Incident Response Final Exam

Ace your homework & exams now with Quizwiz!

Clearing

Disconnecting temporary services at an alternate facility

malware hoax

Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.

Data management team

Expected to quickly assess the recoverability of data from systems on site and then make recommendations to the management team as to whether off-site data recovery is needed

Disaster recovery

Focuses on business resumption at the primary place of business

Recovery phase

Focuses on critical business operations

Resumption phase

Focuses on functions that are not critical

Business continuity

Focuses on resuming critical functions at an alternate site

bitstream

Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect

Computer forensics

Forensic techniques with a computer system as the source of evidence

Digital forensics

Forensic techniques with a digital electronic device as the source of evidence

Field evidence log

Identifies each item collected by forensic team by a filename number

Incident manager

Identifies sources of relevant information on a first response team

hoax

If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.

blocking a specific IP address

In a "block" containment strategy, in which the attacker's path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.

False

In disaster recovery planning, there is a prevention phase similar to that in IR planning.

False

In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless.

Selected Answer: Personal Privacy to me encompasses privacy for a persons property; this is stuff like mail, your "home", and your items but these protections are only for properly secured property so stuff that is easily found in an investigation are up for interpretation by the courts. Personally I think the only truly secure private property is the stuff handled in the U.S. mail, everything else can be searched if the Feds want to search it, because "probable cause" is really loosely defined. Correct Answer: Personal privacy is defined in the Fourth Amendment to the U.S. Constitution as follows: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. The Fourth Amendment states that citizens have a right against unreasonable searches of their person and property without authorization by an appropriate entity, and this expectation of privacy has been expanded by case law to include the workplace.

In your own words, summarize how personal privacy is defined in the Fourth Amendment of the U.S. Constitution.

Communications team

Interfaces with upper management, law enforcement, the press, etc.

Testing

Involves assessment, whether internal or external

Faraday Cage

It is critical to protect wireless devices from accessing (or being accessed though) the network after seizure and during analysis. Because removing power to the device would lose the volatile information, a better solution is to block wireless access using a(n) ____________________

IR reaction strategies

Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.

False

Mainframe systems leverage data communications to decentralize and/or distribute capacity.

Scribe

Maintains control of the field evidence log on a first response team

blended

Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.

True

Many practitioners feel that a system, once compromised, can never be restored to a trusted state.

jump bag

Most digital forensic teams have a prepacked field kit, also known as a(n) ____.

False

One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site.

True

Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year.

Privacy Protection Act

Protects journalists from having to turn over material before public dissemination

Federal Wiretapping Acts

Regulates interception of electronic and oral communications

Sequential roster

Requires that a contact person call each person on the roster

Logistics

Serves as the go-to team to physically acquire and transport needed resources to the appropriate location.

Theft or damage to assets whether to preserve evidence for potential criminal persecution service-level commitments and contract requirements to customers allocation of necessary resources to activate strategy graduated responses that may be necessary duration of containment efforts

The CSIRT's operational guidance should include containment strategies that are applicable as well as when they may be employed. List the minimum set of potential containment strategies.

www.ready.gov

The U.S. Department of Homeland Security's Federal Emergency Management Association has developed a support Web site at ____ that includes a suite of tools to guide the development of disaster recovery/business continuity plans.

CPMT

The ____ assembles a disaster recovery team.

DR plan desk check

The ____ involves providing copies of the DR plan to all teams and team members for review.

after-action review

The ____ is a detailed examination of the events that occurred, from first detection to final recovery.

Archivist

The individual responsible for the maintenance of the business continuity plan document

Scene sketch

The only forensic team field note that can be done in pencil

scope

The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.

after-action review

The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team.

True

The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations.

plan maintenance schedule

The section of a DR policy that includes a schedule and instructions for the review and updating of the DR plan is called the

Some variables to be considered are the type of the incident, method of incursion, current level of success, current level of loss, expected or projected level of loss, target, target's level of classification and/or sensitivity, and legal or regulatory impacts mandating a specific response.

The selection of an appropriate reaction strategy is an exercise in risk assessment in which the CSIRT leader must determine what the appropriate response is based on a number of variables. What are some of the variables that must be considered?

