Chapter 12 = Disaster Recovery and Incident Response

Gray box test

tester has some limited knowledge of the target system

Incident identification

the first step in determining what has occurred in your organization.

disaster recovery

The act of recovering data following a disaster in which it has been destroyed.

disaster recovery plan

A detailed process for recovering information or an IT system in the event of a catastrophic disaster such as a fire or flood

fireproof

A fireproof container should be guaranteed to withstand damage regardless of the type of fire or temperature

passive reconnaissance

A penetration testing method used to collect information. It typically uses open-source intelligence. Compare with active reconnaissance.

disaster-recovery plan

A plan outlining the procedure by which data is recovered after a disaster.

full backup

Complete, comprehensive backup of all files on a disk or server. Once the system goes back into operation, the backup is no longer current.

chain of custody

Covers how evidence is secured, where it is stored, and who has access to it.

Tabletop Exercises 5 levels of testing

Document Review Walkthrough Simulation Parallel Test Cutover Test

vulnerability scanning

Identifying specific vulnerabilities in your network.

snapshot

Image of a virtual machine at a moment in time.

Tabletop Exercise

Individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them

data sovereignty

Means that data stored in a country is subject to the laws of that country.

incident response plan (IRP)

Outlines what steps are needed and who is responsible for deciding how to handle a situation.

Working copy backups

Partial or full backups that are kept at the computer center for immediate recovery purposes.

Intrusive tests

Penetration-type testing that involves trying to break into the network.

The six steps of any incident response process should be as follows

Preparation Identification Containment Eradication Recovery Lessons learned

Critical Business Functions (CBFs)

Processes or systems that must be made operational immediately when an outage occurs.

Hierarchical storage management (HSM)

Provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest version of an available real-time backup.

Active Reconnaissance

Reconnaissance where the attacker engages with the target system, typically conducting a port scan to determine find any open ports.

legal hold

The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated

The Grandfather, Father, Son method

This method assumes that the most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father, in turn, becomes the grandfather.

escalation

This process involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident.

pivot

When it is possible to attack a system using another, compromised system

full backup

a backup that copies all data to the archive medium

Journaled File System (JFS)

a log file of all changes and transactions that have occurred within a set period of time

tabletop exercise

a simulation of a disaster.

System image

a snapshot of what exists

A hot site is also referred as

active backup model

A warm site is also referred as

active/active model

Two of the key components of BCP

business impact analysis (BIA) and risk assessment.

Incident response

encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.

false positive

flagged event that isn't really a notable incident and has been falsely triggered.

backup plan

identifies which information is to be stored, how it will be stored, and for what duration it will be stored.

first responders

individuals who must ascertain whether it truly is an incident or a false alarm.

Intrusive tests

involve actually trying to break into the network.

Nonintrusive tests

involve passively testing of security controls—performing vulnerability scans and probing for weaknesses but not exploiting them.

backout

is a reversion from a change that had negative consequences.

pivot (another name)

island hopping

differential backup

it backs up any files that have been altered since the last full backup; it makes duplicate copies of files that haven't changed since the last differential backup.

offsite storage of records

refers to a location away from the computer center where paper copies and backup media are kept.

Forensics

refers to the process of identifying what has occurred on a system by examining the data trail.

Working copy backups sometimes referred to as

shadow copies

fire ratings

specify that a container can protect its contents for a specific amount of time in a given situation.

onsite storage

A location on the site of the computer center that is used to store information locally.

cold site

A physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately.

Document Review

A review of recovery, operations, resumption plans, and procedures.

non-credentialed vulnerability scan

A scan that does not use credentials to conduct an internal vulnerability assessment.

credentialed vulnerability scan

A scan that provides credentials to the scanner so that tests for additional internal vulnerabilities can be performed

hot site

A separate and fully equipped facility where the company can move immediately after a disaster and resume business

warm site

A site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site.

system image

A snapshot of the current state of the computer that contains all settings and data. A snapshot of what exists.

Shadow Copies

A technology that allow users to retrieve previous versions of files and folders on their own, without requiring IT personnel to restore files or folders from backup media.

differential backup

A type of backup that includes only new files or files that have changed since the last full backup

incremental backup

A type of backup that includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion.

incremental backup (partial backup)

A type of backup that only backs up files that have changed since the last time files were backed up.

reciprocal agreements

An agreement between two companies to provide services in the event of an emergency

Intrusion Detection System (IDS)

Any set of tools that can identify an attack using defined rules or logic.

Intrusion Prevention System (IPS)

Any set of tools that identify and then actively respond to attacks based on defined rules.

Business Continuity Planning (BCP)

Details how a company recovers and restores critical business operations and systems after a disaster or extended disruption

intrusion

The act of entering a system without authorization to do so.

Backup Server Method

Establishes a server with large amounts of disk space whose sole purpose is to back up data.

BIA is concerned with

Evaluating the processes

Risk assessment is concerned with

Evaluating the risk or likelihood of a loss.

Nonintrusive tests

Penetration/vulnerability testing that takes a passive approach rather than actually trying to break into the network.

onsite storage

Storing backup data at the same site as the servers on which the original data resides.

Offsite storage

Storing data off the premises, usually in a secure location.

Vulnerability scanning

The act of scanning for weaknesses and susceptibilities in the network and on individual systems.

Volatility

The amount of time that you have to collect certain data before a window of opportunity is gone.

working copy backup

The copy of the data currently in use on a network.

full archival method

a concept that works on the assumption that any information created on any system is stored FOREVER

Escalation of Privileges

a hole created when code is executed with higher privileges than those of the user running it.

Black box test

tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker

White box test

tester has significant knowledge of the system. This simulates an attack from an insider.

Forensics (security)

the act of looking at all the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.

incident

the occurrence of any event that endangers a system or network.

Failover

the process of reconstructing a system or switching over to other systems when a failure is detected