1. Memory contents 2. Swap files 3. Network processes 4. System processes 5. File system information 6. Raw disk blocks

Domain 7 - Security Operations Flashcards by William Boshoff

What is Exigent Circumstances?

Evidence can legally be collected if it is danger of being destroyed

How well did you know this?

Not at all

Perfectly

During a forensic investigation, what is the difference in outcome between examination and analysis?

Examination provides data, analysis gives information.

How well did you know this?

Not at all

Perfectly

What makes a copy backup different from a full backup?

The archive bit is not reset when performing a copy backup

How well did you know this?

Not at all

Perfectly

Evidence process

Evidence must be: identified, preserved, collected, examined, analyzed. Findings must be presented and a decision made.

How well did you know this?

Not at all

Perfectly

Forensic Investigation steps

Identification
Presentation
Collection
Examination
Analysis
Presentation
Decision

How well did you know this?

Not at all

Perfectly

Forensic investigation - Step 1: Identification

The computer system is a crime scene. Identify and secure the crime scene. Review audits, logs, monitoring systems, user complaints, and analysis detection. Preserve and retain all evidence. When the computer is unavailable, capture related information (IP address, user names, and other identifiers).

How well did you know this?

Not at all

Perfectly

Forensic investigation - Step 2: Preservation

Make system images, start the Chain of Custody (CoC), document evidence, and record timestamps.

How well did you know this?

Not at all

Perfectly

Forensic investigation - Step 3: Collect Evidence

Note the order of volatility before collecting.
Create bit level images.
Remove system from production.
Use MDs to ensure data integrity.
Capture data stored in the cache, process tables, memory, and registry.
Use a bound wire notebook to keep notes.
Use an evidence field kit (tags, bags, labels, pens, and supplies).

How well did you know this?

Not at all

Perfectly

Order of Volatility

Memory contents
Swap files
Network processes
System processes
File system information
Raw disk blocks

How well did you know this?

Not at all

Perfectly

Forensic investigation - Step 4: Examine; Step 5: Analysis

Collect and analyze using scientific methods. Review characteristics like timestamps, identification properties. Reconstruct and document the crime scene evidence was collected

How well did you know this?

Not at all

Perfectly

Forensic investigation - Step 6: Present Findings

Prepare the evidence to be presented in court. Keep details but avoid non-tech jargon so the jury can understand.

How well did you know this?

Not at all

Perfectly

Step 7: Decision (forensics investigation)

After the verdict, conduct lessons learned. Determine what can be done better next time. Evidence is not retained after the verdict.

How well did you know this?

Not at all

Perfectly

IOCE and SWGDE functions

Establishes standards for digital forensics on mobiles, computers, and other computing systems. International Organization on Computer Evidence and the Scientific Working Group on Digital Evidence.

How well did you know this?

Not at all

Perfectly

NIST SP 800-86 Guide to Investigating Forensic Techniques into Incident Response.

Guidelines on data collection, examination, analysis, reporting, selecting team personnel, incident response handling, and processes to follow in investigations.

How well did you know this?

Not at all

Perfectly

Crime Scene

Environment in which potential evidence exists; can be multiple environments. Should be secured, systems isolated, not powered down until image is created. Access should be tightly controlled.

How well did you know this?

Not at all

Perfectly

Motive, Opportunity, Means (MOM) This helps investigators narrow down the suspects. Any suspect must have all parts of this construct.

Used by investigators to narrow down a suspect, who must have all parts of this construct.

How well did you know this?

Not at all

Perfectly

Motive

Explains why a crime was committed and who committed the crime.

How well did you know this?

Not at all

Perfectly

Opportunity

Explains where and when a crime occurred.

How well did you know this?

Not at all

Perfectly

Means

Explains how a crime was carried out by a suspect.

How well did you know this?

Not at all

Perfectly

Chain of Custody (CoC)

Document used to ensure integrity of evidence is maintained and admissibility of evidence in court. Records all persons who secured, obtained, and accessed controlled evidence.

How well did you know this?

Not at all

Perfectly

Interviewing and interview

Controlled by one person, who ensures the suspect understands their rights and why they are going through the process, which is to gather evidence. Process should be recorded. HR and management reps should be present. Only an employee senior to the subject can conduct this meeting.

How well did you know this?

Not at all

Perfectly

evidence concepts

relevant, reliable, preservation, tagging, and five rules of evidence

How well did you know this?

Not at all

Perfectly

Relevant (relevance)

This proves admissible evidence is material related to a crime. It describes MOM and can verify when the crime occurred.

How well did you know this?