Network recovery

This team works to establish short-term and long-term networks

True

Training focuses on the particular roles each individual is expected to execute during an actual disaster.

Common Body of Knowledge

Two dominantly recognized professional institutions certifying business continuity professionals agree on the ____ as the basis for certification.

hot site

Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers are not provided at BC alternate site.

1. Develop the DR planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan. 2. Review the business impact analysis (BIA): The BIA was prepared to help identify and prioritize critical IT systems and components. A review of what was discovered is an important step in the process. 3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life-cycle costs. 4. Create DR contingency strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption. 5. Develop the DR plan: The DR plan should contain detailed guidance and procedures for restoring the organization and its system after a disaster. 6. Ensure DR plan testing, training, and exercises: Testing validates recovery capabilities, training prepares recovery personnel for plan activation, and exercises identify planning gaps; together, these activities improve plan effectiveness and overall organizational preparedness. 7. Ensure DR plan maintenance: The DR plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

What are the seven steps that are recommended for developing a comprehensive disaster recovery plan?

One important note for both DR and IR planning: when selecting an off-site storage location for data backups or stored equipment, extra care should be taken to minimize the risk at that storage location. In many instances, a large-scale disaster may destroy or damage both the primary location and the off-site storage location, if the latter is not carefully selected.

Why are large-scale disasters of particular concern when choosing off-site storage locations for data backups and equipment?

Business continuity management team: This is the command and control group responsible for all planning and coordination activities. The management team consists of organization representatives as described above, working together to facilitate the transfer to the alternate site. During relocation, this group coordinates all efforts and receives reports from and assigns work to the other teams. With the BC version of this group, the team handles the functions performed by the communications, business interface, and vendor contact teams under the DR model. Operations team: This group works to establish the core business functions needed to sustain critical business operations. The specific responsibilities of this team vary dramatically between organizations, because their operations differ.

Within a BC team, there may be many subteams. What are the responsibilities of the business continuity management team and the operations team?

notification

A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation.

distributed denial-of-service

A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.

False

A business continuity plan should be a single unified plan.

BCI Professional Recognition Program

A certification offered by the Business Continuity Institute is called ____.

snapshot

A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics which captures a point-in-time picture of a process.

field notes

A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.

expectation of privacy

A search is constitutional if it does not violate a person's reasonable or legitimate____.

Permissible in scope

A search that is constrained to a specific focus

True

Automated IR systems to facilitate IR documentation are available through a number of vendors.

True

BC is specifically designed to get the organization's most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption.

Vendor contact team

Can work from preauthorized purchase orders to quickly order replacement equipment, applications, and services, as the individual teams work to restore recoverable systems

The Cuckoo's Egg

Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.

Alert roster

Commonly tested at least quarterly

Logistics team

Consists of the individuals responsible for providing any needed supplies, space, materials, food, services, or facilities at the primary site

DR strategies go substantially beyond the recovery portion of data backup and recovery and must include the steps necessary to fully restore the organization to its operational status. This includes personnel, equipment, applications, data, communications, and support services (power, water, and so on). Only through close coordination with these services can the organization quickly reestablish operations back at its principle location, which is the primary objective of the DR plan.

Contrary to popular belief, DR strategies go substantially beyond the recovery portion of data backup and recovery. Discuss what further steps are necessary.

Disaster management team

Coordinates all disaster recovery efforts

Command and control

Core administrative functions needed by an organization to remain operational

information system

Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used.

Malware

Deliberate software attacks occur when an individual or group designs and deploys software, known as ___________________, to attack a system.

cookie

A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.

Although some encryption is poorly done and is easily broken, high-quality products are increasingly available that use good encryption algorithms beyond our current capability to reverse encryption by trying all possible combinations. Encrypted information poses significant challenges to forensic investigators because, by its nature, encryption conceals the content of digital material. Many encryption products require input of an encryption key when the user logs on and then decrypts the user's information on the fly. When the system goes into screen saver mode or is powered down, the encryption key is deactivated and must be reentered. Unfortunately, data needed by the forensic investigator will be encrypted and will not be readable without the proper key.

An increasing concern for privacy and widespread availability of encryption products has led to the use of encryption for individual files and even entire devices. Briefly discuss the current state of encryption with respect to forensic investigation.

