Chapter 12 = Disaster Recovery and Incident Response
Gray box test
tester has some limited knowledge of the target system
Incident identification
the first step in determining what has occurred in your organization.
disaster recovery
The act of recovering data following a disaster in which it has been destroyed.
disaster recovery plan
A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood
fireproof
A fireproof container should be guaranteed to withstand damage regardless of the type of fire or temperature
passive reconnaissance
A penetration testing method used to collect information. It typically uses open-source intelligence. Compare with active reconnaissance.
disaster-recovery plan
A plan outlining the procedure by which data is recovered after a disaster.
full backup
Complete, comprehensive backup of all files on a disk or server. Once the system goes back into operation, the backup is no longer current.
chain of custody
Covers how evidence is secured, where it is stored, and who has access to it.
Tabletop exercises: 5 levels of testing
Document Review, Walkthrough, Simulation, Parallel Test, Cutover Test
vulnerability scanning
Identifying specific vulnerabilities in your network.
snapshot
Image of a virtual machine at a moment in time.
Tabletop Exercise
Individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them
data sovereignty
Means that data stored in a country is subject to the laws of that country.
incident response plan (IRP)
Outlines what steps are needed and who is responsible for deciding how to handle a situation.
Working copy backups
Partial or full backups that are kept at the computer center for immediate recovery purposes.
Intrusive tests
Penetration-type testing that involves trying to break into the network.
The six steps of any incident response process should be as follows
Preparation, Identification, Containment, Eradication, Recovery, Lessons learned
Critical Business Functions (CBFs)
Processes or systems that must be made operational immediately when an outage occurs.
Hierarchical storage management (HSM)
Provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup.
Active Reconnaissance
Reconnaissance where the attacker engages with the target system, typically conducting a port scan to find any open ports.
legal hold
The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated
The Grandfather, Father, Son method
This method assumes that the most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father, in turn, becomes the grandfather.
escalation
This process involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident.
pivot
When it is possible to attack a system using another, compromised system
full backup
a backup that copies all data to the archive medium
Journaled File System (JFS)
a log file of all changes and transactions that have occurred within a set period of time
tabletop exercise
a simulation of a disaster.
System image
a snapshot of what exists
A hot site is also referred to as
active backup model
A warm site is also referred to as
active/active model
Two of the key components of BCP
business impact analysis (BIA) and risk assessment.
Incident response
encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
false positive
flagged event that isn't really a notable incident and has been falsely triggered.
backup plan
identifies which information is to be stored, how it will be stored, and for what duration it will be stored.
first responders
individuals who must ascertain whether it truly is an incident or a false alarm.
Intrusive tests
involve actually trying to break into the network.
Nonintrusive tests
involve passive testing of security controls—performing vulnerability scans and probing for weaknesses but not exploiting them.
backout
is a reversion from a change that had negative consequences.
pivot (another name)
island hopping
differential backup
it backs up any files that have been altered since the last full backup; it makes duplicate copies of files that haven't changed since the last differential backup.
offsite storage of records
refers to a location away from the computer center where paper copies and backup media are kept.
Forensics
refers to the process of identifying what has occurred on a system by examining the data trail.
Working copy backups are sometimes referred to as
shadow copies
fire ratings
specify that a container can protect its contents for a specific amount of time in a given situation.
onsite storage
A location on the site of the computer center that is used to store information locally.
cold site
A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately.
Document Review
A review of recovery, operations, resumption plans, and procedures.
non-credentialed vulnerability scan
A scan that does not use credentials to conduct an internal vulnerability assessment.
credentialed vulnerability scan
A scan that provides credentials to the scanner so that tests for additional internal vulnerabilities can be performed
hot site
A separate and fully equipped facility where the company can move immediately after a disaster and resume business
warm site
A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site.
system image
A snapshot of the current state of the computer that contains all settings and data. A snapshot of what exists.
Shadow Copies
A technology that allows users to retrieve previous versions of files and folders on their own, without requiring IT personnel to restore files or folders from backup media.
differential backup
A type of backup that includes only new files or files that have changed since the last full backup
incremental backup
A type of backup that includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion.
incremental backup (partial backup)
A type of backup that only backs up files that have changed since the last time files were backed up.
reciprocal agreements
An agreement between two companies to provide services in the event of an emergency
Intrusion Detection System (IDS)
Any set of tools that can identify an attack using defined rules or logic.
Intrusion Prevention System (IPS)
Any set of tools that identify and then actively respond to attacks based on defined rules.
Business Continuity Planning (BCP)
Details how a company recovers and restores critical business operations and systems after a disaster or extended disruption
intrusion
The act of entering a system without authorization to do so.
Backup Server Method
Establishes a server with large amounts of disk space whose sole purpose is to back up data.
BIA is concerned with
Evaluating the processes
Risk assessment is concerned with
Evaluating the risk or likelihood of a loss.
Nonintrusive tests
Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network.
onsite storage
Storing backup data at the same site as the servers on which the original data resides.
Offsite storage
Storing data off the premises, usually in a secure location.
Vulnerability scanning
The act of scanning for weaknesses and susceptibilities in the network and on individual systems.
Volatility
The amount of time that you have to collect certain data before a window of opportunity is gone.
working copy backup
The copy of the data currently in use on a network.
full archival method
a concept that works on the assumption that any information created on any system is stored FOREVER
Escalation of Privileges
a hole created when code is executed with higher privileges than those of the user running it.
Black box test
tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker
White box test
tester has significant knowledge of the system. This simulates an attack from an insider.
Forensics (security)
the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.
incident
the occurrence of any event that endangers a system or network.
Failover
the process of reconstructing a system or switching over to other systems when a failure is detected