Not at all

Perfectly

Reliable (reliability)

Admissible evidence meets the criterial that it has not been modified or tampered with.

How well did you know this?

Not at all

Perfectly

Preserved (preservation)

Admissible evidence meets the criteria that it has not been damaged or destroyed.

tagging evidence

Documents how the evidence was transported from the crime scene to storage. Includes complete descriptions of the evidence condition when found and all who accessed the evidence.

Five Rules of Evidence

Digital evidence is volatile and must be: authentic, accurate, complete, convincing, an admissible.

Investigators

These roles should understand the types of evidence that can be obtained, used in court, media types, devices, hardware, embedded devices, and guidelines on surveillance.

What are the types of evidence?

Best, secondary, direct, conclusive, circumstantial, opinion, hearsay, and corroborative.

Best Evidence

Only original documents or recordings can be accepted as evidence unless there is a legitimate reason not to use the original or a judge rules a copy as admissible evidence.

Secondary Evidence

Evidence that has been reproduced from original or substituted for original items. Copies of oral testimony is considered this type of evidence.

Direct Evidence

Proves or disproves a fact through oral testimony based on information gathered through the witness's sense of touch, sight, smell, or feeling.

Conclusive Evidence

Requires no other corroboration and cannot be contradicted.

Circumstantial Evidence

Infers information learned from other intermediate relevant factors. Used by a jury to conclude that another fact is true or untrue.

Corroborative Evidence

Supports another piece of evidence to verify a witness testimony as true or untrue.

Opinion Evidence

Based on what the witness thinks, feels, or infers regarding facts. Expert evidence from a doctor or etc. is not considered this type of evidence.

Hearsay Evidence

Second-hand; witnesses lacks direct knowledge of asserted facts but learned information from another person. When an expert cannot testify to the accuracy and integrity of the evidence, computer-based evidence can fall into this category.

Surveillance

Monitoring behavior, activities, or other changing information of either people or computers.

Physical Surveillance

Monitoring a person's actions by CCTV or by direct observation.

Computer Surveillance

Monitoring a person's actions captured on a computer using digital information such as logs.

Activity that requires a judge-approved warrant, after using corroborative evidence to prove a crime has been committed. Activity is allowed in emergency situation without a warrant, but must provide reasons in court.

Seizure

Taking physical custody of digital components obtained with a warrant.

Media Analysis

Recovery of disk imaging, slack space analysis, content analysis, and steganography.

Disk Imaging

Performed during media analysis, the creation of an exact image of the contents of the hard drive.

Slack Space Analysis

A computer's hard drive space that has been marked unusable, where data marked for deleting potentially resides and is still retrievable. Conducted during Media Analysis.

Content Analysis

Conducted during media analysis; provides details of the type of data by percentage contained in the hard drive.

Steganography

Process of hiding a message inside another object, such as a document in a picture. Media analysis is done to confirm if files have been altered or encrypted.

This involves the process of decompiling code. It looks at the content to determine why the software was created. It looks at reverse engineering to retrieve the source code of the program to see how it works and what the program can do. It looks at the author identification to discover who the author is. Last, it looks at the context and analyzes the environment the software was found in to discover clues.

software analysis allowed forensics techniques - concepts

Tools and techniques are used to preserve logs and activity for evidence. Communication analysis captures communication on the network and searches for particular types of activity. Log analysis is done to analyze network traffic. Last, the path traces a particular traffic packet or traffic type to discover the attacker's route.

network analysis of communications, logs, and path tracing

A vendor can provide tools and assistance such as: log analysis, OS analysis, and memory inspections. NIST recommends the following: 1. Don't change data during analysis. 2. Only trained investigators access data. 3. Document all steps (leave an audit trail). 4. The lead investigator is responsible for all persons involved to follow all steps. 5. All activity needs to be available for review.

hardware/embedded device analysis

investigation types

operations, criminal, civil, regulatory, and eDiscovery

An investigation into an event or incident that does not result in any criminal, civil, or regulatory issue. It uses root cause analysis and lessons learned. It is used to ensure that the appropriate changes are made to prevent such an incident from occurring again, including putting in place security controls.

operations investigations

Part of operations investigations. The goal is determination of the root cause by breaking down the incident until only the answer remains. It is a type of investigation completed to determine what ultimately caused the issue so that stop can be taken to prevent this incident in the future.

root-cause analysis

An investigation that is carried out because a federal, state, or local law has been violated. Law enforcement should be brought in early with these types of investigations. The crime should be properly documented. The investigation could result in a criminal trial.

criminal investigation

An investigation that occurs when one organization or party suspects another organization of civil wrong doing. It can only be filed by a government prosecutor.