1) Preparation: The planning and rehearsal necessary to respond to a disaster 2) Response: The identification of a disaster, notification of appropriate individuals, and immediate reaction to the natural disaster 3) Recovery: The recovery of necessary business information and systems 4) Resumption: The restoration of critical business functions 5) Restoration: The reestablishment of operations at the primary site, as it was before the disaster

Briefly discuss the five phases of a disaster recovery plan.

BCI certification focuses on these key principles: Business continuity management policy and program management—Establishing the need for a business continuity management process, organizing and managing the formulation of the process and developing, coordinating, evaluating, and exercising plans during incidents Understanding the organization—Identifying critical functions, risk evaluation and control focusing on events and surroundings affecting the organization and controls to mitigate potential loss, and cost/benefit analysis Determining business continuity strategies—Selecting alternate recovery strategies and solutions based on RTO and RPO, developing, coordinating evaluating and exercising communications plans, and providing trauma counseling Developing and implementing a BCM response—Developing emergency response procedures, establishing an emergency operations center, experience in handling an emergency, and developing, designing, and implementing BC plans Exercising, maintaining, and reviewing BCM arrangements—Planning BC exercises, ensuring currency of BC plans, verifying plans against standards, and establishing procedures and policies for coordinating with external agencies Embedding BCM in the organization's culture—Developing training and awareness plans for BC

Describe three of the key principles that are a focus of the Business Continuity Institute certification.

Restoration phase

During this phase, an organization might have to select a new permanent home

Factors that could affect the maintenance process is change of location, size, or change in business focus.

Summarize the general activities and timing associated with DR plan maintenance and discuss organizational factors that can affect the maintenance process.

team leader

The BC ____________________ is most likely a general manager from the operations or production division, appointed by the chief operations officer, chief finance officer, or chief executive officer.

policy

The BC team begins with the development of the BC __________, which overviews the organization's philosophy on the conduct of BC operations and serves as the guiding document for the development of BC planning.

recovery point objective

The ____ is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.

roles and responsibilities

The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity

data management

The ____ team is primarily responsible for data restoration and recovery.

Systems recovery

This team works to install operating systems

Data management

This team works with other teams toward restoring and recovering data

trigger point

When implementing a BC plan, an organization reaches a predetermined state, known as a(n) ____, at which time the responsible executive indicates that the organization is to relocate to a pre-selected alternate site.

Computer recovery team

Works to recover physical computing assets that might be usable

Man-made

____ disasters include acts of terrorism and acts of war.

Inappropriate Use

____________________ is a category of incidents that covers a spectrum of violations made by authorized users of a system who nevertheless use the system in ways specifically prohibited by management.

incident

An ____ may escalate into a disaster when it grows in scope and intensity.

Scheduling of employee move: Note that not all business functions may return at the same time, just as not all will relocate to the BC site in the same order or time. The organization may have the most critical functions continue to work out of the BC site until all support personnel are relocated and support services are functional at the primary site. The organization may also want to wait for a natural break in the business week, like the weekend. In any case, the BC plan should contain information on who will begin directing the move back to the primary site, and generally in what order the business functions and associated personnel will move.

Briefly describe the information required for the "scheduling of employee move" operation that should be specified in a BC plan to support returning to the primary site.

Vendor relationships

Crucial during a disaster

1 Laptop with kali or something similar 2 Call list with subject-matter experts 3 Cellphones with extra batteries and chargers 4 Imaging software or hardware with write blockers 5 Hard drives, CDs, DVDs, USB flash drives for evidence 6 Cables for access to network, and memory storage devices 7 Evidence bags 8 Digital Camera for photographic evidence 9 Incident forms 10 Spare screws, anti-static mats, mechanics' mirrors, telescoping lights and grabbers, general hardware equipment

Describe ten things that you might find in a forensic field kit.

Structured walk-through: All involved individuals walk through the steps they would take during an actual disaster, either on site or as a conference room discussion. Simulation: Each involved individual or team works independently, rather than in conference, simulating the performance of each task, stopping short of the actual physical tasks required, such as restoring the backup or rebuilding a particular server or communications device.

Describe the structured walk-through and simulation strategies that can be used for plan testing and rehearsal by disaster recovery teams.

