3.3 Incident Response and Recovery Procedures

Question 1

(E-Discovery)

Answer 1

The electronic discovery of evidence

Question 2

(E-Discovery)

Electronic inventory and asset control

Answer 2

must identify, track, classify, and assign ownership for important assets

Question 3

(E-Discovery)

Data Recovery

Answer 3

the process of recovering data from damaged, failed, corrupted, or inaccessible storage devices when it cannot be accessed using normal data access methods

Question 4

(E-Discovery)

Data Storage

Answer 4

strategies that includes backups to provide for recovery in the event of primary storage failure

Question 5

(E-Discovery)

Data Ownership

Answer 5

establish data owners and responsibility for all custodial duties

Question 6

(E-Discovery)

Data Handling

Answer 6

department managers that make decisions on how certain data should be used and managed
-data custodians are IT personnel that implement the decisions made by the data owners

Question 7

(E-Discovery)

Legal Holds

Answer 7

process that permits organizational compliance with legal directives to preserve all digital and paper records in anticipation of possible litigation

Question 8

(E-Discovery)

Data Retention policies

Answer 8

any data marked as legally requested data for destruction are immediately and indefinitely suspended until all relevant litigation has concluded

Question 9

(Data Breach)

Answer 9

The release of information to an unauthorized party or environment

Question 10

(Data Breach)

Detection and collection

Answer 10

examination of hardware and software alerts, surveillance cameras, logs, network traffic, error messages, and feedback from employees and customers

Question 11

(Data Breach)

Data analytics

Answer 11

classifying the breach and assigning a priority level in order to ensure that the appropriate levels of attention and resources are provided to the incident

Question 12

(Data Breach)

Mitigation

Answer 12

Encryption is gold standard

Encryption can protect data during storage, transit, and processing

Question 13

(Data Breach)

Minimize

Answer 13

data minimization efforts can play a key role in both operational efficiency and security
“Dont keep what you dont need”

Question 14

(Data Breach)

isolation

Answer 14

containing the incident to a limited area to prevent spreading

Question 15

(Data Breach)

Recovery/reconstitution

Answer 15

?

Question 16

(Data Breach)

Disclosure

Answer 16

the company must disclose all relevant data breach details to business stakeholders such as managers, human resources, and team leads

Question 17

(Data Breach)

Response

Answer 17

when a data breach occurs, the firm must be ready to respond immediately

Question 18

(Facilitate incident detection and response)

Hunt teaming

Answer 18

a comprehensive process of security teams seeking out any signs of attack against the organizational network

Question 19

(Facilitate incident detection and response)

Behavioral Analytics

Answer 19

process of measuring and identifying how entities typically act, or behave, and later comparing these measured behaviors to future samples of potentially spot deviations

Question 20

(Facilitate incident detection and response)

Heuristic Analytics

Answer 20

intelligently gathers data points from various host and network data sources within a specific environment
- it then scores each of these data point relative to one another to determine if the entity is threatening or not

Question 21

(Facilitate incident detection and response)

Establish and review system, audit, and security logs

Answer 21

SIEM solutions are critical components of automated security systems used in continuous monitoring

Question 22

(Incident and emergency response)

Chain of custody

Answer 22

detailed record of evidence handling, from its collection, preservation, and analysis, to representation in court and disposal

Question 23

(Incident and emergency response)

Forensic analysis of compromised system

Answer 23

digital forensics is the application of scientific methods to electronic data systems for the purposes of gathering specific information from a system

Question 24

(Incident and emergency response)

Continuity of operations

Answer 24

a continuity of operations plan refers to a government’s processes for maintaining functionality in the event of a serious public event

Question 25

(Incident and emergency response)

Disaster Recovery

Answer 25

involves the policies, staff, tools, and procedures to enable the timely recovery of an organization’s technological infrastructure from disruptive events

Question 26

(Incident and emergency response)

Incident Response team

Answer 26

a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations

Question 27

(Incident and emergency response)

Order of volatility

Answer 27

describes the order in which digital evidence should be collected before it disappears

Question 28

(Incident response support Tools)

dd

Answer 28

used for converting and copying files

Question 29

(Incident response support Tools)

tcpdump

Answer 29

Linux command used to capture network packets transferred over network

Question 30

(Incident response support Tools)

nbstat

Answer 30

tool that allows troubleshooting NetBIOS-related issues by displaying TCP/IP connections and protocol statistics based on NetBIOS network activity

Question 31

(Incident response support Tools)

netstat

Answer 31

command-line tool designed to display generalized network connections and protocol statistics for the TCP-IP protocol suite

Question 32

(Incident response support Tools)

netcat

Answer 32

linux command-line utility designed to connect to or host various types of network connections with other systems

Question 33

(Incident response support Tools)

memdump

Answer 33

linux command-line utility that can dump physical and kernel memory contents to both local storage and network locations

Question 34

(Incident response support Tools)

tshark

Answer 34

network protocol analyzer that captures network traffic from a live network or can read packets that were previously captured and saved into capture files

Question 35

(Incident response support Tools)

foremost

Answer 35

a forensic data recovery command-line tool used on linux primarily for law enforcement to recover deleted or corrupted data from drives

Question 36

(Severity of incident or breach)

Scope

Answer 36

defines the extent of an area affected or how widespread an incident or breach is

Question 37

(Severity of incident or breach)

Impact

Answer 37

defines the effect of an incident on business processes

Question 38

(Severity of incident or breach)

Cost

Answer 38

must take direct and indirect cost factors to consider, such as losing customer data, company downtime, and legal fees.

Question 39

(Severity of incident or breach)

Downtime

Answer 39

involves managing and delivering on expectations in terms of the amount planned and unplanned availability customers can expect during a given time

Question 40

(Severity of incident or breach)

Legal ramifications

Answer 40

involve stiff fines, penalties, and/or jail tie

Question 41

(Post-incident response)

Root-cause analysis

Answer 41

seeks to determine the root cause (or causes) of a problem

Question 42

(Post-incident response)

Lessons learned

Answer 42

give us the opportunity to evaluate mistakes, successes, assess what happened during the incident

Question 43

(Post-incident response)

After-action report

Answer 43

implements the security recommendations gleaned from the lessons learned report