civil investigation

An investigation that occurs when a regulator body investigates and organization for a regulatory infraction. Failure to comply with a regulatory investigation can result in charges being files agains the organization and the personnel involved.

regulatory investigation

Litigation or government investigations that deal with the exchange of information in electronic format as part of the discovery process. It involves electronically stored information (ESI) such as email, files, websites, voicemail, audio files, database records, and etc., information that must be preserved to prevent spoilage and or tampering. ESI must be safely stored for later review.

electronic discovery (eDiscovery)

Audit and reviews; IDS and IPS; SIEM; continuous monitoring; egress monitoring

logging and monitoring activities

When asking questions log forms should be used for example: IDS, IPS, HIDS, SIEM, continuous monitoring and egress monitoring. The questions should consider: 1. Are user's accessing information or performing tasks unnecessary to their jobs? 2. Are repetitive mistakes being made? 3. Do too many users have special rights or privileges?

Questions to ask during audit and review.

1. Does the audit trail provide a trace of user actions? 2. Is access to online logs strictly controlled? 3. Is there speration now duties between security personnel who administer the access control function and those who administer the audit trail?

Questions to ask when accessing controls over audit logs and audit trails.

A technical control, this is a system that sends an alert when unauthorized activity is detected (has logs for audit reviews).

Intrusion Detection Systems

A preventative technical control system that sends an alert when unauthorized activity is detected and works to fix the issue (has logs for audit review).

Intrusion Prevention Systems

Examines the operations on an individual system to detect intrusions. Alerts after infection and cannot prevent infection (has logs for audit reviews).

host intrusion detection system (HIDS)

A group of technologies that aggregates information about access controls and selected system activity to store (stores raw data) for analysis and correlation. As a result, this requires extensive protection because these are central repositories that attract hackers. This collects logs to comply with regulatory requirements, provide internal accountability, provide risk management, and perform monitoring (and trending).

Security Information and Event Management (SIEM)

This should be part of an organization's monitoring program. It should be guarded as critical infrastructure of the organization. Activities should be recorded.

continuous monitoring and continuous monitoring as a service (CMaaS) for cloud services

A monitoring technique where all outbound information from various networks is monitored, usually through firewalls that can control any traffic leaving the system. Monitoring that occurs when an organization monitors the outbound flow of information from one network to another. It uses data loss prevention (DLP).

egress monitoring

Software that attempts to prevent data leakage. It does this by maintaining an awareness of actions that cannot be taken with a document. This uses egress filters to identify sensitive information to prevent leaks. It can be implemented in two locations: Network and Endpoint.

data loss prevention (DLP) software

Network DLP: installed at the network egress points near the perimeter. Endpoint DLP: Runs on end user workstations or servers. These determine sensitive using precise (content registration trigger almost like a false positive) and imprecise methods (keywords and such).

Locations where DLP can be implemented.

Asset inventory; configuration management; physical assets; virtual assets; cloud assets; and applications.

resource provisioning concepts

The process in security operation which ensures that the organization deploys only the assets that it currently needs. The organization must maintain accurate asset inventory and user appropriate configuration management processes.

resource provisioning

Any item of value to an organization, including physical devices, digital information, and personnel.

asset

Maintain an accurate inventory to know when theft has occurred. Fully document all asset information. Keep hard and electronic copies of the asset inventory. Lock away devices that can be stolen; track these with GPS. Use remote wiping and remote locking features. Guard media devices from unauthorized access and theft. Encrypt data on all devices.

Important practices regarding assets.

The process of identifying and documenting components, software, and their associated settings. The goal is to establish and maintain the integrity of the item on a recurring basis thought its lifecycle.

configuration management

Anything that can be "touched" (i.e. servers, desktops, laptops, mobile devices, and network devices). Track these in the asset inventory and decommission properly as part of the configuration management process.

physical assets

Software defined assets. This includes virtual storage-area networks (SANs), guest virtual machines (VMs), and virtual routers. (Other may include: virtual storage, block virtualization, file virtualization, host-base virtual storage, and storage-device-based virtual storage).

virtual assets

Configuration management ensures assets are being billed correctly, provisioned, monitored, and that monitoring policies are in place to ensure only needed resources are deployed.

cloud assets

These are locally installed as web services and SaaS. Configuration management of this ensures an appropriate number of licenses are maintained; periodically reviews licenses; ensure only personnel with a valid need of the software has access rights.

application

Need-to-know/least privilege; managing accounts, groups, and roles; separation of duties; job rotation; sensitive information procedures; records retention; monitor special privileges; information life cycle; and service level agreement (SLA).