Altering the filtering rules, either temporarily or permanently, may resolve the issue. Be aware of the possibility of service availability to legitimate customers. Also, the attacker may not only shift spoofed addresses, he may also shift source protocols. Also be aware that the more rules present in a device, the slower it will run. Thus, changing the organization's filtering strategy should only be done on a temporary, emergency basis if it causes issues. For long-term solutions, the organization may want to consider upgrades to critical network technologies to make such responses insignificant.

During a DoS incident, one possible containment strategy is to block the address the attacks are coming from. In addition, the organization may want to change its filtering strategy. What are the advantages and disadvantages of this approach?

Hierarchical roster

Requires that the first person cal other designated people on the roster

Needs training in recovering data from off site, along with the data management team

Storage recovery team

response phase

The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible.

damage assessment

The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.

applications recovery

The ____ team is responsible for recovering and reestablishing operations of critical business applications.

network recovery

The ____ team is responsible for reestablishing connectivity between systems and to the Internet.

response

The ____________________ phase of a disaster recovery plan involves activating the plan and following the steps outlined therein.

True

The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover.

Forensic Toolkit (FTK)

The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.

Timeliness is a factor in prioritizing the response. Use software to support incident management priotitize each incident component as it arises Contain each incident, then scan for others.

What are some of the recommendations for handling hybrid incidents?

The key points the CP team must build into the DR plan include: the clear delegation of roles and responsibilities; the execution of the alert roster and notification of key personnel; the use of employee check-in systems; the clear establishment and communication of business resumption priorities; the complete and timely documentation of the disaster; and preparations for alternative implementations.

What are some of the key points that the CP team must build into the DR plan?

Repair damage or select or build replacement facility Replace primary site damaged or destroyed contents Coordinate relocation from temporary offices to primary sire or to new replacement facility Restore normal operations at the primary site Stand down the DR teams and conduct the after-action review

What are the primary goals associated with the restoration phase of a disaster recovery plan?

This means that a search is rooted in a legitamete business reason, such that it was done specifically to locate a legitimate work product or as part of an investiagtion into work-related misconduct involving organization resources.

What does it mean for a search to be "justified at its inception?"

Correct The recovery time objective (RTO) is the amount of time that the business can tolerate until the alternate capabilities are available. Reducing RTO requires mechanisms to shorten start-up time or provisions to make data available online at a fail-over site. The recovery point objective (RPO) is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.

What is the difference between the recovery time objective and the recovery point objective?

After evidence is bagged in an Evidence Bag or storage unit there should be a place on the bag where the person who collects it signs that they've collected it and when this happened, from there everyone who handles it has to sign that they've obtained it from the last in command and the last in command signs that it was given to the next in command.

What is the usual process for creating a chain of custody for collected evidence from the time it is sealed?

True

Within the private sector, the Supreme Court stated, "Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched."

Network recovery team

Works to reestablish functions by repairing or replacing damaged or destroyed components.

Business interface team

Works with the remainder of the organization to assist in the recovery of nontechnology functions

Business interface team

Works with the remainder of the organization to assist in the recovery of nontechnology functions.

Inappropriate use

____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.

Anti-forensics

____ involves an attempt made by those who may become subject to digital forensic techniques to obfuscate or hide items of evidentiary value.

Rapid onset disasters

____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.

Preparation

____ means making an organization ready for possible contingencies that can escalate to become disasters.

External

___________________ testing can come from standardization boards or consultants (for example, ISO 9000), certification or accreditation groups, or a group selected by the organization's management from a sister company.

Internal

____________________ testing can include employees conducting self-assessments after an exercise by completing feedback surveys indicating what they thought worked well and what did not.

Disaster recovery planning

______________________________ is the preparation for and recovery from a disaster, whether natural or man-made.

contamination

____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.


Related study sets

Unit 8 - Accidents: The Cost, Causes, and Prevention

View Set

Nutrition: Analyze Cues and Prioritize Hypotheses; Plan and Generate Solutions

View Set

Positive, Negative, or Zero Slope

View Set

chapter 13 organizational behavior

View Set

Financial Accounting before test 2

View Set

Simplifying Trigonometric Identities

View Set