Chapter 12
False positives are events that aren't really?
Incidents. Remember that an IDS is based on established rules of acceptance (deviations from which are known as anomalies) and attack signatures. If the rules aren't set up properly, normal traffic may set off the analyzer and generate an event. Be sure to double-check your results, because you don't want to declare a false emergency.
What are capture screenshots?
Just as with video, capture all relevant screenshots for later analysis. One image can often convey the same information that it would take hundreds of log entries to equal.
In a smaller organization, a disaster-recovery plan may be relatively?
Simple and straightforward.
Two key components of BCP are?
The business impact analysis (BIA) and risk assessment. BIA is concerned with evaluating the processes, and risk assessment is concerned with evaluating the risk or likelihood of a loss. Evaluating all of the processes in an organization or enterprise is necessary in order for BCP to be effective.
When a base system has been restored what happens?
The data files and any other needed files can be restored from the last full backup and from any incremental or differential backups that have been performed since it.
Be able to describe the needed components of an incident response policy?
The incident response policy explains how incidents will be handled, including notification, resources, and escalation. This policy drives the incident response process, and it provides advance planning to the incident response team.
In addition to classifying a penetration test based on the amount of information given to the tester, it is also possible to classify the?
The test as intrusive versus nonintrusive.
What are intrusive tests?
They are penetration-type tests that involve actually trying to break into the network.
What are nonintrusive tests?
They are penetration/vulnerability tests that take a passive approach rather than actually trying to break into the network.
Critical business functions refer to?
Those processes or systems that must be made operational immediately when an outage occurs. The business can't function without them, and many are information-intensive and require access to both technology and data.
Essentially, all penetration tests will have a few similar steps, regardless of the type of test. What are those steps?
They include some attempt to bypass security controls. The penetration tester will attempt to bypass whatever security controls have been implemented on your network. This is the best way to actively test those controls.
Tenable Security, the creators of the Nessus vulnerability scanner, have the following to say about the benefits of credentialed scanning:
- Not disrupting operations or consuming too many resources. Because the scan is performed with credentials, operations are executed on the host itself rather than across the network. Everything from operating system identification to port scanning is done by running commands on the host and then sending the results of those commands back to the Nessus server. This allows Nessus to consume far less system and network resources than performing a traditional network scan that probes ports and services.
- Definitive list of missing patches. Rather than probing a service remotely and attempting to find a vulnerability, Nessus will query the local host to see if a patch for a given vulnerability has been applied. This type of query is far more accurate (and safer) than running a remote check.
- Client-side software vulnerabilities are uncovered. By looking at the software installed and its version, Nessus will find client-side software vulnerabilities that are otherwise missed in a traditional network-based audit.
- Several other "vulnerabilities". Nessus can read real password policies, obtain a list of USB devices, check antivirus software configurations, and can enumerate Bluetooth devices attached to scanned hosts.
An important recovery issue is to know?
The order in which to proceed. If a server is completely destroyed and must be re-created, ascertain which applications are the most important and should be restored before the others. Likewise, decide which services are most important to the users from a business standpoint and need to be available first. At the same time, which services are nice but not necessary to keep your business running? The answers will differ for every organization, and you must know them for yours.
One of the oldest phrases still in use today is?
"The show must go on." Nowhere is that truer than in the world of business, where downtime means the loss of significant revenue with each passing minute.
Most operating systems provide the ability to create?
A disaster-recovery process using distribution media or system state files. After a problem has been identified, what steps will you take to restore the service? In the case of a DoS attack, a system reboot may be all that is required. Your operating system vendor will typically provide detailed instructions or documentation on how to restore services in the event of an attack.
What is a capture system image?
A system image is a snapshot of what exists. Capturing an image of the operating system in its exploited state can be helpful in revisiting the issue after the fact to learn more about it. As an analogy, think of germ samples that are stored in labs after major outbreaks so scientist can revisit them later and study them further.
Be able to discuss the process of recovering a system in the event of a failure?
A system recovery usually involves restoring the base operating system, applications, and data files. The operating system and applications are usually restored either from the original distribution media or from a server that contains images of the system. Data is typically recovered from backups or archives.
You might need to restore information from backup copies for any number of reasons. Some of the more common reasons for doing so are?
Accidental deletion, application errors, natural disasters, physical attacks, server failure, virus infection, and workstation failure.
Intrusive tests involve?
Actually trying to break into the network. In the strictest sense, passive tests are really just vulnerability scans and not penetration tests, whereas active tests provide more meaningful results. Because active tests attempt the same actions as a real attack, they may also disrupt business operations in the same way.
Essentially, a penetration tester will use the same techniques that a hacker would use to find?
Any flaws in a system's security. These flaws may be discovered by means other than directly accessing the system, such as collecting information from public databases, talking to employees/partners, dumpster diving, and social engineering. This is known as passive reconnaissance. In contrast to this, active reconnaissance directly focuses on the system (port scans, traceroute information, network mapping, and so forth) to identify weaknesses that could be used to launch an attack.
What are applications?
Applications such as word processors, transaction systems, and other programs usually don't change on a frequent basis. When a change or upgrade to an application is made, it's usually accomplished across an entire organization. You wouldn't necessarily need to keep a copy of the word processing application for each user, but you should keep a single up-to-date version that is available for download and reinstallation.
The frequency at which you do backups should be based on the amount of data that you?
Are willing to lose. If you do backups once weekly (never recommended), then you could lose up to a week's worth of data. Similarly, if you do them every day, the most data you would lose is 24 hours' worth. Regardless of the frequency at which you back up, three methods exist to back up information on most systems. The difference between them is in the data that they include, and this affects the amount of time it takes to perform the backup and any restore operations that may later be required.
When a suspected incident pops up, first responders are those individuals who must?
Ascertain whether it truly is an incident or a false alarm. Depending on your organization, the first responder may be the main security administrator, or it may be a team of network and system administrators.
The information that you back up must be immediately?
Available for use when needed. If a user loses a critical file, they won't want to wait several days while data files are sent from a remote storage facility. Several types of storage mechanisms are available for data storage.
Although most attention deservedly is on backups, never overlook the need for a?
Back-out plan.
When you install a new system, make sure to make a full?
Backup of it before any data files are created. If stored onsite, this backup will be readily available for use. If you've standardized your systems, you may need just one copy of a base system that contains all the common applications that you use. The base system can usually be quickly restored, which allows for reconnection to the network for restoration of other software. Many newer operating systems now provide this capability, and the system restores are very fast.
Several common modes are used in designing?
Backup plans. Each has its own advantages and disadvantages. Numerous methods have been developed to deal with archival backup; most of them are evolutions of the three basic models: full, incremental, and differential.
What are the three types of penetration testing?
Black box: The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker. White box: The tester has significant knowledge of the system. This simulates an attack from an insider, a rogue employee. Gray box: This is the middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system.
Another key aspect of a disaster-recovery plan is to provide the restoration of?
Business functions in the event of a large-scale loss of service. You can lease or purchase a facility that is available on short notice for the purpose of restoring network or system operations. These are referred to as recovery sites, alternate sites, or backup sites. If the power in your local area were disrupted for several days, how would you reestablish service at an alternate site until primary services were restored? Several options exist to do this. These solutions are not ideal, but they are always considered to be significantly less costly, in terms of time, to implement than the estimated time of bringing your original site back up to speed. They are used to allow you to get your organization back on its feet until permanent service is available. An alternate site can be a hot site, a warm site, or a cold site.
What is capture video?
Capture any relevant video that you can. Video can later be analyzed manually in individual frames as well as run through a number of programs that can create indices of the contents.
A back-out is a reversion of a?
Change that had a negative consequence. It could be, for example, that everything was working fine until you installed a service pack on a production machine, and then services that were normally available were no longer accessible. The back-out, in this instance, would revert the system to the state it was in before the service pack was applied. Back-out plans can include uninstalling service packs, hotfixes, and patches, but they can also include reversing a migration and returning to previous iterations of firmware. A key component of creating such a plan is identifying what events will trigger the back-out.
A key aspect, often overlooked by system professionals, involves information?
Control. When an incident occurs, who is responsible for managing the communications about the incident? Employees in the company may naturally be curious about a situation. A single spokesperson needs to be designated. Remember, what one person knows runs the risk of one hundred others also finding out.
Almost every stable operating system contains a utility for creating a?
Copy of the configuration settings necessary to return to the present state after a disaster, and for restoring them. In Windows 10, for example, this is accomplished with System Restore. Make certain that you know how to do an equivalent operation for the operating system that you are running. As an administrator, you must know how to do backups and be familiar with all the options available to you.
Vulnerability scanning can be done in either a?
Credentialed or noncredentialed manner. The difference is that a credentialed vulnerability scan uses actual network credentials to log in to the systems and scan for vulnerabilities from inside the host, whereas a noncredentialed scan can only probe what the host exposes to the network.
The term incident has a special meaning in?
Different industries. In the banking and financial areas, it's very specific and involves something that includes the loss of money. You wouldn't want to call a hacker attempt an incident if you were involved in a bank network because this terminology would automatically trigger an entirely different type of investigation. The next five sections deal with the phases of a typical incident response process. The steps are generic in this example. Each organization will have a specific set of procedures that will generally map to these steps.
Understand the aspects of disaster recovery?
Disaster recovery is concerned with the recovery of critical systems in the event of a loss. One of the primary issues is the effectiveness of backup policies and procedures. Offsite storage is one of the most secure methods of protecting information from loss.
There are five levels of testing in a table top exercise what are they?
Document review: A review of recovery, operations, resumption plans, and procedures. Walkthrough: A group discussion of recovery, operations, resumption plans, and procedures. Simulation: A walkthrough of recovery, operations, resumption plans, and procedures in a scripted "case study" or "scenario". Parallel test: With this test, you start up all backup systems but leave the main systems functioning. Cutover test: This test shuts down the main systems and has everything fail over to backup systems. You should never do a cutover test if you have not already done a simulation and a parallel test. If the cutover test fails, your entire system is offline; in essence, you have created a disaster. The larger the system, the more wide-ranging an impact the system being shut down can have. Because of this, doing a cutover test can be very difficult, but you should never simply ignore those systems in your disaster-recovery planning just because of the challenge they entail.
A disaster-recovery plan, or scheme, helps an organization respond?
Effectively when a disaster occurs. Disasters may include system failure, network failure, infrastructure failure, and natural disaster. The primary emphasis of such a plan is reestablishing services and minimizing losses.
One weakness a good penetration test looks for is?
Escalation of privilege, that is, a hole created when code executes with higher privileges than those of the user running it. If the user can break out of that executing code, they are left with higher privileges than they should have.
An incident is the occurrence of any?
Event that endangers a system or a network. We need to discuss responses to two types of incidents: internal incidents and incidents involving law enforcement professionals.
Just as fire drills are helpful for dealing with the real crisis when it comes, once of the best ways to be prepared to deal with an incident is to?
Exercise responses to emergencies before they happen. Include the members of the team, and walk through mock incidents on a regular basis to identify weaknesses in your response and solutions for them.
Whether you use credentialed or noncredentialed vulnerability scanning, be prepared for?
False positives.
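The following is an added example (not code from the book or from Tenable) of why a credentialed scan gives a "definitive list of missing patches" while a network-only check produces false positives. The advisory record, the package name, the banners and the package revisions are all constructed for illustration; the advisory ID is a placeholder and not a real identifier. The scenario is the common one where a distribution backports a fix onto an older upstream version: the service still advertises the old version over the network, so a banner-based check flags it, while the package database on the host shows the fix is present.

```python
import re

# Constructed advisory record for illustration; the ID is a placeholder, not a
# real CVE or vendor advisory. "fixed_upstream" is the first upstream release
# that contains the fix, "fixed_distro" the (hypothetical) distribution package
# revision that backported the same fix onto the older upstream version.
ADVISORY = {
    "id": "EXAMPLE-0001",
    "package": "openssh-server",
    "fixed_upstream": (7, 5),
    "fixed_distro": "1:7.4p1-10+deb9u7",
}

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def version_tuple(text):
    """Reduce a version string to a tuple of its integer fields.

    Good enough for comparing revisions of one package within one distro;
    real scanners implement the distro's full version-ordering rules."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def remote_check(banner):
    """Noncredentialed logic: infer vulnerability from the version the
    service advertises over the network. Returns True if flagged."""
    m = BANNER_RE.search(banner)
    if not m:
        return False  # unknown software: the check has nothing to say
    return (int(m.group(1)), int(m.group(2))) < ADVISORY["fixed_upstream"]


def credentialed_check(pkg_line):
    """Credentialed logic: read the installed package revision on the host
    (a constructed 'name version' line, as a package manager would report it)
    and compare it with the revision that carries the fix."""
    name, installed = pkg_line.split()
    if name != ADVISORY["package"]:
        return False
    return version_tuple(installed) < version_tuple(ADVISORY["fixed_distro"])


def classify(banner, pkg_line):
    """Reconcile the network view and the on-host view of one host."""
    remote, local = remote_check(banner), credentialed_check(pkg_line)
    if local:
        return "true positive" if remote else "missed by remote scan"
    return "false positive" if remote else "not vulnerable"


if __name__ == "__main__":
    # Two constructed hosts: both advertise upstream 7.4, only one is patched.
    hosts = {
        "patched": ("SSH-2.0-OpenSSH_7.4p1", "openssh-server 1:7.4p1-10+deb9u7"),
        "unpatched": ("SSH-2.0-OpenSSH_7.4p1", "openssh-server 1:7.4p1-10+deb9u6"),
    }
    for name, (banner, pkg) in hosts.items():
        print(f"{name}: {classify(banner, pkg)}")
```

The banner check cannot distinguish the two hosts; only the credentialed check can, which is the reason the page tells you to expect false positives from noncredentialed scanning and to verify them before declaring an emergency.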
Understand the basics of forensics?
Forensics is the process of identifying what has occurred on a system by examining the data trail. It involves an analysis of evidence found in computers and on digital storage media. When dealing with multiple issues, address them in order of volatility: capture system images as a snapshot of what exists, examine network traffic and logs, capture any relevant video/screenshots/hashes, record the time offset on the systems, talk to witnesses, and track total man-hours and expenses associated with the investigation.
According to CERT, a computer security incident response team (CSIRT) can be a?
Formalized or an ad hoc team. You can toss a team together to respond to an incident after it arises, but investing time in the development process can make an incident more manageable. Many decisions about dealing with an incident will have been considered in advance. Incidents are high-stress situations; therefore, it's better to simplify the process by considering important aspects in advance. If civil or criminal actions are part of the process, evidence must be gathered and safeguarded properly. Let's say that you've just discovered a situation where a fraud has been perpetrated internally using a corporate computer. You're part of the investigation team. Your incident response policy lists the specialists that you need to contract for an investigation. Ideally, you've already met the investigator or investigating firm, you've developed an understanding of how to protect the scene, and you know how to deal properly with the media (if they become involved).
It's important that an incident response plan establish at least what following items?
- Guidelines for documenting the incident type and defining its category. This includes lists of information that should be collected about an incident and the procedures to gather and secure evidence.
- Resources used to deal with the incident.
- Defined roles and responsibilities for those who are involved in the investigation and response. This should identify the members of the cyber-incident response team.
- Reporting requirements and escalation procedures, including a list of outside agencies that should be contacted or notified and outside experts who can be used to address issues if needed.
After you determined that you indeed have an incident on your hands, you need to consider how to?
Handle it. This process, called escalation, involves consulting policies, consulting appropriate management, and determining how best to conduct an investigation into the incident. Make sure that the methods you use to investigate the incident are consistent with corporate and legal requirements for your organization. Bring your Human Resources and Legal departments into the investigation early, and seek their guidance whenever questions involving their areas of expertise arise.
After an incident has been successfully managed it's a worthwhile step to revisit the procedures and policies in place in your organization to determine what changes, if any, need to be made. Answering simple questions can sometimes be helpful when you're resolving problems. The following questions might be included in a policy or procedure manual what are they?
How did the policies work or not work in this situation? What did you learn about the situation that was new? What should you do differently next time? These simple questions can help you adjust the procedures. This process is called a post mortem, and it's the equivalent of an autopsy.
False positives are common in an?
IDS environment and may be the result of unusual traffic on the network. It may be that your network is being pinged by a class of computer security students to demonstrate the return times, or it may be that an automated tool is launching an attack. You might find that the incident doesn't require a response if it can't be successful. Your investigation might conclude that a change in policies is required to deal with a new type of threat. These types of decisions should be documented and, if necessary, reconfigurations should be made to deal with the change.
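As an added example (not from the book), here is a small ping-sweep detection rule run over constructed ICMP sensor log lines, together with the tuning the page is hinting at: the class of students pinging the network is a known source of benign sweeps, so the rule is given an allowlist for their lab subnet rather than a lower bar for everyone. The log format, the addresses and the lab subnet 10.0.5.0/24 are all assumptions made up for this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed ICMP sensor log (not from a real device). 10.0.5.23 is a host in
# a hypothetical security-class lab subnet, 203.0.113.9 an outside scanner and
# 10.0.2.2 a monitoring box that pings one server twice a minute.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z icmp echo-request src=10.0.5.23 dst=10.0.1.1
2024-05-01T10:00:02Z icmp echo-request src=10.0.5.23 dst=10.0.1.2
2024-05-01T10:00:03Z icmp echo-request src=10.0.5.23 dst=10.0.1.3
2024-05-01T10:00:04Z icmp echo-request src=10.0.5.23 dst=10.0.1.4
2024-05-01T10:00:05Z icmp echo-request src=10.0.5.23 dst=10.0.1.5
2024-05-01T10:00:06Z icmp echo-request src=10.0.5.23 dst=10.0.1.6
2024-05-01T10:00:10Z icmp echo-request src=10.0.2.2 dst=10.0.1.7
2024-05-01T10:00:40Z icmp echo-request src=10.0.2.2 dst=10.0.1.7
2024-05-01T10:01:00Z icmp echo-request src=203.0.113.9 dst=10.0.1.1
2024-05-01T10:01:01Z icmp echo-request src=203.0.113.9 dst=10.0.1.2
2024-05-01T10:01:02Z icmp echo-request src=203.0.113.9 dst=10.0.1.3
2024-05-01T10:01:03Z icmp echo-request src=203.0.113.9 dst=10.0.1.4
2024-05-01T10:01:04Z icmp echo-request src=203.0.113.9 dst=10.0.1.5
2024-05-01T10:01:05Z icmp echo-request src=203.0.113.9 dst=10.0.1.6
2024-05-01T10:01:06Z icmp echo-request src=203.0.113.9 dst=10.0.1.7
2024-05-01T10:01:07Z icmp echo-request src=203.0.113.9 dst=10.0.1.8
"""

LINE_RE = re.compile(r"^(\S+) icmp echo-request src=(\S+) dst=(\S+)$")


def parse_line(line):
    """Return (timestamp, src, dst), or None for lines the rule doesn't cover."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3)


def ping_sweep_alerts(lines, threshold=5, window_seconds=60, allow_nets=()):
    """Flag any source that echo-requests >= threshold distinct hosts inside
    a sliding window. allow_nets lists networks whose sweeps are expected
    (the lab subnet, a monitoring host); this is the rule tuning that removes
    known false positives without weakening the rule for everyone else."""
    allowed = [ipaddress.ip_network(n) for n in allow_nets]
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent = defaultdict(deque)  # per source: (timestamp, dst) inside the window
    alerted = set()
    for ts, src, dst in events:
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        window = recent[src]
        window.append((ts, dst))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len({d for _, d in window}) >= threshold:
            alerted.add(src)
    return sorted(alerted)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("untuned:", ping_sweep_alerts(lines))
    print("tuned:  ", ping_sweep_alerts(lines, allow_nets=("10.0.5.0/24",)))
```

Untuned, the rule fires on both the students and the outside scanner; with the lab subnet allowlisted only the outside scanner remains. The monitoring host never trips the rule because it repeatedly pings one destination, not many, which is why the rule counts distinct destinations rather than raw packets.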
During the entire process of responding to an incident, you should document the step you take to?
Identify, detect, and repair the system or network. This information is valuable; it needs to be captured in case an attack like this occurs again. The documentation should be accessible by the people most likely to deal with this type of problem. Many help-desk software systems provide detailed methods that you can use to record procedures and steps. These types of software products allow for fast access.
Incident response encompasses forensics and refers to the process of?
Identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
In some cases, it may not be possible to repair the problem completely. If data has been stolen, you cannot go back in time and prevent the loss of data. In such cases, you must take mitigation steps. These are steps to lessen the damage. For example, if data has been stolen, you should complete what steps?
Immediately change all passwords, notify the relevant parties, and make procedural changes so that the stolen information cannot be used to carry out additional breaches.
Business continuity planning is the process of?
Implementing policies, controls, and procedures to counteract the effect of losses, outages, or failures of critical business processes. BCP is primarily a management tool that ensures that critical business functions can be performed when normal business operations are disrupted and alternative business practices must be employed. For each critical business task, there should be a minimum of one alternative business process identified during the crafting of a continuity plan. Those alternative business practices should be documented in such a way that someone unfamiliar with them could perform them with minimal training.
What are forensics?
In terms of security, it is the act of looking at all of the data at your disposal to try to figure out who gained unauthorized access and the extent of that access.
Summary of this chapter
In this chapter, you learned about the many aspects involved in the operations of a secure environment. You studied business continuity and vendor support. Business continuity planning is the process of making decisions about how losses, outages, and failures are handled within an organization. This information is used to make educated decisions about how to deal with outages should they occur. The issue of reliable service from utility companies, such as electricity and water, should be evaluated as part of your disaster-recovery process. Addressing potential problems as part of your business decision making can prevent unanticipated downtime. Disaster recovery is the process of helping your organization prepare for recovery in the event of an unplanned situation, and it's part of your organization's business continuity plans. The process of dealing with a security problem is called incident response. An incident response policy should clearly outline what resources, individuals, and procedures are to be involved in the event of an incident.
It's a good idea to include the procedures that you'll generally follow in an?
Incident response plan (IRP). The IRP outlines what steps are needed and who is responsible for deciding how to handle a situation. The computer science department at Carnegie Mellon pioneered this process.
A major component of a disaster-recovery plan involves the access and storage of?
Information. Your backup plan for the data is an integral part of this process. The following sections address backup plan issues and backup types. They also discuss developing a backup plan, recovering a system, and using alternative sites. These are key components of a disaster-recovery plan: they form the heart of how an organization will respond when a critical failure or disaster occurs.
Management must view the disaster-recovery plan as an?
Integral part of its business continuity planning (BCP). Management must also provide the resources needed to implement and maintain an alternative site after the decision has been made to contract for the facilities. It is their responsibility to factor geographic distance into the selection criteria and to include the travel-related costs associated with that distance.
The very first step, even with a suspected incident is?
Isolation. If you think, for example, that a given machine is infected with a virus, you must isolate that machine, even before you are sure that it is indeed infected. This involves quarantining the machines that you suspect of being infected. Literally disconnect them from the network while you analyze the situation. In some cases, this is accomplished with simple device removal: just remove the device from the network by unplugging the network cable.
What is a tabletop exercise?
It is an exercise that involves individuals sitting around a table with a facilitator discussing situations that could arise and how best to respond to them.
What is a snapshot?
It is an image of a virtual machine at a moment in time.
What is the Grandfather, Father, Son method?
It is based on the philosophy that a full backup should occur at regular intervals, such as monthly or weekly. This method assumes that the most recent backup after the full backup is the son. As newer backups are made, the son becomes the father, and the father, in turn, becomes the grandfather. At the end of each month, a full backup is performed on all systems. This backup is stored in an offsite facility for a period of one year. Each monthly backup replaces the monthly backup from the previous year. Weekly or daily incremental backups are performed and stored until the next full backup occurs. This full backup is then stored offsite, and the weekly or daily backup tapes are reused (the January 1 incremental backup tape is used again on February 1, and so on). This method ensures that in the event of a loss, the full backup from the end of last month and the daily backups can be used to restore information up to the last day. The annual backup is referred to as the grandfather, the monthly backup is the father, and the weekly backup is the son. The last backup of the month becomes the archived backup for that month. The last backup of the year becomes the annual backup for the year. Annual backups are usually archived; this allows an organization to have backups available for several years and minimizes the likelihood of data loss. It's a common practice for an organization to keep a minimum of seven years in archives. The last backup of the year is permanently retained. This ensures that the previous year's information can be recovered if necessary. The major difficulty with this process is that a large number of tapes are constantly flowing between the storage facility and the computer center. In addition, cataloging daily and weekly backups can be complicated. It can become difficult to determine which files have been backed up and where they're stored.
The process of investigating an incident involves what?
It involves searching logs, files, and any other sources of data about the nature and scope of an incident. If possible, you should determine whether this is part of a larger attack, a random event, or a false positive.
What is a full back up?
It is a backup that copies all data to archive medium.
What are full back ups?
It is a complete, comprehensive backup of all files on a disk or server. The full backup is current only at the time it's performed. Once a full backup is made, you have a complete archive of the system at that point in time. A system shouldn't be in use while it undergoes a full backup, because some files may not get backed up. Once the system goes back into operation, the backup is no longer current. A full backup can be a time-consuming process on a large system.
What are cold sites?
It is a facility that isn't immediately ready to use. The organization using it must bring along its equipment and network. A cold site may provide network capability, but this isn't usually the case; the site provides a place for operations to resume, but it doesn't provide the infrastructure to support those operations. Cold sites work well when an extended outage is anticipated. The major challenge is that the customer must provide all the capabilities and do all the work to get back into operation. Cold sites are usually the least expensive to put into place, but they require the most advance planning, testing, and resources to become operational, occasionally taking up to a month. Herein lies the problem. The likelihood that you'll need any of these facilities is low; most organizations will never need to use them. The costs are usually based on a subscription or other contracted relationship, and it's difficult for most organizations to justify the expense. In addition, planning, testing, and maintaining these facilities is difficult; it does little good to pay for any of these services if they don't work and aren't available when you need them.
What is a false positive?
It is a flagged event that isn't really a notable incident and has been falsely triggered.
What is a hot site?
It is a location that can provide operations within hours of a failure.
What is a Hot Site?
It is a location that can provide operations within hours of a failure. This type of site would have servers, networks, and telecommunications equipment in place to reestablish service in a short time. Hot sites provide network connectivity, systems, and preconfigured software to meet the needs of an organization. Databases can be kept up-to-date using network connections. These types of facilities are expensive, and they're primarily suitable for short-term situations. A hot site may also double as an offsite storage facility, providing immediate access to archives and backup media. A hot site is also referred to as an active backup model.
What are incremental backups?
It is a partial backup that stores only the information that has been changed since the last full or last incremental backup. If a full backup were performed on a Sunday night, an incremental backup done on Monday night would contain only the information that changed since Sunday night. Such a backup is typically considerably smaller than a full backup. Each incremental backup must be retained until a full backup can be performed. Incremental backups are usually the fastest backups to perform on most systems, and each incremental backup tape is relatively small. Keep in mind that though we may use the word tape even when a different storage medium is used, the concept is still the same.
What is a cold site?
It is a physical site that can be used if the main site is inaccessible (destroyed) but that lacks all of the resources necessary to enable an organization to use it immediately.
What is a disaster-recovery plan?
It is a plan outlining the procedure by which data is recovered after a disaster.
What is a warm site?
It is a site that provides some capabilities in the event of a disaster. The organization that wants to use a warm site will need to install, configure, and reestablish operations on systems that might already exist in the warm site.
What is a system image?
It is a snapshot of what exists.
What is a differential backup?
It is a type of backup that includes only new files or files that have been changed since the last full backup. Differential backups differ from incremental backups in that they don't clear the archive bit upon their completion.
What is an incremental backup?
It is a type of backup that includes only new files or files that have changed since the last full backup and then clears the archive bit upon completion.
What is an intrusion prevention system (IPS)?
It is any set of tools that identify and then actively respond to attacks based on defined rules. Like an IDS (its passive counterpart, which detects and alerts but does not respond), an IPS can be network-based or host-based.
What is onsite storage?
It is backup data kept at the same site as the servers on which the original data resides.
What is vulnerability scanning?
It is identifying specific vulnerabilities in your network.
What is take hashes?
It is important to collect as much data as possible to be able to illustrate the situation, and hashes must not be left out of the equation. NIST (National Institute of Standards and Technology) maintains the National Software Reference Library (NSRL). One of the purposes of the NSRL is to collect "known, traceable software applications" through their hash values and store them in the Reference Data Set (RDS). The RDS can then be used by law enforcement, government agencies, and businesses to determine which files are important as evidence in criminal investigations. Record the algorithm alongside each hash value, and because MD5 and SHA-1 are no longer collision resistant, record a SHA-256 digest as well.
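The hash-and-compare workflow the card describes, as an added example (it is not code from the original page or from NIST). The reference set here is constructed from sample content; a real investigation would look the SHA-256 or MD5/SHA-1 values up in the published NSRL RDS. The file names are hypothetical stand-ins.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 16):
    """Return {algorithm: hexdigest} for one file, streaming it in chunks so large
    evidence files are never read into memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def triage(paths, known_sha256):
    """Split files into those whose SHA-256 appears in the reference set (known,
    e.g. stock OS binaries) and those that do not (unknown: worth a closer look)."""
    known, unknown = [], []
    for path in paths:
        digest = hash_file(path, algorithms=("sha256",))["sha256"]
        (known if digest in known_sha256 else unknown).append((path, digest))
    return known, unknown


def demo():
    """Constructed scenario: two files, and a reference set that holds only the first."""
    with tempfile.TemporaryDirectory() as workdir:
        stock = os.path.join(workdir, "notepad.exe")        # hypothetical name
        with open(stock, "wb") as fh:
            fh.write(b"stand-in for a stock operating-system binary")
        oddity = os.path.join(workdir, "svch0st.exe")       # hypothetical name
        with open(oddity, "wb") as fh:
            fh.write(b"stand-in for a file nobody can account for")
        # Constructed reference set; a real lookup would query the NSRL RDS.
        reference = {hash_file(stock)["sha256"]}
        known, unknown = triage([stock, oddity], reference)
        return ([os.path.basename(p) for p, _ in known],
                [os.path.basename(p) for p, _ in unknown])


if __name__ == "__main__":
    print(demo())
```

Files that match the reference set can be set aside; the unknown ones are where analysis time goes. Keep the full hash record (all three algorithms) with the evidence log so the values can be re-verified later.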
What is talk to witnesses?
It is important to talk to as many witnesses as possible to learn exactly what happened, and to do so as soon as possible after the incident. Over time, details and recollections change, and you want to collect their accounts before such changes occur. If at all possible, document as much of the interview as you can with video recorders, digital recorders, or whatever recording tools you can find.
What is record time offset?
It is quite common for workstation clocks to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset of each affected machine during the investigation. One method is to add an entry to a log file on the system while noting the trusted (reference) time at which you did so; the difference between the time the system stamped on that entry and the reference time is the offset.
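The offset procedure carried through in code, as an added example that is not part of the original page. The clock readings and log entries are constructed; the host names are hypothetical. It shows why the offset matters: two hosts' raw timestamps put events in the wrong order, and correcting for each host's offset reverses them.

```python
from datetime import datetime, timedelta, timezone


def measure_offset(host_clock, reference_clock):
    """Offset = host time minus trusted reference time, both read at the same instant.
    Positive means the host clock runs fast."""
    return host_clock - reference_clock


def normalise(host_timestamp, offset):
    """Convert a timestamp read from the host's own logs back to reference time."""
    return host_timestamp - offset


def build_timeline(entries, offsets):
    """entries: (host, host_timestamp, message); offsets: {host: timedelta}.
    Returns the entries sorted by corrected (reference) time."""
    corrected = [(normalise(ts, offsets[host]), host, msg) for host, ts, msg in entries]
    return sorted(corrected)


def demo():
    utc = timezone.utc
    # Constructed: when the investigator checked, the reference (NTP) clock read 10:00:00.
    ref = datetime(2024, 3, 1, 10, 0, 0, tzinfo=utc)
    offsets = {
        "ws01": measure_offset(datetime(2024, 3, 1, 10, 7, 30, tzinfo=utc), ref),   # 7m30s fast
        "srv01": measure_offset(datetime(2024, 3, 1, 9, 58, 0, tzinfo=utc), ref),   # 2m slow
    }
    # Constructed log entries, stamped by each host's own clock.
    entries = [
        ("ws01", datetime(2024, 3, 1, 9, 40, 0, tzinfo=utc), "user opened attachment"),
        ("srv01", datetime(2024, 3, 1, 9, 31, 0, tzinfo=utc), "new admin account created"),
    ]
    return [(ts.isoformat(), host, msg) for ts, host, msg in build_timeline(entries, offsets)]


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Taken at face value, the server shows the admin account appearing nine minutes before the attachment was opened; after correction the attachment comes first by thirty seconds. Always record the reference source (which NTP server, or a phone on network time) together with the offset.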
What are differential backups?
It is similar in function to an incremental backup, but it backs up every file that has been altered since the last full backup; it therefore re-copies files that have not changed since the previous differential backup. If a full backup were performed on Sunday night, a differential backup performed on Monday night would capture the information that was changed on Monday. A differential backup completed on Tuesday night would record the changes in files from Monday and any changes in files on Tuesday. As you can see, during the week each differential backup becomes larger; by Friday or Sunday night, it might be nearly as large as a full backup. This means that the backups in the earliest part of the weekly cycle will be very fast, whereas each successive one will be slower.
What is offsite storage?
It is storing backup media off the premises, usually in a secure location.
What is an intrusion?
It is the act of entering a system without authorization to do so.
What is disaster recovery?
It is the act of recovering data following a disaster in which it has been destroyed.
What is a working copy backup?
It is the copy of the data currently in use on a network.
What is a failover?
It is the process of reconstructing a system or switching over to other systems when a failure is detected.
An incident response plan outline what?
It outlines action steps, the incident response procedures that define how an organization should respond to an incident. These procedures often involve third parties, and they need to be comprehensive.
What is a Warm Site?
It provides some of the capabilities of a hot site, but it requires the customer to do more work to become operational. Warm sites provide computer systems and compatible media capabilities. If a warm site is used, administrators and other staff will need to install and configure systems to resume operations. For most organizations a warm site could be a remote office, a leased facility, or another organization with which yours has a reciprocal agreement. Warm sites may be for your exclusive use, but they don't have to be. A warm site requires more advance planning, testing, and access to media for system recovery. Warm sites represent a compromise between a hot site, which is very expensive, and a cold site, which is not preconfigured.
What is offsite storage?
It refers to a location away from the computer center where paper copies and backup media are kept. Offsite storage can involve something as simple as keeping a copy of backup media at a remote office, or it can be as complicated as a nuclear hardened, high-security storage facility. The storage facility should be bonded, insured and inspected on a regular basis to ensure that all storage procedures are being followed. Determining which storage mechanism to use should be based on the needs of the organization, the availability of storage facilities, and the available budget. Most offsite storage facilities charge based on the amount of space required and the frequency of access needed to the stored information.
What is HSM?
It stands for hierarchical storage management. HSM is a newer backup type that provides continuous online backup by using optical or tape jukeboxes. It appears as an infinite disk to the system, and it can be configured to provide the closest available approximation of a real-time backup. So rather than using one of the three traditional backup strategies, you ensure that data is being continuously backed up.
The term incident is somewhat?
Nebulous in scope. For our purposes, an incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. This includes systems failures and disruption of services in the organization.
What are after-action reports?
After recovering from any disaster or incident, never fail to have the recovery team meet for an after-action review. This debriefing needs to include each team member's account of the steps taken, along with an open discussion of what worked and what should be changed in future crises. Recovery-objective performance and any metrics used during or following the event should also be reviewed.
What does onsite storage refer to?
It usually refers to a location on the site of the computer center that is used to store information locally. Onsite storage containers are available that allow computer cartridges and tapes or other backup media to be stored in a reasonably protected environment in the building. Onsite storage containers are designed and rated for fire, moisture, and pressure resistance. These containers aren't fireproof in most cases, but they are fire rated. A fireproof container should be guaranteed to withstand damage regardless of the type of fire or temperature, whereas fire ratings specify that a container can protect its contents for a specific amount of time in a given situation. If you choose to depend entirely on onsite storage, make sure that the containers you acquire can withstand the worst-case environmental catastrophes that could happen at your location. Make sure as well that they are in locations where you can easily find and access them after a disaster (for example, near exterior walls, on the ground floor, and so forth).
What is the full archival method?
It works on the assumption that any information created on any system is stored forever. All backups are kept indefinitely using some form of backup media. In short, all full backups, all incremental backups, and any other backups are permanently kept somewhere. This method effectively eliminates the potential for loss of data: everything that is created on any computer is backed up forever. As you can see, the number of copies of the backup media can quickly overwhelm your storage capabilities. Some organizations that have tried to do this have needed entire warehouses to contain their archival backups. Think about the number of files your organization has: how much storage media would be required to accomplish full archiving? The other major problem involves keeping records of what information has been archived. For these reasons, many larger companies don't find this to be an acceptable method of keeping backups.
Many filesystems used on servers include?
Journaling. A journaled file system (JFS) keeps a log of all changes and transactions that have occurred within a set period of time (such as the last few hours). If a crash occurs, the operating system can check the log to see which transactions have been committed and which ones have not. This technology works well, and it allows data that was not yet written to its final location to be written after recovery. The system is usually restored successfully to its pre-crash condition.
Most database systems contain?
Large files that have only a relatively few records updated in relation to the number of records stored. A large customer database may store millions of records; however, only a few hundred may be undergoing modification at any given time.
If appropriate, you should report/disclose the incident to?
Legal authorities and CERT, so that others can be aware of this type of attack and help look for preventive measures to keep it from happening again. You might also want to inform the software or system manufacturer of the problem and how you corrected it. Doing so might help them inform or notify other customers of the threat and save time for someone else.
What is document network traffic and logs?
Look at network traffic and logs to see what information you can find there. This information can be useful in identifying trends associated with repeated attacks.
What is track man-hours and expenses?
Make no mistake about it; an investigation is expensive. Track total man-hours and expenses associated with the investigation, and be prepared to justify them if necessary, to superiors, a court, or insurance agents.
A false positive occurs when the scan?
Mistakenly identifies something as a vulnerability when it is not. No software program is perfect, and this means that any vulnerability scanner will yield some occasional false positives.
What is database system and what do they provide the ability to do?
Most modern database systems provide the ability to back up data, or certain sections of the database, globally without difficulty. Larger-scale database systems also provide transaction auditing and data-recovery capabilities. For example, you can configure your database to record in a separate file each addition, update, deletion, or change of information that occurs. These transaction or audit files can be stored directly on any type of archival media, such as magnetic tape cartridges or solid state drives. In the event of a system outage or data loss, the audit file can be used to roll the database forward to the last transaction made. In another arrangement, the audit file is written directly to a digital audio tape (DAT) that is used to store the record of changes; if an outage occurs, the audit or transaction files are rolled forward to bring the database back to its most current state. This recovery process brings the database current to within the last few transactions. Although it does not ensure that all of the transactions that were in process will be recovered, it reduces potential losses to the few that were in process when the system failed.
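The roll-forward recovery described in the last two cards (the journaled file system above and the database audit file here) reduced to its essentials, as an added example that is not code from the original page or from any real database. The store, its journal format and the constructed transaction sequence are all assumptions made for illustration.

```python
import json


def apply_record(table, record):
    """Apply one journal record to the in-memory table."""
    if record["op"] == "put":
        table[record["key"]] = record["value"]
    elif record["op"] == "delete":
        table.pop(record["key"], None)


class JournaledStore:
    """A key/value table whose every change is appended to a journal (the audit or
    transaction file) before the table itself is touched: write-ahead logging."""

    def __init__(self):
        self.table = {}
        self.journal = []          # JSON lines; a real system appends these to a file
        self._next_tx = 1

    def begin(self):
        tx = self._next_tx
        self._next_tx += 1
        self._log({"tx": tx, "op": "begin"})
        return tx

    def put(self, tx, key, value):
        self._log({"tx": tx, "op": "put", "key": key, "value": value})

    def delete(self, tx, key):
        self._log({"tx": tx, "op": "delete", "key": key})

    def commit(self, tx):
        """The commit record is what makes the transaction durable; only then is the table updated."""
        self._log({"tx": tx, "op": "commit"})
        for line in self.journal:
            record = json.loads(line)
            if record["tx"] == tx:
                apply_record(self.table, record)

    def _log(self, record):
        self.journal.append(json.dumps(record))


def recover(journal_text):
    """Roll forward from the journal alone: replay, in log order, every transaction that
    has a commit record, and discard any that was still in flight when the crash hit."""
    records = [json.loads(line) for line in journal_text.splitlines() if line.strip()]
    committed = {r["tx"] for r in records if r["op"] == "commit"}
    table = {}
    for record in records:
        if record["tx"] in committed:
            apply_record(table, record)
    return table


def crash_demo():
    """Constructed run: two committed transactions, then a crash mid-way through a third."""
    store = JournaledStore()
    tx1 = store.begin()
    store.put(tx1, "cust:1", {"balance": 100})
    store.put(tx1, "cust:2", {"balance": 50})
    store.commit(tx1)
    tx2 = store.begin()
    store.put(tx2, "cust:1", {"balance": 75})
    store.delete(tx2, "cust:2")
    store.commit(tx2)
    tx3 = store.begin()
    store.put(tx3, "cust:3", {"balance": 999})    # never committed: the "crash" happens here
    journal_on_disk = "\n".join(store.journal)    # what survives the outage
    return recover(journal_on_disk)


if __name__ == "__main__":
    print(crash_demo())
```

Recovery rebuilds the state as of the last committed transaction; the in-flight third transaction is the "few that were in process" the card says are lost. This only works if the journal itself is durable, which is why the audit file goes to separate media.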
The last full backup should contain?
Most of the data on the system; the incremental backup or differential backups contain the data that has changed since the full backup.
In a larger organization a disaster-recovery plan involves?
Multiple facilities, corporate strategic plans, and entire departments. In either case, the purpose is to develop the means and methods to restore services as quickly as possible and to protect the organization from unacceptable losses in the event of a disaster.
Incident identification is the first step in determining what has?
Occurred in your organization. An internal or external attack may have been part of a larger attack that has just surfaced, or it may be a random probe or scan of your network. Many IDSs trigger false positives when reporting incidents.
Forensics refers to the process of identify what has?
Occurred on a system by examining the data trail. It involves an analysis of evidence found in computers and on digital storage media.
One problem that can occur with manual network monitoring is?
Overload. Over time, a slow attack may develop that increases in intensity. People running manual processes tend to adapt to changing environments if the changes occur over a long period of time, so they may not notice the attack until it's too late to stop it. An automated monitoring system, such as an IDS, will sound the alarm when a certain threshold or activity level is reached.
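The point of the last few cards (documenting network logs to spot repeated attacks, and the threshold alarm an automated monitor raises) in working code, as an added example that is not part of the original page. The log lines are constructed in an OpenSSH-like format with an ISO timestamp prepended; the addresses come from the documentation ranges. It also shows the limit of a plain threshold: a burst detector catches the fast brute force, while the slow attacker only shows up when failures are counted across the whole period.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <host> sshd[<pid>]: Failed password for ..."
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_failures(lines):
    """Return (timestamp, source, user) for every failed-password line, oldest first."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"]))
    return sorted(events)


def window_alerts(events, threshold, window):
    """Burst detector: alert when one source has >= threshold failures inside any window."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, src, _ in events:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return alerted


def cumulative_alerts(events, threshold):
    """Trend detector: count failures per source over the whole period, however slowly they arrive."""
    counts = defaultdict(int)
    for _, src, _ in events:
        counts[src] += 1
    return {src for src, n in counts.items() if n >= threshold}


def sample_log():
    """Constructed log: a fast brute force, a slow one, and a user who mistyped twice."""
    start = datetime(2024, 3, 1, 10, 0, 0)

    def line(ts, user, src):
        return f"{ts.isoformat()} bastion sshd[4242]: Failed password for {user} from {src} port 51000 ssh2"

    fast = [line(start + timedelta(seconds=5 * i), "root", "203.0.113.5") for i in range(6)]
    slow = [line(start + timedelta(minutes=20 * i), "admin", "198.51.100.7") for i in range(6)]
    typo = [line(start + timedelta(minutes=3 * i), "alice", "192.0.2.10") for i in range(2)]
    return fast + slow + typo


def demo(threshold=5, window=timedelta(minutes=5)):
    events = parse_failures(sample_log())
    return window_alerts(events, threshold, window), cumulative_alerts(events, threshold)


if __name__ == "__main__":
    burst, trend = demo()
    print("burst alerts:", sorted(burst))
    print("trend alerts:", sorted(trend))
```

The burst detector alone would let 198.51.100.7 keep guessing indefinitely at one attempt every twenty minutes, which is exactly the slow ramp a human watching the console also stops noticing. Keeping the raw logs lets you run the longer-horizon count after the fact.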
Nonintrusive test involves?
Passive testing of security controls: performing vulnerability scans and probing for weaknesses but not exploiting them.
It is becoming more common for companies to hire?
Penetration testers to test their systems' defenses.
Many security experts view vulnerability scanning as separate from?
Penetration testing. However, it should be either part of the penetration test or done alongside it.
If the compromise is introduced at a different time than the attack, then it is said to involve?
Persistence. An example of persistence would be an employee having his or her laptop infected at a hotel while traveling for business and the company's network not being compromised until the employee is back in the office a week later and connected to a company's network.
Often, the weakest link may not be on the system that you ultimately want to access, but on another, trusted system. When it is possible to attack a system using another, compromised system, this is known as doing a?
Pivot. With pivoting (also known as island hopping), a compromised system is used to attack another system on the same network following the initial exploitation.
The six steps of any incident response processes should be as follows what are they?
Preparation, identification, containment, eradication, recovery, and lessons learned.
Business continuity is primary concerned with the?
Processes, policies, and methods that an organization follows to minimize the impact of a system failure, network failure, or the failure of any key component needed for operation; that is, essentially whatever it takes to ensure that the business continues and that the show does indeed go on.
When backup methods are used in conjunction with each other, the risk of loss can be greatly?
Reduced, but you can never combine incremental and differential backups in the same set. One of the major factors in determining which combination of these three methods to use is time—in an ideal situation, a full backup would be performed every day. Several commercial backup programs support these three backup methods. You must evaluate your organizational needs when choosing which tools to use to accomplish backups.
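The full, incremental and differential behaviour described across the backup cards above (archive bit, chain size, and which tapes a restore needs), simulated in code as an added example that is not part of the original page. The toy volume, file names and the week's change pattern are constructed; file counts stand in for tape size.

```python
class Volume:
    """Toy filesystem: file name -> content, plus an archive bit that is set on every write."""

    def __init__(self):
        self.files = {}
        self.archive = {}

    def write(self, name, content):
        self.files[name] = content
        self.archive[name] = True


def full_backup(vol):
    """Copy everything and clear every archive bit."""
    vol.archive = {name: False for name in vol.files}
    return dict(vol.files)


def incremental_backup(vol):
    """Copy only files changed since the last full or incremental backup, then clear their bits."""
    snap = {name: vol.files[name] for name, dirty in vol.archive.items() if dirty}
    for name in snap:
        vol.archive[name] = False
    return snap


def differential_backup(vol):
    """Copy files changed since the last full backup. The archive bit is left set,
    so each later differential re-copies these files and grows."""
    return {name: vol.files[name] for name, dirty in vol.archive.items() if dirty}


def restore(full, partials, strategy):
    """Rebuild from the full backup plus the whole incremental chain, or just the newest differential."""
    state = dict(full)
    chain = partials if strategy == "incremental" else partials[-1:]
    for snap in chain:
        state.update(snap)
    return state


def run_week(strategy):
    """Sunday full backup, then Monday to Wednesday changes with one partial backup per night."""
    vol = Volume()
    for i in range(5):
        vol.write(f"doc{i}.txt", "sunday")
    full = full_backup(vol)
    changes = {"mon": ["doc0.txt"], "tue": ["doc1.txt"], "wed": ["doc0.txt", "doc2.txt"]}
    partials, sizes = [], []
    for day, names in changes.items():
        for name in names:
            vol.write(name, day)
        snap = incremental_backup(vol) if strategy == "incremental" else differential_backup(vol)
        partials.append(snap)
        sizes.append(len(snap))
    return full, partials, sizes, dict(vol.files)


def check(strategy, lose_tuesday_tape=False):
    """Return (per-night backup sizes, whether a restore reproduces the live data)."""
    full, partials, sizes, live = run_week(strategy)
    chain = [p for i, p in enumerate(partials) if not (lose_tuesday_tape and i == 1)]
    return sizes, restore(full, chain, strategy) == live


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, check(strategy), "missing Tuesday tape:", check(strategy, True)[1])
```

Incrementals stay small (1, 1, 2 files) but a restore needs every tape in the chain; losing Tuesday's silently restores stale data. Differentials grow (1, 2, 3 files) but a restore needs only the full backup and the newest differential, so the lost tape does not matter. Mixing the two in one set breaks both guarantees, since an incremental clears the bits the next differential relies on.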
When a system fails, you'll be able to reestablish operation without?
Regenerating all of the system's components. This process includes making sure that hardware is functioning, restoring or installing the operating system, restoring or installing applications, and restoring data files. It can take several days on a large system. With a little forethought, you may be able to simplify the process and make it easily manageable.
If a system has been severely compromised, as in the case of a worm, it might not be possible to?
Repair it. It may need to be regenerated from scratch. Fortunately, antivirus software packages can repair most of the damage done by the viruses you encounter. But what if you come across something new? You might need to start over with a new system. In that case, we strongly advise you to do a complete disk drive format or repartition to ensure that nothing is lurking on the disk, waiting to infect your network again. In some cases, it may not be possible to repair the problem completely.
One of your first considerations after an incident is to determine how to?
Restore access to resources that have been compromised. Then, of course, you must reestablish control of the system.
When doing penetration testing, it is important to have a?
Scope document outlining the extent of the testing that can be done. It is equally important to have written permission, from an administrator who can authorize such testing, before it is conducted.
A tabletop exercise is a?
Simulation of a disaster, walked through around a table rather than executed on live systems. It is a way to check whether your plans are ready to go.
Vulnerability scanning allows you to identify?
Specific vulnerabilities in your network, and most penetration testers will start with this procedure so that they can identify likely targets to attack. A penetration test is essentially an attempt to exploit these vulnerabilities.
A backup plan identifies which information is to be?
Stored, how it will be stored, and for what duration it will be stored. You must look at the relative value of the information you retain. To some extent, the type of systems you use and the applications you support dictate the structure of your plan.
Before an incident occurs there needs to be?
Substantial preparation. Preparing for incident response involves multiple factors. The first step is outlining how you intend to respond to specific incidents. Formulating an IRP is part of that preparation. You will need to identify the personnel and resources required for your response. For example, if you intend to take a server offline in the event that it is breached, do you have a backup server available? In the event of suspected computer crime, which of your personnel are qualified to perform the initial forensic processes? If no one is qualified, you need to identify a third party that you can contact.
One of the first steps in penetration testing is deciding what needs to be?
Tested. This is a question of verifying what actual threats exist in your network. For example, if you are the network administrator of a public school, it is unlikely that highly skilled cyber terrorists are trying to infiltrate your network. The most likely threats should determine the exact nature of the penetration test.
What is the backup server method?
The costs of disk storage and servers have fallen tremendously over the past few years. Lower prices have made it easier for organizations to use dedicated servers for backup. The backup server method establishes a server with large amounts of disk space whose sole purpose is to back up data. With the right software, a dedicated server can examine and copy all of the files that have been altered every day. In the textbook's example, the files on the backup server contain copies of all the information and data on the APPS, ACCTG, and DB servers. The files on the three servers are copied to the backup server on a regular basis; over time, the backup server's storage requirements can become enormous. The advantage of this method is that all backed-up data is available online for immediate access. The backup server can itself be backed up on a regular basis, and those backups can be kept for a specified period. If a system or server malfunctions, the backup server can be accessed to restore information from the last backups performed on that system. Backup servers don't need overly large processors; however, they must have large disk and other long-term storage capabilities. Several software manufacturers take backup servers one step further and create hierarchies of files: over time, if a file isn't accessed it's moved to slower media and may eventually be stored offline. This reduces the disk storage requirements, yet it keeps the files that are most likely to be needed for recovery readily available. Many organizations use two or more of these methods to back up systems. The issue becomes one of storage requirements and retention requirements. In establishing a backup plan, you must ask users and managers how much backup (in terms of frequency, size of files, and so forth) is really needed and how long it will be needed.
Know the types of backups that are typically performed in an organization?
The three backup methods are full, incremental, and differential. A full backup involves the total archiving of all information on a system. An incremental backup archives only information that has changed since the last full or incremental backup. A differential backup saves all information that has changed since the last full backup.
Be able to discuss the types of alternative sites available for disaster recovery?
The three types of sites available for disaster recovery are hot sites, warm sites, and cold sites. Hot sites typically provide high levels of capability, including networking. Warm sites may provide some capabilities, but they're generally less prepared than a hot site. A cold site requires the organization to replicate critical systems and all services to restore operations.
What are working copies?
They are backups, sometimes referred to as shadow copies, that are partial or full and are kept at the computer center for immediate recovery purposes. They are usually updated frequently and are generally the most recent backups that have been made.
What are user files?
They are word processing documents, spreadsheets, and other files that are extremely valuable to an organization. Fortunately, although the number of files that people retain is usually large, the number of files that change after initial creation is relatively small. By doing a regular backup on user systems, you can protect these documents and ensure that they're recoverable in the event of a loss. In a large organization, backing up user files can be an enormous task. Fortunately, most operating systems date-stamp files when they're modified. If backups that store only the changed files are created, keeping user files safe becomes a relatively less painful process for an organization.
Many newer operating systems allows you to create a model?
User system as a disk image on a server; the disk image is downloaded and installed when a failure occurs. This method makes it easier for administrators to restore a system than doing it manually. It's all well and good to know how to make backups and the importance of doing so. There will come a time, however, when a recovery, the whole reason for disaster planning, will be necessary. As an administrator, you must be ready for this event and know how to handle it.
When an organization develops a backup plan for information, it must be clear about the?
Value of the information.
The key element of a vulnerability scan is always to identify?
Vulnerabilities: identifying common misconfigurations and identifying a lack of security controls. Once you have identified the vulnerabilities, it is time to attempt to exploit them. Of course, the most egregious vulnerability is any aspect of your system where vulnerability scanning reveals a lack of security controls. Some of the more common vulnerabilities involve misconfiguration. In fact, popular vulnerability scanners such as Nessus will help identify common misconfigurations.
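A misconfiguration check of the kind the vulnerability-scanning cards describe, written against an OpenSSH server configuration as an added example; it is not code from the original page, from Nessus, or from OpenSSH. The directive names and their accepted values are real sshd_config keywords; the values assumed to apply when a directive is absent are OpenSSH's documented defaults at the time of writing, and both sample configurations are constructed. A missing directive that leaves a permissive default in place is the "lack of security controls" case, so it is reported the same way as an explicit weak setting.

```python
# Directive -> (acceptable values, finding text). Keywords are case-insensitive in sshd.
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"}, "root can log in over SSH"),
    "passwordauthentication": ({"no"}, "password logins allowed; exposed to brute force"),
    "permitemptypasswords": ({"no"}, "accounts with empty passwords can log in"),
    "x11forwarding": ({"no"}, "X11 forwarding enabled"),
}

# Values assumed to apply when the directive is absent (OpenSSH's documented defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {directive: value} for the global section. sshd uses the FIRST value it
    sees for a directive, and everything after a Match line is conditional, so stop there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return (directive, effective value, finding) for every check that fails."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok_values, message) in CHECKS.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in ok_values:
            note = "" if key in settings else " (directive absent, default applies)"
            findings.append((key, value, message + note))
    return findings


# Constructed weak configuration: one explicit bad value, one dangerous omission.
WEAK = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
# PasswordAuthentication is not set, so OpenSSH's default of "yes" applies
"""

# Constructed hardened configuration; the Match block is deliberately ignored by the audit.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for key, value, finding in audit(WEAK):
        print(f"{key}={value}: {finding}")
    print("hardened findings:", audit(HARDENED))
```

A scanner does this for hundreds of settings across many services; the logic is the same, and so is the caveat: the check only evaluates the global section, so a permissive Match block (as in the hardened sample) needs a separate review against the users it applies to.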
What is the order of volatility?
When dealing with multiple sources of evidence, address them in order of volatility (OOV); always deal with the most volatile first. Volatility can be thought of as the amount of time that you have to collect certain data before the window of opportunity is gone. Naturally, in an investigation you want to collect everything, but some data will exist longer than other data, and you cannot possibly collect all of it at once. As an example, the OOV in an investigation may be RAM, then hard drive data, then CDs/DVDs, then printouts.