security center operations - concepts

A security principles that defines the minimum for each job or business function. The default setting is "no access." It is used in Role-based access control (RBAC) and discretionary access control (DAC).

need-to-know

This manages users, groups, and roles that pertain to the following: root/built-in admin account, service account, regular admin account, power user account, and regular user accounts. For example, every user has one account. Group accounts have permissions configured to access resources. Users are assigned to a group and inherit the group's permissions (the user can only do what the group as a whole can do). Users are also assigned to roles. Roles are used by applications.

managing accounts, groups, and roles

This is the most powerful account type. It is best to disable this account as it is often attacked by hackers. If keeping the account is needed, then change the user name and use a complex password. This account should only be used when performing account duties. The use of this account should always be audited.

root account / built-in account

This account is used to run system services and applications. This account's access should be limited to system(s). Research the default user accounts that are being used. Regularly change the passwords on these accounts. Use of this type of account should always be audited.

service account

This account is created and or assigned to an individual. A suer with an admin account should also have a day-to-day normal account. Use this account only for admin-level duties. Always audit this type of account.

regular administration account

This account has more privileges and permissions than normal accounts. It is for users with higher-level permissions. It is best to entirely remove these types of accounts. Modern operating systems limit this type of user's account abilities.

power user account

This account is used for daily accounts. It has limited permissions and should be set at least privilege.

regular user accounts

This grants users only the access that is required to perform their job functions. It is also referred to as need-to-know.

least privilege

This is a preventative security control (dual control). This is the concept of having a single task that requires at least two people to complete. This security measure involves dividing sensitive operations among multiple users so that no one user has rights/access to carry out the operation alone. It ensures no one person can compromise the organization's security. It is also used as an internal control to prevent fraud by distributing the tasks, rights, and privileges of users.

separation of duties

This is an administrative control, implemented to reduce the risk of collusion and fraud between individuals. Implementing this control may uncover activities that an individual is performing outside of normal operating procedures, revealing errors, or fraudulent behaviors. This may be difficult to implement in smaller companies because of the cost or lack of the required skills. It requires mandatory vacations employees.

job rotation

Users are trained in back-up procedures in case of emergencies. It provides protection agains fraud and collusion. It results in a cross-training of employees.

Benefits of using job rotation.

This is an administrative control used to detect potential illicit activities by requiring employees to be aware for a set period of time. It is used in conjunction with job rotation controls.

mandatory vacation

Customer and employee data needs to be protected. Access controls can prevent unauthorized access sensitive data. Questions to ask when reviewing procedures and policies regarding sensitive data should include: 1) Is data available to the user that is not required for his or her job? 2) Do too many users have access to sensitive data?

sensitive information procedures

Proper access control requires auditing. Monitor the most sensitive activities and retain and review all records. Laws and regulations require records to be retained. Configure automatic logs not to overwrite data. It is advisable to have a server shut down if the logs are full.

record retention

Users such as the Help Desk or IT, may need special privileges, such as changing passwords on accounts. These positions require high ethics and accountability. Monitoring and recording of these activities should also be logged and reviewed due to human-type vulnerabilities and risk.

monitoring special privileges

Creation, distribution, usage, maintenance, and disposal of information. After information is gathered it must be classified to ensure that only authorized personnel can access the information.

information life-cycle

A document describing the level of service expected by a customer from a supplier, laying out the metrics by which that service is measured, and the remedies or penalties should the agreed upon levels not be achieved. It reviews service metrics that are transferable (not as in law) and can be internal or external. It defines the ability and the timeframes to respond to problems as defined within agreement levels.

service level agreement (SLA)

Protecting tangible and intangible assets; asset management; backup and recovery systems; identity and access management; media management; media history; media labeling; sanitizing and disposing of media; network and resource management.

resource protection: concepts

These are assets such as intellectual property, data, and organizational mutation that are vital to a comply but are not physical assets. They can include company secret recipes, formulas, and trade secrets. These should be included in a comprehensive protection plan.

resource protection: intangible assets

These types of assets can be physical touched and include computers (hardware and software to run the hardware), facilities, supplies, information), and personnel.

resource protection: tangible assets

Most often this is the largest asset. It should also be included in vulnerability testing. The HVAC, fire detection, water, sewage, term control, power and backup power, communications equipment, and intrusion detection should all be protected and regularly tested. Vulnerability testing addresses the following questions regarding this type of asset: 1) Do the doors close automatically, does the alarm sound if the door are help open for too long? 2) Are the protection methods of sensitive areas working? Are they sufficient? 3) Does the fire suppression system work? 4) Are sensitive documents being shredded?

