Risk Management, Forensics and Backup

Question 1

Data Owner

Answer 1

Data owners are in charge of data ownership.

Question 2

System administrator

Answer 2

System administrators are administrative users who are responsible for maintaining a system within its defined requirements.

Question 2

System owner

Answer 2

System owners are in charge of data ownership.

Question 3

User

Answer 3

Users refer to normal users who have limited access and privileges, based on their job role and tasks.

Question 4

Privileged user

Answer 4

Privileged users have more permissions than normal users. An example is a database administrator.

Question 5

Executive user

Answer 5

Executive user is a special subset of user.

Question 5

MTBF

Answer 5

MTBF is reliability of a system. It’s mean time between failures. It’s the sum of (start of downtime – start of uptime), divided by the total number of failures.

Question 6

RTO/RPO

Answer 6

RTO is the recovery time objective. This is the target time for the resumption of operations after an incident.

Recovery point objective, RPO, is the time period representing the maximum period of acceptable data loss. The data loss part is the differentiator. This relates to backup frequency.

Question 6

MTTR

Answer 6

Mean time to repair (MTTR) is a measure of how long it takes to repair a failure. This is total downtime divided by total breakdowns.

Question 7

Mission-essential functions

Answer 7

Mission-essential functions are those that MUST occur.

Question 8

Single point of failure

Answer 8

If a single component can cause the failure of the entire system.

Question 9

Annual Loss Expectancy (ALE)

Answer 9

SLE multiplied by ARO.

Question 9

Single Loss Expectancy (SLE)

Answer 9

It’s the value of a loss expected from a single event. It’s calculated by asset value (how much it will take to replace an asset) multiplied by the exposure factor (i.e. 50% loss of functionality -> factor of 0.5).

Question 10

Annualized Rate of Occurrence (ARO)

Answer 10

Annualized rate of occurrence (ARO) is how many times per year you think something will happen. This is usually based off of historical data.

Question 11

Order of volatility (Forensics)

Answer 11

If you want to figure out what happened on a system, you need a copy of the data. What do you collect first? The digital information that is most volatile. This ensures that you don’t lose important information.

Question 11

Chain of custody (Forensics)

Answer 11

This shows who obtained the evidence, when and where it was obtained, where it was stored, and who had control of the evidence during the process.

Question 12

Legal hold (Forensics)

Answer 12

This is a term that means once an organization is aware that it needs to preserve evidence for a court case.

Question 13

Data acquisition (Forensics)

Answer 13

Evidence is a set of documents, verbal statements, and material objects that are considered admissible in a court of law.

Question 14

Network traffic and logs (Forensics)

Answer 14

Network activity of a given device can be useful data.

Question 14

Capture system image (Forensics)

Answer 14

Imaging or dumping the physical memory of a computer can help identify evidence not available on the hard drive. This is especially useful for identifying rootkits.

Question 15

Record time offset (Forensics)

Answer 15

Make sure that you are aware of, and record any time offsets. The computers in question might not be synced up to “real” time, so calculating the offset is important to establish timelines.

Question 16

Recovery (Forensics)

Answer 16

In the realm of digital forensics, this is determining the relevant information and then recovering it.

Question 17

Preservation (Forensics)

Answer 17

Evidence needs to be properly acquired, identified, protected from tampering, transported and stored.

Question 18

Active logging (Forensics)

Answer 18

If you know what events to log for, you can minimize logging scope by setting up a system that actively logs relevant info when it happens.

Question 19

Hot Site (Backup)

Answer 19

Hot sites are fully configured environments that are ready almost immediately. Has backups that are ready or nearly ready to use.

Question 20

Warm Site (Backup)

Answer 20

Warm sites are partially configured. Might take a few days to get up and running. Likely have older backups.

Question 21

Cold Site (Backup)

Answer 21

Cold sites have the basics, but not much more. You likely won’t have any backups, or most of the equipment you need.

Question 22

Differential (Backup)

Answer 22

Save only files that have changed since the last full backup.

Question 23

Incremental (Backup)

Answer 23

Save files that have changed since the last full backup, or the last incremental backup.

Question 24

Snapshots (Backup)

Answer 24

A copy of a VM.

Question 25

Full (Backup)

Answer 25

A complete copy of a machine’s data.