Chapter 12: Disaster Recovery and Incident Response


Grandfather, Father, Son Method

One of the most popular methods of backup tape rotation, using three generations (sets) of tapes. The daily backups are the Sons, the weekly full backups are the Fathers, and the monthly full backups are the Grandfathers; as newer backups are made, the newest Son ages into the Father set and the Father, in turn, into the Grandfather set. At the end of each month a full backup is performed on all systems and stored in an offsite facility for one year, each monthly tape replacing the tape from the same month of the previous year. Weekly or daily incremental backups are performed and kept until the next full backup occurs; that full backup is then stored offsite, and the weekly or daily tapes are reused.
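To make the rotation concrete, the following is an added example (not part of the original study set) that classifies each day's tape into a generation and computes which tapes must still be held on a given day. The retention windows (daily tapes reused after the next weekly full, weekly tapes after the next month-end full, monthly tapes kept for twelve months), the Sunday weekly full and the Q1 2024 history are all assumptions chosen to match the card.

```python
from datetime import date, timedelta

# Retention windows (assumptions chosen to match the card).
SON_DAYS = 7               # daily incrementals reused after the next weekly full
FATHER_WEEKS = 5           # weekly fulls reused after the next month-end full
GRANDFATHER_MONTHS = 12    # monthly fulls held offsite for a year
WEEKLY_FULL_WEEKDAY = 6    # Sunday (Python weekday(): Monday=0 ... Sunday=6)


def is_month_end(d: date) -> bool:
    return (d + timedelta(days=1)).month != d.month


def generation(d: date) -> str:
    """Which generation the tape written on day d belongs to."""
    if is_month_end(d):
        return "grandfather"           # monthly full, goes offsite
    if d.weekday() == WEEKLY_FULL_WEEKDAY:
        return "father"                # weekly full
    return "son"                       # daily incremental


def months_between(older: date, newer: date) -> int:
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def retained(history: list[date], today: date) -> dict[str, list[date]]:
    """Tapes that must still be held on `today`; anything else may be reused."""
    keep = {"grandfather": [], "father": [], "son": []}
    for d in sorted(history):
        gen = generation(d)
        age = today - d
        if gen == "grandfather" and months_between(d, today) < GRANDFATHER_MONTHS:
            keep[gen].append(d)
        elif gen == "father" and age < timedelta(weeks=FATHER_WEEKS):
            keep[gen].append(d)
        elif gen == "son" and age < timedelta(days=SON_DAYS):
            keep[gen].append(d)
    return keep


def reusable(history: list[date], today: date) -> list[date]:
    """Tapes that have aged out of every generation and can go back in the pool."""
    kept = {d for tapes in retained(history, today).values() for d in tapes}
    return sorted(d for d in history if d not in kept)


def summary(history: list[date], today: date) -> dict[str, list[str]]:
    return {gen: [d.isoformat() for d in tapes]
            for gen, tapes in retained(history, today).items()}


def q1_2024_history() -> list[date]:
    """Constructed history: one tape per day from 2024-01-01 to 2024-03-31."""
    return [date(2024, 1, 1) + timedelta(days=i) for i in range(91)]


if __name__ == "__main__":
    history = q1_2024_history()
    today = history[-1]                # 2024-03-31, a Sunday and a month end
    for gen, tapes in summary(history, today).items():
        print(gen, tapes)
    print("reusable tapes:", len(reusable(history, today)))
```

A day that is both a Sunday and a month end (2024-03-31 in the sample) is classified as a Grandfather, so the monthly tape is the one that goes offsite; the Father set on that day holds the four previous Sundays, and the Son set holds Monday through Saturday of the current week.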

IRP (Incident Response Plan)

outlines what steps are needed and who is responsible for deciding how to handle a situation.

Escalation of privilege

a vulnerability created when code is executed with higher privileges than those of the user running it, letting that user gain rights they were never granted

There are five levels of testing a recovery plan, from a tabletop exercise up to a live cutover (least to most disruptive):

- Document Review
- Walkthrough
- Simulation
- Parallel Test (you start up all backup systems but leave the main systems functioning)
- Cutover Test (this test shuts down the main systems and has everything fail over to the backup systems)

Benefits of credentialed scanning

- Does not disrupt operations or consume too many resources (the scanner logs in and reads patch and configuration state instead of hammering services from the outside)
- Produces a definitive list of missing patches
- Uncovers client-side software vulnerabilities

Track man hours and expense

Data forensics can be a very time-consuming process. Many companies base next year's budget on the current year's budget, so properly documenting the time and man hours spent on forensics helps ensure money is budgeted properly next year. It also helps when planning resource needs: based on workload, do you have enough resources to complete the job? The number of hours needed versus the expense may dictate whether you request additional FTEs or contractors. Many times vendors have professional services available for quick engagements that need specific expertise.

Take hashes

It is important to collect as much data as possible to be able to illustrate the situation, and hashes must not be left out of the equation: hash each item of evidence at the time it is collected so that its integrity can be proven later.

The key element of a vulnerability scan is:

identifying vulnerabilities

False positives

are events that aren't really incidents

chain of custody

A list of all people who came into possession of an item of evidence

Talk to witnesses

It is important to talk to as many witnesses as possible to learn exactly what happened and to do so as soon as possible after the incident.

Document Network Traffic and Logs

Look at network traffic and logs to see what information you can find there. This information can be useful in identifying trends associated with repeated attacks.

What is a good vulnerability scanner to use

Nessus

An incident response plan needs at least four of the following:

- A guideline for documenting the incident type and defining its category.
- Resources used to deal with an incident.
- Defined roles and responsibilities for those who are involved in the investigation and response. This should identify members of the cyber-incident response team(s).
- Reporting requirements and escalation procedures, including a list of outside agencies that should be contacted or notified and outside experts who can be used to address issues if needed.

The six steps of any incident response process are

- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned

What are the two types of incidents that call for different responses:

- internal incidents
- incidents involving law enforcement or outside professionals

Offsite storage

A location away from the computer center where paper copies and backup media are kept.

Vulnerability scanning

Allows you to identify specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack.

Backup Server Method

Servers with large amounts of disk space whose sole purpose is performing backups - Advantage: can be available online for immediate access.

Warm site

Similar to a hot site but not fully equipped with all of the hardware needed for recovery, which requires the customer to do more work to become operational.

Record Time Offset

Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation.
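Why the recorded offset matters becomes obvious once logs from several machines are merged. The following is an added example, not part of the original study set, that normalizes log lines from three hosts onto one reference clock (the firewall stamps logs in UTC+1 and runs 5 s fast, the database host's clock is 272 s slow) and then counts repeated source addresses, which is the "trend" the Document Network Traffic and Logs card refers to. The host names, offsets and log lines are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed: what was recorded on each machine during acquisition.
# tz_hours - the UTC offset the host stamps its log lines in.
# skew_s   - host clock minus the reference (NTP) clock, in seconds;
#            positive means the host's clock runs fast.
HOST_CLOCKS = {
    "fw":    {"tz_hours": 1, "skew_s": 5},
    "web01": {"tz_hours": 0, "skew_s": 0},
    "db01":  {"tz_hours": 0, "skew_s": -272},
}

# Constructed log lines in the form "<host> <local timestamp> <message>".
# Read naively, db01's line looks like it happened first and fw's lines an hour later.
RAW_LOGS = """\
db01 2024-05-02 13:59:00 mysqld: Access denied for user 'root'@'10.0.0.7'
web01 2024-05-02 14:03:10 sshd: Accepted password for admin from 203.0.113.5 port 51022
fw 2024-05-02 15:03:05 kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.7 DPT=22
fw 2024-05-02 15:09:05 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.8 DPT=3306
fw 2024-05-02 15:09:07 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=10.0.0.9 DPT=3306
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
IP_RE = re.compile(r"(?:from |SRC=)(\d{1,3}(?:\.\d{1,3}){3})")


def to_reference_utc(host: str, local_ts: str) -> datetime:
    """Convert a host-local timestamp to true UTC on the reference clock."""
    clock = HOST_CLOCKS[host]
    tz = timezone(timedelta(hours=clock["tz_hours"]))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    # A fast clock stamps events later than they happened, so subtract the skew.
    return local.astimezone(timezone.utc) - timedelta(seconds=clock["skew_s"])


def build_timeline(raw: str) -> list[tuple[str, str, str]]:
    """Parse raw lines; return (utc_iso, host, message) sorted by true time."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, ts, msg = m.groups()
        events.append((to_reference_utc(host, ts), host, msg))
    events.sort(key=lambda e: e[0])
    return [(t.isoformat(), h, msg) for t, h, msg in events]


def repeated_sources(timeline, threshold: int = 2) -> dict[str, int]:
    """Source addresses seen at least `threshold` times: the repeated-attack trend."""
    counts = Counter()
    for _, _, msg in timeline:
        m = IP_RE.search(msg)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    tl = build_timeline(RAW_LOGS)
    for when, host, msg in tl:
        print(when, host, msg)
    print(repeated_sources(tl))
```

After normalization the true order is firewall ACCEPT (14:03:00Z), the SSH login (14:03:10Z), then the database denial (14:03:32Z), which tells a coherent story; the raw timestamps alone would have put the database event first.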

Business Continuity

The ability of an organization to maintain its operations and services in the face of a disruptive event.

Legal hold

The process that is used during data acquisition for the preservation of all forms of relevant information when litigation is reasonably anticipated

Black Box

The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker

White Box

The tester has significant knowledge of the system. This simulates an attack from an insider, such as a rogue employee.

After Action Report

This debriefing needs to include a sharing by team members of the steps taken, along with an open discussion of what worked and what should be changed in future crises

Gray Box

This is the middle ground between the first two types of testing. Tester has some limited knowledge of the target system

Capture Video

Video can be a crucial component of documenting an investigation. It can be taken of your actions during investigation or analysis to record what's on screen and the position and location of various components. Also ask whether video evidence from security cameras exists: inside the data center? At an office or remote site? At the entrance or exit of the building?

What is a major component of a disaster-recovery plan

access and storage of information - a backup plan is an integral part of this process

What operating system uses System Restore

Windows 10

What vulnerabilities should you identify

- common misconfigurations
- a lack of security controls

Hot Sites (Disaster recovery):

a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. - Also referred to as active backup model

Backout

a reversion or roll back to a previous state from a change that had negative consequences

reciprocal agreements

an agreement between two companies to provide services in the event of an emergency

working copy backup (or shadow copies)

are partial or full backups that are kept at the computer center for immediate recovery purposes

CSIRT (Computer Security Incident Response Team)

can be a formalized or an ad hoc team. - You can throw a team together to respond to an incident after it arises, but investing time in developing the team beforehand can make an incident more manageable.

Capture screenshots

capture all relevant screenshots for later analysis. One image can often convey the same information that it would take hundreds of log entries to equal.

Passive Reconnaissance

collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering.

Active Reconnaissance

directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack

One of the most important aspects of using alternative sites is

documentation

Incident Response

encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.

disaster recovery plan

helps an organization respond effectively when a disaster occurs. - Disasters may include system failure, network failure, infrastructure failure, and natural disaster.

3 types of alternate sites

hot site, a warm site, or a cold site

backup plan

identifies which information is to be stored, how it will be stored, and for what duration it will be stored

JFS (Journaled File System)

includes a log file of all changes and transactions that have occurred within a set period of time (such as the last few hours), which can be replayed to bring the file system back to a consistent state after a crash

Intrusive tests

involves actively exploiting weaknesses, i.e., actually breaking into the network rather than just probing it

Escalation

involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident.

Non-Intrusive Testing

involves passively testing security controls: performing vulnerability scans and probing for weaknesses but not exploiting them

full backup

is a complete comprehensive backup of all files on a disk or server

Cold site

is a facility that isn't immediately ready to use. The organization must bring along its own equipment and network.

- works well when an extended outage is anticipated
- requires the most advance planning, testing, and resources to become operational, occasionally taking up to a month

incremental backup

is a partial backup that stores only the information that has been changed since the last full or the last incremental backup. - ex. if a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night

Tabletop Exercise

is a simulation of a disaster. It is a way to check to see if your plans are ready to go.

Capture system image

is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it.

Penetration Testing

is essentially an attempt to exploit the vulnerabilities that a vulnerability scan identified

Incident identification

is the first step in determining what has occurred in your organization.

BCP (Business Continuity Plan)

is the process of implementing policies, controls, and procedures to counteract the effects of losses, outages, or failures of critical business processes.

differential backup

backs up any files that have been altered since the last full backup. Because it does not reset the archive bit, each differential also re-copies files that were already captured by the previous differential, so differentials grow until the next full backup; a restore needs only the last full plus the newest differential.
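The difference between the three backup types (full backup, incremental backup and differential backup cards above) comes down to what each one does with the per-file archive bit. The following added example, not code from the original study set, models a toy volume with archive bits, runs the same Monday-to-Wednesday edits under both partial strategies, and shows how many files land on each tape and which media a Wednesday-night restore needs. The file names, edit sequence and day numbering are constructed for the example; file deletions are deliberately not modelled.

```python
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str          # "full", "incremental" or "differential"
    day: int           # 0 = Sunday night full, 1 = Monday night, ...
    files: dict        # path -> content captured on that medium


class Volume:
    """A toy volume that tracks the archive bit per file, as a backup agent would."""

    def __init__(self):
        self.files = {}
        self.archive = set()       # paths changed since the last full/incremental

    def write(self, path, content):
        self.files[path] = content
        self.archive.add(path)


def full_backup(vol, day):
    captured = dict(vol.files)
    vol.archive.clear()                        # a full resets every archive bit
    return Backup("full", day, captured)


def incremental_backup(vol, day):
    captured = {p: vol.files[p] for p in sorted(vol.archive)}
    vol.archive.clear()                        # an incremental resets them too
    return Backup("incremental", day, captured)


def differential_backup(vol, day):
    captured = {p: vol.files[p] for p in sorted(vol.archive)}
    # A differential leaves the archive bits alone, so tomorrow's differential
    # captures the same files again (the duplicate copies the card mentions).
    return Backup("differential", day, captured)


def restore(backups, day):
    """Rebuild the volume as of `day` and report which media were needed."""
    base = max((b for b in backups if b.kind == "full" and b.day <= day),
               key=lambda b: b.day)
    later = sorted((b for b in backups if base.day < b.day <= day), key=lambda b: b.day)
    incs = [b for b in later if b.kind == "incremental"]
    diffs = [b for b in later if b.kind == "differential"]
    chain = incs if incs else diffs[-1:]       # every incremental, or only the newest differential
    state = dict(base.files)
    for b in chain:
        state.update(b.files)
    return state, [(b.kind, b.day) for b in [base] + chain]


def run_week(kind):
    """Same edits Mon-Wed under one strategy; returns (files per tape, media for a Wednesday restore)."""
    vol = Volume()
    for path, content in [("a", "a0"), ("b", "b0"), ("c", "c0")]:
        vol.write(path, content)
    backups = [full_backup(vol, 0)]                       # Sunday night full
    partial = incremental_backup if kind == "incremental" else differential_backup
    for day, (path, content) in {1: ("a", "a1"), 2: ("b", "b2"), 3: ("a", "a3")}.items():
        vol.write(path, content)
        backups.append(partial(vol, day))
    sizes = [len(b.files) for b in backups[1:]]
    state, media = restore(backups, 3)
    assert state == vol.files, "restore must reproduce the live volume"
    return sizes, media


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        print(kind, run_week(kind))
```

With incrementals each tape holds only that day's change (1, 1, 1 files) but the Wednesday restore needs four media; with differentials the tapes grow (1, 2, 2 files) and the restore needs only the Sunday full and the Wednesday differential.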

alternate sites

lease or purchase a facility that is available on short notice for the purpose of restoring network or systems operations.

false positive

occurs when the scan mistakenly identifies something as a vulnerability when it is not

HSM (Hierarchical Storage Management)

provides continuous online backup by using optical or tape jukeboxes - ensures that data is being continuously backed up

CBF (Critical Business Function)

refer to those processes or systems that must be made operational immediately when an outage occurs

data sovereignty

the concept that data is subject to the laws of the country where it is stored. The legal implications of this should factor heavily into server location selection, backup facilities, and all other aspects of business operations, which is why the legal department should proactively offer advice on geographic matters.

What is the NSRL (National Software Reference Library)

they collect "known, traceable software applications" through their hash values and store them in a Reference Data Set (RDS), which investigators use to filter known files out of an examination so that effort goes to the unknown ones
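The Take hashes, chain of custody and NSRL cards describe one workflow: hash evidence at acquisition, re-hash it at every hand-off so the custody log can prove nothing changed, and set aside files whose digests appear in a known-software reference set. The following is an added example that is not part of the original study set. The evidence bytes, the RDS stand-in (which here contains a single SHA-256 digest; keying the lookup by SHA-256 is an assumption, the published RDS also carries SHA-1 and MD5) and the custody entries are all constructed.

```python
import hashlib

# Constructed evidence: path -> bytes, stand-ins for files carved from a disk image.
EVIDENCE = {
    "System32/notepad.exe":      b"MZ constructed stand-in for a known Windows binary",
    "Downloads/invoice.pdf.exe": b"MZ constructed stand-in for an unknown dropper",
    "Documents/notes.txt":       b"constructed meeting notes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_evidence(evidence: dict) -> dict:
    """Hash every item at acquisition time; these values go into the evidence log."""
    return {path: sha256_hex(data) for path, data in evidence.items()}


# Constructed stand-in for an NSRL RDS extract: digests of known, traceable
# software. Keyed by SHA-256 here (assumption); it lists only the notepad stand-in.
KNOWN_GOOD = {sha256_hex(EVIDENCE["System32/notepad.exe"])}


def triage(hashes: dict, known: set) -> dict:
    """Known files can be set aside; everything else needs an analyst's attention."""
    return {path: ("known" if h in known else "unknown") for path, h in hashes.items()}


class CustodyLog:
    """Chain-of-custody record for one item, re-hashed at every hand-off."""

    def __init__(self, item: str, acquisition_digest: str):
        self.item = item
        self.original = acquisition_digest
        self.entries = []

    def transfer(self, giver: str, receiver: str, data: bytes, when: str) -> bool:
        """Record a hand-off and return whether the item still matches its acquisition hash."""
        digest = sha256_hex(data)
        intact = digest == self.original
        self.entries.append({"from": giver, "to": receiver, "when": when,
                             "sha256": digest, "intact": intact})
        return intact


if __name__ == "__main__":
    digests = hash_evidence(EVIDENCE)
    print(triage(digests, KNOWN_GOOD))
    log = CustodyLog("Downloads/invoice.pdf.exe", digests["Downloads/invoice.pdf.exe"])
    print(log.transfer("first responder", "forensics lab",
                       EVIDENCE["Downloads/invoice.pdf.exe"], "2024-05-02T15:10:00Z"))
    for entry in log.entries:
        print(entry)
```

A transfer that returns False (the bytes no longer match the acquisition digest) is the signal that the evidence can no longer be presented as unaltered, which is why the hash is taken before the item leaves the first responder's hands.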

DAT (Digital Audio Tape)

a tape medium used to store a record of changes (the audit or transaction files). If an outage occurs, those files can be rolled forward on top of the last backup to bring the database back to its most current state.
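The JFS and DAT cards both rest on the same idea: a full backup (snapshot) plus a log of every change since it, replayed in order. The following added example, not part of the original study set, rolls a constructed transaction log forward over a constructed snapshot of a tiny key-value database. It applies only transactions that reached a commit record, so the in-flight transaction at the tail of the log (the work interrupted by the outage) is discarded rather than half-applied. The record format, keys and values are assumptions for the example.

```python
import json

# Constructed: a full backup (snapshot) taken after log sequence number (LSN) 3.
SNAPSHOT = {"lsn": 3, "rows": {"acct:100": 500, "acct:200": 120}}

# Constructed transaction log, one JSON record per line. "commit" closes a
# transaction; records after the last commit belong to a transaction that
# never completed before the outage.
TXLOG = """\
{"lsn": 1, "tx": 1, "op": "set", "key": "acct:100", "value": 500}
{"lsn": 2, "tx": 1, "op": "set", "key": "acct:200", "value": 120}
{"lsn": 3, "tx": 1, "op": "commit"}
{"lsn": 4, "tx": 2, "op": "set", "key": "acct:100", "value": 450}
{"lsn": 5, "tx": 2, "op": "set", "key": "acct:200", "value": 170}
{"lsn": 6, "tx": 2, "op": "commit"}
{"lsn": 7, "tx": 3, "op": "del", "key": "acct:200"}
"""


def roll_forward(snapshot: dict, log_text: str):
    """Replay committed transactions newer than the snapshot.

    Returns (rows, last_applied_lsn, discarded_record_count).
    """
    rows = dict(snapshot["rows"])
    pending = {}                        # tx id -> records buffered until its commit
    applied_lsn = snapshot["lsn"]
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["lsn"] <= snapshot["lsn"]:
            continue                    # already reflected in the snapshot
        if rec["op"] == "commit":
            for op in pending.pop(rec["tx"], []):
                if op["op"] == "set":
                    rows[op["key"]] = op["value"]
                elif op["op"] == "del":
                    rows.pop(op["key"], None)
            applied_lsn = rec["lsn"]
        else:
            pending.setdefault(rec["tx"], []).append(rec)
    # Anything still pending never committed: it is rolled back, not applied.
    discarded = sum(len(v) for v in pending.values())
    return rows, applied_lsn, discarded


if __name__ == "__main__":
    rows, lsn, dropped = roll_forward(SNAPSHOT, TXLOG)
    print("restored rows:", rows)
    print("last applied LSN:", lsn, "| uncommitted records discarded:", dropped)
```

Restoring from an older snapshot (or no snapshot at all) gives the same final rows because the log is replayed from wherever the snapshot left off; what changes is only how much of the log has to be read.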

credentialed vulnerability scan

uses actual network credentials to connect to systems and scan for vulnerabilities

Pivot

using a compromised system to attack other systems on the same network following initial exploitation

onsite storage

usually refers to a location on the site of the computer center that is used to store information locally. - The storage containers used aren't fireproof but are fire rated: a rating specifies that a container can protect its contents for a specific amount of time in a given situation.

Persistence

when a compromise is introduced at a different time than the attack. An example would be an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to the company's network.

Act in Order of Volatility

when dealing with multiple issues, address them in order of volatility (OOV): always deal with the most volatile first. - In an investigation you want to collect everything, but some data will exist longer than other data, and you cannot possibly collect all of it at once. As an example, the OOV in an investigation may be RAM, then hard drive data, then CDs/DVDs, then printouts.

full archival method

works on the assumption that any information created on any system is stored forever. - This method effectively eliminates the potential for loss of data - This can quickly overwhelm your storage media