resource protection: facilities

This type of tangible asset includes all device and all infrastructure devices (i.e., routers, switches, and firewall appliances). These are managed remotely but need to be protected (to include the data contained) as commands go through the network. Guidelines for protecting this type of asset includes: 1) Change the default admin password on devices. 2) Limit the number of users with access to remote devices. 3) Use encrypts SSH rather than cleartext or Telnet. 4) Manage critical systems locally. 5) Limit physical access to these devices.

resource protection: hardware

This type of tangible asset includes all proprietary applications, scripts, or batch files that are developed in-house and are critical to the organization's operations. Secure the codes and the access to the software used to write the codes. Monitor the use of software to include commercial applications to prevent an unintentional breach of license.

resource protection: software

This type of asset includes recipes, processes, trade secrets, and anoint other plan that helps the organization be competitive in markets and industry. Principles of data classification and access control apply to these type os assets. The dollar value of these assets may be difficult to determine (and may be based on what they are worth to the company in terms of what it would cost to replace these assets).

information assets

The activities that support continual (daily basis) maintenance of the security of a system. The primary purpose of this type of security is to safeguard information assets that are resident in the system.

operations security

Redundancy, fault tolerance, back-up and recovery; identity and access; media and media history. Access to assets must be controlled to prevent deletion, theft, corruption (of data), and physical damage. Must meet the Availability standard of CIA Triad.

asset management - concepts

This refers to the providing of multiple instances of either a physical or logical component such that a second component is available if the first fails. Must meet the Availability standard of the CIA Triad.

redundancy

This is the ability of a system to continue to operating in the even of a component failures (for processes/system to continue running). Must meet the Availability standard of the CIA Triad.

fault tolerance

A fault tolerance counter measure desired to combat threats and to improve reliability. Data is written across multiple disks (arrays) for quick access without need to use back-ups. Not all types of these arrays provide redundancy. The systems must be capable of detecting and correction faults.

Redundant Array of Independent Disks (RAID)

RAID, SAN, NAS, and HSM. This type of management is important to operation security because media is where the data is stored.

media management - concepts

RAID can be implemented with either software or hardware. When software RAID is used, it is a function of the operating system. RAID 0 and RAID 1 provide simple striping with mirroring and performs well in software because hardware-level parity is not used. RAID 3 and RAID 5 work faster with the hardware.

types of RAID levels

This type of RAID has no added redundancy for disk failures. If one disk fails, all the disks will be lost. This RAID allows for increased read/write speeds. It should be used for systems with high availability needs/requests. It is the fastest of the RAID configurations and is the most suitable for temporary storage. It is also a method that writes the data across multiple drives but while is improves performance it does not improve fault tolerance (no redundancy).

RAID 0 with Disk Striping w/out mirroring (parity bits)

This RAID type creates mirrored drives without using striping or a parity bit. Redundancy is provide at this level. The array will operate as long as at least one drive is functioning. This is a method that uses at least two disks and write a copy of the data to both disks, providing fault tolerance in the case of a single drive failure.

RAID 1 with Disk Mirroring

In this RAID, data is striped across all drives at the bit level and uses a hamming code for error detection. Hamming codes can detect up to two-bit errors or correct one-bit errors without detection of uncorrected errors.

RAID 2 with Striping

This RAID method requires at least three drives. The data is written across all drives like striping, and then parity information is written to a single dedicated drive. The "parity information" is used to regenerate the data in the case of a single drive failure. The parity drive is a single point of failure (SPOF) if it goes bad.

RAID 3 with Dedicated Parity Disk

This RAID requires at least three drives and uses parity across disks. It consists of striping at the block level with a parity bit. It requires all drives, except one, to be present in order to operate. If one drive fails, this RAID can use its parity to ensure no data is lost. Each disk has a parity block, and the parity information is used to regenerate the data in case of a single drive failure.

RAID 5 with Distributed Parity

This is not a standard RAID. It uses the RAID 5 processes but enables the drive array to continue operating if any disk or any path to any disk fails. The multiple disks in this array operate as a single virtual disk.

RAID 7 - Proprietary

This is a combine of two RAID types: RAID 0+1 creates striping across the drives, then mirrors them; RAID 1+0 creates striped sets from already mirrored drives. This RAID type can handle multiple drive losses as long as no mirror loses all of its drives. Overall, this RAID is better than RAID 0+1 in all aspects, including speed and redundancy. This RAID requires a minimum of two disks (one striped, and one mirrored).

