Chapter 10 - Incident and Disaster Response Flashcards
(105 cards)
1
Q
What three things are successful attacks commonly called?
A
Successful attacks are commonly called:
- Security Incidents
- Breaches
- Compromises
2
Q
What are the four severity levels of incidents?
A
The four severity levels of incidents are:
- False Alarm - AKA false positives.
- Minor Incidents - Small virus outbreaks, etc.
- Major Incidents - Beyond the ability of on-duty staff, requires a computer security response team to be assembled, and require action beyond the IT department.
- Disaster - Fire, flood, terrorist attacks. Threatens business continuity.
3
Q
Why is speed of response important?
A
Speed of response is important because the majority of attackers will continue to do harm until they are stopped. In addition, attacks generally cause systems to fail, and each minute they are down is money lost.
4
Q
What is the purpose of a CSIRT?
A
A CISRT, or a computer security incident response team, is a team of IT and IT security professionals dedicated to resolving an incident, as well as members from legal, PR, and senior management.
5
Q
What is business continuity?
A
Business continuity is the day-to-day revenue-generating operations of the firm.
6
Q
Who should head the business continuity team?
A
A senior manager should head the business continuity team.
7
Q
Why is accuracy of response important?
A
Accuracy is important, as haste can lessen accuracy, allowing people to overlook the root cause in the rush to fix.
8
Q
Define incident response in terms of planning.
A
In terms of planning, incidence response is only as effective as the plans set, and in most situations, no plan will fit exactly. Improvisation is key.
9
Q
Why are rehearsals important?
A
Rehearsals are important because they allow a firm to practice plans and procedures that may only come up in a true crisis.
10
Q
What is a walkthrough or table-top exercise?
A
A walkthrough/table-top exercise is the simplest form of rehearsal, where key personnel gather together and discuss, step by step, what each will do during an incident.
11
Q
Why is a live test better than a tabletop?
A
A live test is preferential to a tabletop because actually going through the steps can actually reveal small flaws that might not be apparent in a tabletop.
12
Q
What is the problem with live tests?
A
The main problem with live tests is that they are expensive.
13
Q
Distinguish between detection and analysis.
A
Detection is the act of learning that an incident has occurred. Analysis is the act of understanding the incident, determining the damage potential, and to gather information needed for containment and recovery.
14
Q
Why is good analysis important for the later stages of handling an attack?
A
In the later stages, good analysis will help uncover the root cause of the issue, and allow for diagnosis and repair.
15
Q
What is escalation?
A
Escalation is the act of increasing the priority of an incident.
16
Q
What is containment?
A
Containment is the method by which the damage is stopped from progressing.
17
Q
Why is disconnection undesirable during containment?
A
Disconnection is undesirable during containment because, while it stops the attack, it prevents legitimate users from using services. This can have significant business impact.
18
Q
What is black holing? Why may this only be a temporary containment solution?
A
Black holing is a method of containment where the packets from a particular IP address are automatically dropped to prevent an attack? This may wind up being only a temporary solution because of the ease in which an attacker could spoof a new IP address.
19
Q
Why might a company allow an attacker to continue working in the system for a brief period of time? Why is this dangerous?
A
A company might allow an attacker to continue working in the system for a brief period of time in order to gather more information on the attacker, provided the damage isn’t too severe. This is dangerous, because the longer the attacker is in the system, the more likely they are to erase their presence from logs, or gain access to do more severe damage.
20
Q
What are the three major recovery options?
A
The three major recovery options are:
- Repair During Continuing Operation
- Restoration From Backup Tapes
- Total Software Reinstallation
21
Q
What are the two main reasons that repair during continuing operation good?
A
The two main reasons that repair during continuing operation is good is that:
A. It reduces downtime
B. No data is lost, as there is no need to use a restore tape
22
Q
Why may not repair during continuing operation work?
A
Repair during continuing operation may not work because it is not always possible to find all the Trojans, rootkits, and other tools of the break-in.
23
Q
Why is the restoration of data files from backup tapes undesirable?
A
The reason that restoration from tape is undesirable is that any data collected since the last update will be lost, or if the attack began before the restore, the restore could restore Trojans and such.
24
Q
What are the potential problems with total software reinstallation?
A
Total software reinstallation comes with data loss, but that is still dependent on the organization still having the original installation media.
25
How does having a disk image reduce the problems of total software reinstallation?
Disk images remove the problem of having to retain the original installation media.
26
What are the three rules for apology?
The three rules of apology are as follows:
1. Acknowledge responsibility and harm.
2. Explain what happened, without technical details.
3. Explain what actions will be taken to compensate the person.
27
Why do companies often not prosecute attackers?
