequently integral to the operation of machines in industrial settings, and their failure can have similar impacts. Injury and loss of __________ are outcomes that backups cannot address, and their consequences go beyond those of any other impact. As part of a business impact analysis, you would identify the systems whose failure could cause this and ensure that they are highly redundant.

Property (impact)

Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. __________ damage can be the result of unmitigated risk. This can include damage to company-owned property, damage to other people's property, and even environmental damage from toxic releases in industrial settings. These are all examples of damage that can be caused by IT security failures.

Safety (impact)

Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. __________ is the condition of being protected from, or unlikely to cause, danger, risk, or injury. This matters from both a business risk perspective and when you consider the level of concern one places on the well-being of people. In a manufacturing environment, with moving equipment and machines that can present a danger to workers, government regulations require specific actions to mitigate risk and make the workplace as safe as possible. Computers are increasingly involved in all aspects of business, and their failure can affect this.

Finance (impact)

Risk is the chance of something not working as planned and causing an adverse impact. Impact is the cost associated with a realized risk. ___________ is in many ways the final arbiter of all activities, for it is how we keep score. We measure the gains through sales and profits, and the losses through unmitigated risks.

Continuing education

Technology and security practices are far from static environments. They advance every year, and relevant skills can become outdated in as little as a couple of years. Maintaining a skilled workforce in security necessitates ongoing training and education. A __________ program can assist greatly in helping employees keep their skills up-to-date.

Annualized Rate of Occurrence - ARO (risk assessment)

The __________ is a representation of the frequency of an event, measured in a standard year. If the event is expected to occur once in 20 years, then this is 1/20. Typically, this is derived from historical data, either from a company's own experience or from industry surveys. As an example, assume a fire at the business's location has a single loss expectancy (SLE) of $1 million and is expected to occur about once in 20 years. Given this information, the annualized loss expectancy (ALE) is SLE x ARO: $1 million x 1/20 = $50,000. The ALE sets a threshold for evaluating the cost/benefit ratio of a given countermeasure: a countermeasure to protect this business against this risk should cost no more than the calculated ALE of $50,000 per year.

Asset value - AV (risk assessment)

The __________ is the amount of money it would take to replace an asset. This term is used with the exposure factor (EF), a measure of how much of the asset's value is at risk in a single event, to determine the single loss expectancy: SLE = AV x EF.
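
The SLE/ARO/ALE chain from the two definitions above, carried through to the countermeasure decision the ALE is used for, as an added example that is not part of the original page. The facility value, exposure factors and the two controls are constructed assumptions chosen so that the SLE comes out at $1 million and the ALE at $50,000, matching the figures quoted above.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. The exposure factor is the fraction (0..1) of the
    asset's value lost in a single occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(expected_events: float, over_years: float) -> float:
    """ARO = expected occurrences per year; 'once in 20 years' is 1/20 = 0.05."""
    if over_years <= 0:
        raise ValueError("period must be positive")
    return expected_events / over_years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, the expected loss per year from this one risk."""
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float            # yearly cost of owning and operating the control
    exposure_factor_after: float  # EF once the control is in place
    aro_after: float              # ARO once the control is in place


def countermeasure_net_value(asset_value, exposure_factor, aro, control) -> float:
    """Annual net value of a control = ALE(before) - ALE(after) - annual cost.
    Positive: the control removes more expected loss than it costs.
    Negative: the control costs more than the risk it removes."""
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after),
        control.aro_after)
    return ale_before - ale_after - control.annual_cost


def worth_deploying(asset_value, exposure_factor, aro, control) -> bool:
    return countermeasure_net_value(asset_value, exposure_factor, aro, control) > 0


# Constructed scenario (assumption, not from the page): a $2,000,000 facility
# in which a fire destroys half the value (EF 0.5), so SLE = $1,000,000, and a
# fire is expected once in 20 years, giving an ALE of $50,000.
FACILITY_AV = 2_000_000.0
FIRE_EF = 0.5
FIRE_ARO = annualized_rate_of_occurrence(1, 20)

# Two hypothetical controls. Sprinklers limit the damage of a fire; the
# "fireproof vault" eliminates loss entirely but costs more than the ALE.
SPRINKLERS = Countermeasure("sprinklers", annual_cost=15_000.0,
                            exposure_factor_after=0.1, aro_after=FIRE_ARO)
OVERBUILT = Countermeasure("fireproof vault", annual_cost=60_000.0,
                           exposure_factor_after=0.0, aro_after=FIRE_ARO)

if __name__ == "__main__":
    sle = single_loss_expectancy(FACILITY_AV, FIRE_EF)
    print(f"SLE ${sle:,.0f}  ALE ${annualized_loss_expectancy(sle, FIRE_ARO):,.0f}")
    for control in (SPRINKLERS, OVERBUILT):
        net = countermeasure_net_value(FACILITY_AV, FIRE_EF, FIRE_ARO, control)
        verdict = "deploy" if worth_deploying(FACILITY_AV, FIRE_EF, FIRE_ARO, control) else "reject"
        print(f"{control.name}: net value ${net:,.0f}/yr -> {verdict}")
```

Note that the comparison is against the ALE reduction the control actually delivers, not the raw ALE: the vault is rejected even though it removes the whole $50,000 of expected loss, because it costs $60,000 a year to do so.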

Impact (risk assessment)

The __________ of an event is a measure of the actual loss when a threat exploits a vulnerability. The common method is to define the impact levels in terms of important business criteria. Impacts can be in terms of cost, performance, schedule, or any other important item.

Likelihood of occurrence (risk assessment)

The ___________ is the chance that a particular risk will occur. This measure can be qualitative or quantitative. For quantitative measures, the likelihood of occurrence is typically defined on an annual basis so that it can be compared to other annualized measures. If defined qualitatively, it is used to create rank-ordered outcomes.

Supply chain assessment (risk assessment)

The analysis of risk in a supply chain has become an important issue in our connected society. Organizations need to consider not just the risk associated with the system itself but the risk embedded in it through the components the vendor obtained via its supply chain, which could span the globe. For instance, if the system has critical components that are available from only a single source, what happens if that source stops making the component? The term __________ describes the process of exploring and identifying these risks.

Lessons learned (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. A post-mortem session should collect __________ and assign action items to correct weaknesses and to suggest ways to improve. To paraphrase a famous quote, those who fail to learn from history are destined to repeat it.

Recovery (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. After the issue has been eradicated, this process begins. At this point the investigation is complete and documented. __________ is the process of returning the asset to its business function and restoring normal business operations. Eradication, the previous step, removed the problem, but in most cases the eradicated system will still be isolated. This process includes the steps necessary to return the systems and applications to operational status.

Eradication (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. Once the incident response team has contained a problem to a set footprint, the next step is to ___________ the problem. This involves removing the problem, and in today's complex system environment, this may mean rebuilding a clean machine. A key part of this is the prevention of reinfection.

Containment (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. Once the incident response team has determined that an incident has in fact occurred and requires a response, their first step is to contain the incident and prevent its spread. ___________ is the set of actions taken to constrain the incident to the minimal number of machines. This preserves as much of production as possible and ultimately makes handling the incident easier.

Preparation (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. __________ is the phase of incident response that occurs before a specific incident. It includes all the tasks needed to be organized and ready to respond to an incident. Without proper preparation, responding to an incident can quickly become impossible or intractably expensive.

Identification (incident response process)

The incident response process is the set of actions security personnel perform in response to a wide range of triggering events. These actions are wide and varied, as they have to deal with a wide range of causes and consequences. __________ is the process where a team member suspects that a problem is bigger than an isolated event and notifies the incident response team for further investigation. An incident is defined as a situation that departs from normal, routine operations. Whether an incident is important or not is the first decision point in the incident response process.

After-action reports (continuity of operations planning)

The overall goal of continuity of operations planning is to determine which subset of normal operations is to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact in situations where normal operations are interrupted. This includes identifying critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Just as identifying and documenting lessons learned is a key element of the incident response process, __________ should be prepared after invoking the continuity of operations plan. Similar to lessons learned, these serve two functions. First, they document the level of operations upon transfer to the backup systems: is all of the capability necessary to continue operations up and running? The second question set addresses how the actual change from normal operations to those supported by continuity systems occurred, including documenting what went right and what went wrong.

Alternate processing sites (continuity of operations planning)

The overall goal of continuity of operations planning is to determine which subset of normal operations is to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact in situations where normal operations are interrupted. This includes identifying critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. One of the key aspects of planning a solid, cost-effective continuity of operations plan is to consider _________. In the worst case, the event that triggered the shift to the continuity systems may also have rendered the physical location of the original business systems unusable. If you choose a ___________ that is 500 miles away in another major city and you do not have staff there, you need a plan to temporarily move the required personnel, including temporary lodging and so on.

Exercises/tabletop (continuity of operations planning)

The overall goal of continuity of operations planning is to determine which subset of normal operations is to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact in situations where normal operations are interrupted. This includes identifying critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. Once a continuity of operations plan is in place, a __________ should be performed to walk through all of the steps and ensure that all elements are covered and that the plan does not omit a key dataset or person. This is a critical final step, for it is the step that validates that the planning covered the needed elements.

Failover (continuity of operations planning)

The overall goal of continuity of operations planning is to determine which subset of normal operations is to be continued during periods of disruption. Continuity of operations planning involves developing a comprehensive plan to enact in situations where normal operations are interrupted. This includes identifying critical assets, critical systems, and interdependencies, and ensuring their availability during the disruption. _________ is the process of moving from normal operational capability to the continuity-of-operations version of the business. The required speed and flexibility of this depends on the business type, from seamless for most financial sites to a slightly delayed process where system A is turned off and someone goes and turns system B on, with some period of no service in between.

Social media networks/applications

The rise of __________ has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, these can be considered a form of third party. One of the challenges in working with these networks and applications is their terms of use. While a relationship with a typical third party involves a negotiated agreement with respect to requirements, there is no negotiation with these. The only option is to accept their terms of service, so it is important to understand the implications of those terms with respect to the business's use of them.

Order of volatility

There are many sources of data in a computer system, and if the machine is running, some of these sources are volatile. Things such as the state of the CPU and its registers, RAM, and even storage are always changing, which can make the collection of electronic data a difficult and delicate task. These elements change at different rates, and you should pay attention to the __________, or lifetime of the data, so that you can prioritize your collection efforts after a security incident and not lose valuable forensic evidence. Following is the __________ of digital information in a system, from most to least volatile:
1. CPU, cache, and register contents (collect first)
2. Routing tables, ARP cache, process tables, kernel statistics
3. Live network connections and data flows
4. Memory (RAM)
5. Temporary file system/swap space
6. Data on hard disk
7. Remotely logged data
8. Data stored on archival media/backups (collect last)

Risk response techniques, accept (risk assessment)

When analyzing a specific risk, if after weighing the costs to avoid, transfer, or mitigate the risk against the probability of its occurrence and its potential impact none of those options is justified, the best response is to __________ the risk.

Mission-essential functions

When examining risk and its impact on a business, it is important to distinguish mission-essential functions from other business functions. In most businesses, the vast majority of daily functions, although important, are not mission essential. __________ are those that, should they not occur or be performed improperly, directly affect the mission of the organization. In other terms, these are the functions that must be restored first after a business impact to enable the organization to restore its operations.

1.) Strategic intelligence / 2.) Counterintelligence gathering, 3.) Active logging

_____1_____ is the use of all available resources to make determinations. This can make a large difference in whether a firm is prepared for threats or not. The same idea applies to digital forensics, where it can provide information that limits the scope of an investigation to a manageable level. If we have an idea of the specific acts for which we would like demonstrable evidence of either occurrence or nonoccurrence, we can build a _____1_____ set on that information. Where is it, what is it, and what is allowed/not allowed are all pieces of information that, when arranged and analyzed, can lead to a data-logging plan that supports forensic event capture. ______2______ is the gathering of information specifically targeting the strategic intelligence effort of another entity. Knowing what people are looking at and what information they are obtaining can provide insight into their motives and potential future actions. Making and using a tool so that it does not leave specific traces of where, when, or on what it was used is a form of _____2_____ in action. Ideally, you should minimize the scope of logging so that when you have to search logs, the event you are interested in stands out rather than being hidden in a sea of irrelevant log items. When you have an idea of what information you will want to examine, you can make an ____3______ plan that ensures the information is logged when it occurs and, if at all possible, in a location that prevents alteration.

System Administrator (Role-based awareness training)

__________ are administrative users with the responsibility of maintaining a system within its defined requirements. The system owner defines requirements, such as the frequency of backups, whereas the ___________ configures the system to operationally meet those requirements. These people have virtually unlimited power over the system, for they can control all of its functions, but they should not have the power, or the responsibility, to set policies for the system. That falls to the system owner. It is important that these people receive training and understand their responsibilities with respect to this important requirement, and the delineation of their responsibilities from the owner's.

Standard operating procedure

__________ are mandatory step-by-step instructions set by the organization so that in the performance of their duties, employees will meet the stated security objectives of the firm.

Non-disclosure Agreements - NDA

__________ are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties. These are frequently used to delineate the level and type of information, and with whom it can be shared. These can be executed between any two parties where one party wishes that the material being shared not be shared further, enforcing confidentiality via contract.

Recovery

__________ in a digital forensic sense is associated with determining the relevant information for the issue at hand: simply stated, recovering the evidence associated with an act. But what if the act is not precisely known? For example, suppose a sales manager for a company quits and goes to work for a competitor. Because she was a sales manager, she had access to sensitive information that would benefit the new employer. But how do you know whether she took sensitive information with her? And even if she did, how do you determine, for purposes of _________, which information she took and where to look for it?

Mean Time To Repair - MTTR

__________ is a common measure of how long it takes to repair a given failure. This is an average time, and may or may not include the time needed to obtain parts. It is calculated as follows: = total downtime / number of breakdowns

Mean Time Between Failures - MTBF

__________ is a common measure of the reliability of a system and is an expression of the average time between system failures. The time between failures is measured from the time the system returns to service until the next failure. This is an arithmetic mean over a set of system failures: = sum over all failures of (start of downtime - start of uptime) / number of failures, that is, total uptime / number of failures.
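
The MTTR and MTBF definitions above, computed from an outage record and combined into availability = MTBF / (MTBF + MTTR), as an added example that is not part of the original page. The outage log is constructed: the service start date and the three failures are assumptions chosen to give round numbers.

```python
from datetime import datetime, timedelta

# Constructed outage record for one server (assumption, not from the page).
# Each entry is (time the system went down, time it was returned to service).
SERVICE_START = datetime(2023, 1, 1, 0, 0)
OUTAGES = [
    (datetime(2023, 1, 11, 0, 0), datetime(2023, 1, 11, 2, 0)),   # 2 h outage after 240 h up
    (datetime(2023, 1, 31, 2, 0), datetime(2023, 1, 31, 6, 0)),   # 4 h outage after 480 h up
    (datetime(2023, 3, 2, 6, 0), datetime(2023, 3, 2, 12, 0)),    # 6 h outage after 720 h up
]


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mttr_hours(outages) -> float:
    """MTTR = total downtime / number of breakdowns."""
    if not outages:
        raise ValueError("no failures recorded; MTTR is undefined")
    total_down = timedelta()
    for went_down, restored in outages:
        if restored <= went_down:
            raise ValueError(f"restore time must follow failure time: {went_down}")
        total_down += restored - went_down
    return _hours(total_down) / len(outages)


def mtbf_hours(service_start: datetime, outages) -> float:
    """MTBF = total uptime / number of failures. Each uptime interval runs from
    the moment the system (re)entered service until the next failure, so the
    downtime itself is excluded from the numerator."""
    if not outages:
        raise ValueError("no failures recorded; MTBF is undefined")
    total_up = timedelta()
    in_service_since = service_start
    for went_down, restored in outages:
        if went_down < in_service_since:
            raise ValueError(f"overlapping or unordered outage at {went_down}")
        total_up += went_down - in_service_since
        in_service_since = restored
    return _hours(total_up) / len(outages)


def availability(mtbf: float, mttr: float) -> float:
    """Availability = MTBF / (MTBF + MTTR), the fraction of time in service."""
    return mtbf / (mtbf + mttr)


def summarize(service_start: datetime, outages) -> dict:
    mtbf = mtbf_hours(service_start, outages)
    mttr = mttr_hours(outages)
    return {"mtbf_hours": mtbf, "mttr_hours": mttr,
            "availability": availability(mtbf, mttr)}


if __name__ == "__main__":
    s = summarize(SERVICE_START, OUTAGES)
    print(f"MTBF {s['mtbf_hours']:.1f} h, MTTR {s['mttr_hours']:.1f} h, "
          f"availability {s['availability'] * 100:.4f}%")
```

With these numbers the server was up for 1440 hours across three failures (MTBF 480 h) and down for 12 hours in total (MTTR 4 h), giving 480 / 484, or about 99.17% availability. The checks in `mtbf_hours` matter in practice: an outage log with overlapping or out-of-order entries would otherwise silently produce a negative uptime interval.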

Separation of duties

__________ is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. This means that the level of trust required in any one individual is lessened, and the ability of any individual to cause catastrophic damage to the organization is also lessened. An example might be an organization in which one person has the ability to order equipment but another individual makes the payment. An individual who wants to make unauthorized purchases for his own personal gain would have to convince another person to go along with the transaction.
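
The purchasing example above, turned into the two controls an auditor actually wants: a detective check that finds past transactions where one person performed two duties that should have been separated, and a preventive check that refuses such a duty at the time it is attempted. This is an added example, not code from the original page; the conflict pairs and the purchasing ledger are constructed assumptions.

```python
from collections import defaultdict

# Duties that must not be performed by the same person on one transaction
# (assumed policy for this example).
CONFLICTING_DUTIES = {
    frozenset({"order", "pay"}),
    frozenset({"order", "receive"}),
    frozenset({"receive", "pay"}),
}

# Constructed purchasing ledger (assumption, not from the page):
# (purchase order, duty performed, user who performed it).
LEDGER = [
    ("PO-1001", "order", "alice"), ("PO-1001", "receive", "bob"),  ("PO-1001", "pay", "carol"),
    ("PO-1002", "order", "dave"),  ("PO-1002", "receive", "dave"), ("PO-1002", "pay", "carol"),
    ("PO-1003", "order", "erin"),  ("PO-1003", "receive", "bob"),  ("PO-1003", "pay", "erin"),
]


def duties_per_user(ledger):
    """Map purchase order -> user -> set of duties that user performed on it."""
    table = defaultdict(lambda: defaultdict(set))
    for po, duty, user in ledger:
        table[po][user].add(duty)
    return table


def sod_violations(ledger):
    """Detective control: every (po, user, duties) where one person performed
    two duties that separation of duties requires of different people."""
    findings = []
    for po, users in duties_per_user(ledger).items():
        for user, duties in users.items():
            for pair in CONFLICTING_DUTIES:
                if pair <= duties:
                    findings.append((po, user, tuple(sorted(pair))))
    return sorted(findings)


def may_perform(ledger, po, duty, user) -> bool:
    """Preventive control: refuse a duty that would conflict with one the same
    user has already performed on this purchase order."""
    already = duties_per_user(ledger)[po][user]
    prospective = already | {duty}
    return not any(pair <= prospective for pair in CONFLICTING_DUTIES)


if __name__ == "__main__":
    for po, user, duties in sod_violations(LEDGER):
        print(f"SoD violation on {po}: {user} performed {' and '.join(duties)}")
    print("alice may pay PO-1001:", may_perform(LEDGER, "PO-1001", "pay", "alice"))
```

On this ledger the audit flags dave, who both ordered and received PO-1002, and erin, who ordered and paid PO-1003; PO-1001 is clean because three different people handled the three duties. The preventive check refuses alice the payment on PO-1001 because she placed the order, which is exactly the collusion requirement the paragraph describes: she would need carol, or someone else, to do it for her.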

Record time offset (Data acquisition)

__________ is the difference in time between the system clock and the actual time. To minimize this, most computers sync their time over the Internet with an official time source. Files and events logged on a computer will have timestamp markings that are based on the clock time of the machine itself. It is a mistake to assume that this clock is accurate. To allow the correlation of timestamp data from records inside the computer with any external event, it is necessary to know the time offset between the machine clock and the actual time. When collecting forensic data it is vitally important to collect the __________ so that local variations in time can be corrected.
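
How the recorded offset is applied in practice, as an added example that is not part of the original page: the examiner notes the system clock and a trusted reference clock at the same instant, derives the offset, rewrites the host's log timestamps to true time, and only then correlates them against an external record. The clock readings, log lines and firewall timestamp are all constructed; the host clock is assumed to be in UTC so that no time-zone conversion is needed.

```python
import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def record_time_offset(system_clock: str, reference_clock: str) -> timedelta:
    """Offset = system clock reading - trusted reference reading, both captured
    at the same instant. Positive means the system clock runs fast."""
    return (datetime.strptime(system_clock, TS_FORMAT)
            - datetime.strptime(reference_clock, TS_FORMAT))


def to_true_time(system_ts: datetime, offset: timedelta) -> datetime:
    """Subtract the recorded offset to convert a machine timestamp to true time."""
    return system_ts - offset


def normalize_log(lines, offset: timedelta):
    """Parse log lines stamped by the machine's own clock and rewrite each
    timestamp to true time. Lines without a parseable timestamp are skipped."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        system_ts = datetime.strptime(match.group(1), TS_FORMAT)
        events.append((to_true_time(system_ts, offset), match.group(2)))
    return events


def correlate(events, external_ts: datetime, window=timedelta(seconds=30)):
    """Return log events whose corrected time falls within +/- window of an
    event recorded by an external, trusted clock (e.g. a firewall log)."""
    return [(ts, msg) for ts, msg in events if abs(ts - external_ts) <= window]


# Constructed evidence (assumption, not from the page). At collection the
# examiner photographed the system clock beside a trusted reference clock.
SYSTEM_CLOCK_AT_COLLECTION = "2024-05-06 14:03:27"
REFERENCE_AT_COLLECTION = "2024-05-06 13:58:12"   # the host runs 5 min 15 s fast
OFFSET = record_time_offset(SYSTEM_CLOCK_AT_COLLECTION, REFERENCE_AT_COLLECTION)

HOST_LOG = [  # timestamps as written by the suspect host's own clock (UTC assumed)
    "2024-05-06 14:03:01 sshd[4311]: Accepted password for svc_backup from 203.0.113.7",
    "2024-05-06 14:04:40 sudo: svc_backup : COMMAND=/bin/tar cf /tmp/x.tar /srv/finance",
    "garbage line without a timestamp",
]
# The same login as seen by the perimeter firewall, whose clock is trusted.
FIREWALL_LOGIN_TS = datetime(2024, 5, 6, 13, 57, 44)

if __name__ == "__main__":
    print(f"recorded offset: {OFFSET}")
    corrected = normalize_log(HOST_LOG, OFFSET)
    for ts, msg in corrected:
        print(ts.strftime(TS_FORMAT), msg)
    print("matches with correction:", len(correlate(corrected, FIREWALL_LOGIN_TS)))
    print("matches without correction:",
          len(correlate(normalize_log(HOST_LOG, timedelta()), FIREWALL_LOGIN_TS)))
```

Without the offset the host's `Accepted password` entry sits more than five minutes after the firewall's record of the same connection and the two never line up; with it, the corrected time 13:57:46 falls two seconds from the firewall's 13:57:44. Keep the sign convention written down with the evidence (here, positive means the host was fast), because applying a recorded offset with the wrong sign doubles the error instead of removing it.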

Qualitative (risk assessment)

__________ risk assessment is the process of subjectively determining the impact of an event that affects a project, program, or business. This type of risk assessment usually involves the use of expert judgment, experience, or group consensus to complete the assessment.

Exit interviews

___________ can be powerful tools for gathering information when people leave an organization. From a security perspective, the off-boarding process for personnel is very important. Employee termination procedures need to include termination of all accounts, including those enabled on mobile devices.

Change management

___________ has its roots in systems engineering, where it is commonly referred to as configuration management. Most of today's software and hardware change management practices derive from long-standing systems engineering configuration management practices. Computer hardware and software development have also evolved to the point that proper management structure and controls must exist to ensure the products operate as planned. It is normal for an enterprise to have a Change Control Board to approve all production changes and ensure the change management procedures are followed before changes are introduced to a system. Configuration control is the process of controlling changes to items that have been baselined. Configuration control ensures that only approved changes to a baseline are allowed to be implemented.

Quantitative (risk assessment)

___________ risk assessment is the process of objectively determining the impact of an event that affects the project, program, or business. This type of risk assessment usually involves the use of metrics and models to complete the assessment.

Executive users (Role-based awareness training)

____________ are a special type of user. Their business responsibilities may be broad and deep, covering many levels and types of business functions. This high level of responsibility may not translate directly to their needed computer access. Does the CIO, the highest-level IT employee, require all the permissions of all their subordinates? The true answer is no, for they will not be performing those tasks as their work, and should they on occasion need access, it can be granted at the time of need.

Risk response techniques, avoiding (risk assessment)

____________ the risk can be accomplished in many ways. Although you can't remove threats from the environment, you can alter the system's exposure to the threats. Not deploying a module that increases risk is one manner of risk ___________.