RAID 10 - Disk Mirroring with Striping (DISK 0 + 1)

These are comprised of high-capacity storage devices that are connected by a high-speed private network (separate from the LAN) using storage-specific switches. This storage information architecture addresses the collection of data, management of data, and the use of data. Only devices that can connect use a Fibre Channel SCSI network to access data, typically done through a server.

Storage Area Networks (SAN)

This is a form of storage that uses the existing LAN network for access using files access protocols such as NFS or SMB. This type of storage serves the same function as the SAN but any machine connected to the LAN/WAN can use protocols: NFS/CIFS/or HTTPS to connect to a NAS and share files.

Network Attached Storage (NAS)

This is a type of backup management system than provides a continuous online backup by using optical or tape "jukeboxes." It operates automatically moving data between high-cost and low-cost storage media as the data ages. It uses the proper media depending on the situation. It provides a good alternative to tape backups when 24/7 access is needed. It can use CDR with optical disk storage that can be faster than tape backups.

Hierarchical Storage Management System (HSM)

Accurately keep and maintain media library logs. All media types have a maximum number of times they can be safely used. Track backups and OS installations and other instances of how the media was used and how many times it was used. Track the age of the media to prevent loss of data through media degeneration. Inventory the media regularly.

media history practices

Plainly label all forms of media storage. Media begins to degenerate at or above 100 degree Fahrenheit. Guidelines of media control include: 1) Accurately and promptly mark all data storage media. 2) Ensure proper environmental storage of media. 3) Ensure safe and clean handling of media. 4) Log data media to provide inventory control.

Media Labeling and Storage practices

This is the practice of sanitizing and disposing of media. It is the most reliable method to remove all data from media. It exposes the media to high, powerful, alternating magnetic fields. It leaves the media magnetically randomized (blank). Other disposal concepts related to this process include data purging, data clearing, and romance.

Degaussing

This is a method to sanitizes or make data unavailable or recoverable, even agains laboratory attacks (forensics).

data purging

This is an attack that renders information unrecoverable using a keyboard. This type of attack extracts information from data storage media by executing software utilities, keystrokes, or other systems resource from a keyboard.

data clearing

This is any data left over after the media has been erased.

remanence

Redundant hardware, fault tolerance technologies, MTBF and MTTR, and SPOF. The goal of these concepts it to maintain Availability. These should be used to design and maintain processes and systems with the goal of providing and sustaining Availability.

network and resource management concepts

Devices will eventually fail. It is good to have a redundant system, devices, hardware, and components that can be hot-swapped or quickly replaced. Faster replacement means less downtime and minimizing a complete disruption of production and access.

redundant hardware

Examples of this type of technology includes clustering of servers and grid computing. Redundant technologies are based on multiple computing systems working together to provide uninterrupted access, even in the event of a failure of one of the systems.

fault tolerant technologies

Published by vendors as part of the SLA, the MTBF describes the value for a product's estimated time of failure (the average or how often the component is predicted to fail). The second metric is part of the SLA and outlines a time estimate of how long it will take to repair the device or component, to get it back on line, or into production again to maintain operations.

Mean Time Between Failure and Meant Time To Repair (MTBF and MTTR)

The ultimate goal of all network and resource management is to avoid this type of mistake. Every device, groups of components, or software should be examined for this type of potential condition. All instances of this condition should be mitigated in some way.

single point of failure (SPOF)

This is the first step to all investigations.

Incident Management: incident response

Any change that occurs within an organization. The state of the change can be negative or positive. For example, incident response focuses on the negative. This state can only be detected through auditing or monitoring mechanism.

Incident Management: event(s)

Select technically knowledgeable members who understand the organization's security policy. They should have strong communication skills. They should have received training in investigations and incident response processes.

Considerations when selecting an Incident Response Team.

This group's primary goal is to contain or repair damage caused by an incident. Their actions include following, step-by-step, an incident response plan.

Incident Response Team.

Directions to: (1) Immediately start security isolation when an incident is identified or discovered. (2) To secure and preserve all evidence. (3) Contact appropriate authorities. (4) List the team roles and responsibilities, internal contact list, and a list of expert investigators to contact for additional help. (5) Immediately contact authorities if a crime has been committed.

Information that should be included in the incident response plan.

This pertains to incident response teams as outlined and documented by the organization.

Rules of Engagement, Authorization, and Scope

This defines which actions are acceptable and unacceptable to take if an incident has occurred. These are guidelines to ensure the team does not cross a line to enticement or entrapment.

Rules of Engagement

This provides the incident response team with the authority to perform an investigation within the allowable scope of any investigation the team must undertake.