There are three main reasons companies often choose to not prosecute attackers:
- Cost and Effort - Finding and prosecution are pretty tricky.
- Probability of Success - Very rarely is the attacker someone for whom the punishment will really matter (foreign national, teenager, etc)
- Loss of Reputation - Public prosecution is an admission of a failure to protect information.
28
What is forensics evidence?
Forensics evidence is evidence that is acceptable for court proceedings.
29
Under what conditions will you need to hire a forensics expert?
For civil lawsuits (torts), only evidence collected by a forensics expert will be permissible in court.
30
What is the chain of evidence, and why is documenting it important?
The chain of evidence is the hands that evidence has passed through to get to court and the protection it has been under. It must be documented completely, otherwise it could be tossed out on grounds that it could have been tampered with.
31
Why should a senior manager head the CSIRT?
A senior manager must head the CSIRT because all the security decisions made during a major incident are also business decisions.
32
Why should members of affected line departments be a on the CSIRT?
Members of the line departments affected by the major incident should be a part of the CSIRT because they will have knowledge of the impact of the incident.
33
Who is the only person who should speak on behalf of the CSIRT?
The head of public relations is the only person who should speak on behalf of the firm.
34
Why should both the Police and the FBI be called in the case of an attack?
Both the police and the FBI should be called in the case of an attack because it is not certain which of them will have jurisdiction over a particular crime.
35
What different actions do criminal and civil law deal with?
Criminal law deals with violations of criminal statutes, which are laws that prohibit specific behaviors. Civil law deals with interpretations of the rights and duties that companies or individuals have relative to one another.
36
How do punishments differ in civil and criminal law?
Punishment in criminal law generally deals with jail time and fines, whereas civil law generally deals with monetary penalties or orders to take or not take action.
37
Who brings lawsuits in civil and criminal cases?
Lawsuits are brought by a prosecutor against a defendant in a criminal case, whereas a plaintiff brings the case against the defendant in a civil case.
38
What is the normal standard for deciding a case in civil and criminal cases?
In a criminal case, the prosecutor must prove beyond a reasonable doubt that the defendant is guilty. In civil, the plaintiff must prove a preponderance of the evidence (> 51%) that the defendant is liable for damages.
39
What is mens rea? In what type of trial is mens rea relevant?
Mens rea is being in the mental state to intentionally commit the act that is in question. It's generally only used in criminal cases.
40
Can a person be tried separately in a criminal trial and later in a civil trial?
A person can be tried in a criminal trial, and then be later sued in civil court for damages by the victim.
41
What is case law?
Case law is where judicial decisions set precedent for how laws may be interpreted in future trials.
42
What are jurisdictions?
Jurisdictions are areas of responsibility in which government bodies can make an enforce laws, and outside of which, are powerless.
43
What is cyberlaw?
Cyberlaw is any law dealing with information technology.
44
What are the three levels of the U.S. Federal Courts? Which levels can create precedent?
The three levels of the U.S. Federal Court system are the district courts, the circuit courts of appeal, and finally the supreme court. Both the circuit courts of appeal and the supreme court can create precedent.
45
Does federal jurisdiction typically extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce?
Federal jurisdiction only applies to crimes that affect interstate commerce or litigants from different states, in the case of cybercrime/hacking.
46
Who is likely to investigate a cybercrime that takes place within a city?
Local police will generally be the most likely people to investigate a cybercrime that akes place within one city.
47
Are international laws regarding cybercrime fairly uniform?
International laws regarding cybercrime vary widely.
48
Why should companies that do business only within a country be concerned about international cyberlaw?
Even if a company deals only within one nation, they should still be concerned about international cyberlaw because they might still be attacked by someone from another nation.
49
Why will courts not admit unreliable evidence?
Courts will not admit unreliable evidence because jurors are not expected to be able to evaluate the reliability of evidence.
50
What is a computer forensics expert?
A computer forensics expert is a professional who has been trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.
51
What type of witness is allowed to interpret facts for juries?
An expert witness is allowed to interpret facts for juries.
52
Why should companies work with forensics professionals before they have a need for them?
Companies should work with forensics professionals before they have a need, so as to have a an understanding what might be required for a trial.
53
What section title of the U.S. Code prohibits hacking? What other attacks does it prohibit?
Section 1030 of the U.S. Code prohibits the intentional access of protected computers without authorization or exceeding authorization. It also prohibits "the transmission of a program, information, code, or command that intentionally causes damage without authorization to a protected computer.
Basically, malware, and DoS attacks.
54
Does Section 1030 of the U.S. Code protect all computers?
Section 1030 of the U.S. Code defines protected computers as "government computers, financial institution computers, and any computer that is used in interstate or foreign commerce or communications. This is NOT all U.S. computers.