Authorization and Scope

A type of engagement used to lure an attacker to perform an illegal action. It occurs when the opportunity for illegal action is provided. It is legal, but raised ethical arguments and might not be admissible in court.

enticement

An illegal form of encouragement where an attacker is encouraged to commit a crime with the possibility that they had not desire or intention of performing. This practice is illegal.

entrapment

Incident Response Procedures

1. Detect the incident. 2. Respond to the incident. 3. Report the incident to the appropriate personnel. 4. Recover from the incident. 5. Remediate all components affected by the incident to ensure all traces of the incident have been removed. 6. Review the incident and document all findings.

Detect the incident and determine how the server was affected. Then perform appropriate triage. It could be that a false-positive occurred. If an attack did occur, the next step is to respond, which leads to an investigation. the worst type of incident is one that goes unnoticed.

Incident Response: Step 1 - Detect

Respond to the incident. Contain and quarantine to protect other systems. The response should be appropriate to the type of incident. A DoS attack requires a different response than other cases. Establish a standard response ahead of time. Prepare mitigation response in advance.

Incident Response: Step 2 - Respond and Mitigate

Report the incident to the appropriate personnel. The reporting should be timely and reflect the seriousness of the type of incident. Establish a list of incidents types and who to report the incident to.

Incident Response: Step 3 - Report

This involves reaction designed to make the network or system that is affected, functional again. The goal is to make all resources available as soon as possible. Delay putting anything back into production until it can be protected from whatever initially caused the incident. It is critical to test everything first.

Incident Response: Step 4 - Recover

Remediate all components affected by the incident to ensure all traces of the incident have been removed. For example, scanning all systems for a virus outbreak.

Incident Response: Step 5 - Remediate

Review the incident and document all findings. Review and discover what can be learned and what procedures can be improved. Document the findings.

Incident Respons: Step 6 - Review (lessons learned)

Clipping levels; deviations from standards, unusual or unexplained events; unscheduled reboots; unauthorized disclosure; trusted paths; input/output controls; system hardening; vulnerability management systems; IDS/IPS; firewalls; whitelisting/blacklisting; third-party security services; sandboxing; honeypots/honeynets; anti-malware/anti-virus.

Preventative Measures - concepts

A preventative measure that is a baseline for normal use errors and violations exceeding thresholds that will be recored for analysis. These are used to: 1) Reduce the amount of data to be evaluated in audit logs; 2) Provide a baseline of users above which violations will be recorded.

clipping level(s)

A preventative measure that can be used to identify performance problems that arise from baseline-type errors, and DoS attacks as they occur. This can aid in identifying systems that might need upgrading before the situation effects productivity.

deviations for standards

An event can occur with no logical cause. The goal is to get the system up and running. Identify the root cause, identify the issue. It is inadvisable to implement a quick workaround to remedy an event. When time permits, find the cause and address the root problem and fix.

unusual or unexplained events

Viewed in light of preventative measures, this typically indicates a hardware problem. Overheating causes many reboots. Overheating can be the result of a DoS attack. Analysis and monitoring should be in place to investigate reboots that are not human initiated or the result of a upgrade.

unscheduled reboots

This could result in the destruction of information; interruption of service; theft of information; and the improper modification of information. A preventative measure is to deploy enterprise solutions and monitor for any potential disclosure of information.

unauthorized disclosure

A preventative measure used by a server to recover information in a way that the server remains in a secure state. The response of a system to a failure (such as a crash or freeze) that leaves the system in a secure state. Orange Book requires all systems to be capable of a trusted recovery for all systems rated B3 or A1.

trusted recovery

A preventative measure, a trust worthy software channel between two process to ensure that attackers cannot intercept information being communicated. A secured shell (trusted shell) is a user interface channel between the user or the program through which he or she is working and the trusted computer base. Trusted paths must first be validated (patches, VLANS, logs, audits, integrity checks). Covert channels are not protected.

trusted path

The goal is to apply controls to check what is being allowed on the system. This is done via input validation on all accepted information into a system in an insecure state. Outputs can include reports, printouts, and such. All sensitive output should request a receipt before release and have proper access controls applied regardless of format.

input/output controls

A preventative measure, from a logical perspective, that includes the following actions: 1. Remove unnecessary applications. 2. Disable unnecessary services. 3. Block unnecessary parts. 4. Tightly control the connection of external storage devices / media.

system hardening

This is software that centralizes and automates the process of continually monitoring/testing the network for vulnerabilities. It can scan a network for vulnerabilities, report the vulnerabilities, and remediates some issues without human intervention.

vulnerability management systems

These are preventative measures. They should be updated on a regular basis. Archive logs for analyzation in on a regular basis. These can detect and in some cases prevent the following: Responding appropriately; use of alarms / alerts to appropriate personnel; and organization's must respond to alerts / signals in a timely manner.