55
What are damage thresholds?
Damage thresholds are minimum amounts of damage that must be met before attackers are in violation of the law.
56
What types of acts does 18 U.S.C. 2511 prohibit?
18 U.S.C. 2511 prohibits the interception of electronic messages, both en route and after being received.
57
What is an IDS?
An IDS, or Intrusion Detection System, is a set of software and hardware that captures suspicious network and host data activity in event logs and provides automatic tools to generate alarms, as well as query and reporting tools to help analysis.
58
Is an IDS a preventative, detective, or restorative control?
An IDS is a detective control.
59
What are false positives?
A false positive occurs when an IDS or similar system flags an attack or breach when there is not one.
60
Why are false positives problems for IDSes?
False positives are problems for IDSes because they reduce trust in the system, and reduce the sense of urgency in flagged events.
61
What are the four functions of an IDS?
The four major functions of an IDS are logging, automated analysis, administrator actions (Alarms, summary reports, logs), and management.
62
What are the two types of analysis that IDSes usually do?
IDSes generally provide analysis of attack signatures (known threats) and anomaly detection (detecting new threats that don't have signatures).
63
What information should alarms contain?
Alarms should contain a description of what the problem is, a way to test the alarm for accuracy, and advice on what the security administrator should do.
64
What is the purpose of log summary reports?
Log summary reports contain listings of the various types of ongoing suspicious activity that didn't merit an alarm.
65
Describe interactive log file analysis.
Interactive log file analysis is the act of using tools to drill down into log files for a better level of understanding.
66
What is the advantage of a distributed IDS?
A distributed IDS is able to collect data from many devices at once, allowing for a broader scope of analysis.
67
Name the elements in a distributed IDS.
The elements of a distributed IDS are agents, which are software that collect event data and stores it in log files on their monitoring devices. There are managers, which are programs that are responsible for integrating the data coming in from multiple agents running on multiple monitoring devices. It then analyzes the log file, generating alarms as needed and allowing for data queries.
68
Distinguish between batch and real-time transfers for event data. What is the advantage of each?
Batch transfers of event data are scheduled transfers between an agent and its manager, whereas real-time transfers occur immediately as data is collected.
The advantage of batch transfers is that it is inexpensive and efficient, and does not disrupt the manager often.
The advantage of real-time transfer is that if and when the agent is breached, the manager has a log of all events right up to that point, which would not occur with a batch.
69
What two types of communication must be secure in an IDS?
In an IDS, communications between agents and their manager must be secure, with authentication, integrity checking, confidentiality, and anti-replay protection.
Communication between the IDS vendor and the manager must also be secure.
70
What information do NIDSs look at?
NIDSs, or Network IDSs, are agents of an IDS that look at the packets as they travel through the network.
71
Distinguish between stand-alone NIDSs and switch- and router- based NIDSs.
Stand-alone NIDSs are boxes situated at specific points in the network, and read and analyze the network frames that pass by them. Switch- and router-based NIDSs are simply switches and routers that have IDS software tracking all ports.
72
What are the strengths of NIDSs? What are the two weaknesses?
The key strength of NIDSs is that they can see all packets passing through specific locations on the network. These undergo heavy diagnostics. The two weaknesses of NIDSs are that no firm can afford to place a NIDS on every link in the router, and the fact that a NIDS cannot scan encrypted data (like a firewall).
73
What is the major attraction of a HIDS?
The major attraction of a HIDS, or Host IDSs, is that they work specifically on one host, and provide specific information on what happens on that host. This gives good insight.
74
What are the two major weaknesses of host IDSs?
The first major weakness of host IDSs is that they are limited in scope to their host. The second major weakness is that, like their hosts, they may be compromised.
75
List some things at which host operating system monitors look.
Host operating system monitors look at OS events, like:
| Adding new executables, modifying them, changing the registry, the logs, system audit policies, and so on.
76
Why are integrated log files good?
Integrated log files, that is, log files that contain data from many other locations on the network at any given moment, which gives a broad view of ongoing events and allows to see large trends.
77
Why are integrated log files difficult to create?
Integrated log files are difficult to create because it is very rare to be able to have all IDSs on a firm's network be from the same vendor, leading to integration trouble.
78
Explain the time synchronization issue for integrated log files.
The time synchronization issue for integrated log files refers to the fact that unless all the logs that go into building an integrated log file are in sync, it is almost impossible to focus in on a specific moment in the logs.
79
How do companies overcome the time synchronization issue?
To overcome the time synchronization issue with integrated log files, companies use the Network Time Protocol, which uses a central server to synchronize hosts.
80
What is event correlation.
Event correlation is a term for the analysis of multiple events in the search for signs of an attack.
81
Distinguish between aggregation and event correlation.
Aggregation is the process of integrating log files from multiple devices, where event correlation is actually looking for signs in multiple events.
82
Why is analyzing log file data difficult?
Analyzing log file data is difficult mostly because of the sheer, overwhelming amount of data to shift.
83
What is precision in an IDS?
Precision in an IDS refers to the principle that an IDS should report all attacks and as few false alarms as possible.
84
What are false positives, and why are they bad?
False positives are basically false alarms generated by an IDS. They generally outnumber true alarms by a factor of 10-1.
85
What are false negatives, and why are they bad?
False negatives are failures to report true attacks. These are obviously far more dangerous than false positives.
86
How can tuning reduce the number of false positives?
Tuning can reduce the number of false positives by turning off unnecessary rules and reducing the severity level in the alarms generated by other rules.
87
What does an IDS do if it cannot process all of the packets it receives?
When an IDS cannot process all of the packets it receives, it begins to skip packets.
88
What may happen to an IDS if a system runs out of storage space?
When a system runs out of storage space, IDS will transfer its current log file to backup and begin a new log file. Unfortunately, events that span log files become difficult to analyze.
89
What is a honeypot?
A honeypot is a faux network used to lure in attackers for study, or as a trap of some sort, I suppose.
90
What do business continuity plans specify?
A business continuity plan specifies how a company plans to maintain or restore core business operations when disasters occur.
91
Distinguish between business continuity plan and IT disaster recovery plans.
IT disaster recovery plans focus on restoring IT functionality after a disaster; business continuity plans focus on restoring core business functionality.
92
What four protections can firms provide for people during an emergency?
The four protections firms can provide for people during an emergency are:
- An evacuation plan
- A safe environment
- A way to identify missing persons
- Counseling
93
Why does human cognition in crises call for extensive pre-planning and rehearsal?
In emergencies, people's ability to make good, sound decisions is hampered by urgency.
94
Why is it necessary not to make plans and processes for crisis recovery too rigid?
In an emergency, if plans are too rigid, they likely won't work, as no emergency is going to fit exactly to the plans laid out.
95
List the four steps in business process analysis. Explain why each is important.
The four steps in business process analysis are:
1. Identification of Business Processes and How They Link - If you don't know the processes and how they work together, you'll have no way of bringing them back online.
2. Prioritization of Business Processes - Restore the most important processes first.
3. Specify Resource Needs - Plan which resources need to go where for the correct prioritization of resources.
4. Specify Actions and Sequences - Have a precise plan in place for bringing business processes back online.
96
Why are business continuity plans more difficult to test than incident response plans?
Business continuity plans are more difficult to test than incident response plans because the scope is far wider.
97
Why is frequent plan updating important with business continuity plans?
It is important to update the business continuity plan often because the business itself shifts and changes constantly.
98
Why must companies update contact information even more frequently?
Companies must update contact information frequently because telephone numbers and other contact information changes even more rapidly than other factors in a business.
99
For what two reasons is a business continuity staff necessary?
Business continuity staff are in charge of managing the ever-changing business continuity plan, as well as for being operational managers during a disaster.
100
What is IT disaster recovery?
IT disaster recovery is an examination of the technical aspects of how a company can get IT back into operation using backup facilities.
101
Why is IT disaster recovery a business concern?
IT disaster recovery is a business concern because IT itself has a major impact on the business itself.
102
What are the main alternatives for backup sites?
The main alternatives for backup facilities are as follows:
- Hot Sites - A hot site is a site with power, HVAC, hardware, installed software, and up-to-date data. This site can begin operation with even a skeleton crew.
- Cold Sites - A cold site is a physical facility with power and HVAC, and connections to the outside world, but no hardware, software, or data.
- Site Sharing with Continuous Data Protection - Multiple facilities with hardware, software, and data, that can pick up the slack of a downed facility.
103
Why is Continuous Data Protection necessary?
Continuous data protection is necessary because it allows for instantaneous recovery of a site, as all changes in data are shared via a high-capacity line.
104
What three things should a firm do about disaster recovery planning for office PCs?
The three things that are necessary for recovery planning for office PCs are:
1. Have data backups, with centralized storage.
2. Have new computers for people to work with.
3. Have a place for people to work until the office is restored.
105
What must be done to restore data at a backup site via tapes? How does this change if a firm uses continuous data protection?
For backup to be restored from tape, the site getting the restore needs to have the necessary hardware to read from the tapes, and the tapes will need to be shipped there quickly and securely.
If the firm is using CDP, then no restore is necessary, as the backup is already ready to take over.