IDS/IPS and Intrusion Response

These enforce administrative security policies by filtering incoming traffic based on a set of rules. This can be physical or a software device that inspects and or controls the type of traffic allowed. They can be updated and configured to protect boundaries between networks, subnets, and or single systems.

firewalls as a preventative measure

This can be used with spam filters. It configures acceptable, allowed email addresses, Internet addresses, websites, applications, or some other identifiers as good sender or as allowed.

whitelisting

A new entity must pass through a server's test to determine whether it will be blacklisted or whitelisted.

graylisting

This is configuring unacceptable email addresses, Internet addresses, websites, applications, and some other identifiers as bad senders or as denied. It can be used with spam filters.

blacklisting

This is a preventative method use to isolate applications and processes in a virtual state so they cannot make any permanent changes to a system. This technique allows applications and processes to run in an isolated virtual environment. It can't protect agains malware. it can use virtualization software. It can time out with too many threads. It is considered a third-party security service.

Sandboxing

This is a system with known vulnerabilities used as a decoy for hackers. These systems appear to house attractive information, but in reality are merely a distraction. It should only be used by organization's with high technical skills. It is configured to be attractive to attackers, to lure them into spending time attacking the system while information is gathered about the attack.

honeypot

Key topics in the patch management life cycle.

1. Patch prioritization. 2. Patch testing. 3. Patch installation. 4. patch assessment and audit.

Key topics in the change management process.

1. Formal request. 2. Analysis. 3. Review costs. 4. Develop steps. 5. Test and implement. 6. Documentation.

These systems should be redundant: critical systems; access to power; alternate locations; hardware equipment; secondary equipment; power redundancy UPS; power generators; spare components; cold spares, warm spares, and hot spares. [Recovery strategies]

Redundant systems, facilities, and power.

Adapter cards; storage drives; RAID drives; and fault tolerant components. [Recovery strategies]

Redundancy needed for fault tolerant technologies.

The purpose of insurance is to ensure that the organization will have access to additional financial resources to help in the recovery. Ensure key financial transaction continue (such as payroll, accounts payable, and recovery costs). This relates to insurance actual cost valuation (ACV) and business interruption insurance. [Recovery strategies]

insurance

This compensates property based on the value of the item on the data of loss plus 10%. Written material covered: printed, inscribed, manuscripts, and records. The second provides monetary protection for the expenses and lost earnings. [Recovery strategies]

Insurance Actual Cost Valuation (ACV) and Business Interruption Insurance

included in "high availability"

RAID arrays; SANs; failovers; fail soft; clustering; and load balancing.

A level of availability which ensures that data is always available, suing redundancy and fault tolerance. Usually part of the organizations DRP.

high availability

This is the capacity of a system to terminate non-critical processes when a failure occurs.

failsoft

The capacity of a system to switch over to a backup system if a failure occurs.

failover

Two or more members join a cluster and can each provide service simultaneously. It can offer high availability. It refers to a product that provides load-balancing service. One instance of an application server acts a a master controller and distributes request to multiple instances using round-robing, or least-connection algorithms.

clustering

In high availability, load balancing refers to a hardware product that provides load-balancing services. It uses application delivery controllers (ADCS) to number crunch processes: per server CPU, memory utilization, and fastest response time. It is a term used in regards to farms or spools.

load balancing

A technology that manages network resources to ensure a predefined level of service. It assigned traffic priorities to the different types of traffic on a network. It helps to work out bottlenecks in the networks.

Quality of Service (QoS)

The ability of a system, device, or data center to recover quickly and continue operating after an equipment failure, power outage, or the disruptions. One device/component fails, the other seamlessly takes over.

system resilience

1. High-level recovery: The order in which processes and functions are restored. 2. System-level: How a system should be restored. 3. BCP Committee: Defines high-level recovery list. 4. Business Recovery Plan: recovery procedures, personnel safety procedures, restoration procedures. 5. DRP Committee: Should contact vendors ahead of time; outing press briefings. 6. After Action includes costs assessments, investigation, and preventative measures.

Steps involved in creating recovery strategies.

Categorize Asset Recover Priorities that are derived from the BIA processes

Recovery Time Objective (RTO); Recovery Point Objective (RPO); and Work Recovery Time (WRT)

This is a collection of tasks that produce a specific service or product for a particular customer(s). Workflow documents should be provide to the DRP Committed for each business process.

Business Process Recovery

Facility Recovery: the main factors and what should be defined in the DRP.

1. Geographic location. 2. Organization's needs. 3. Location's cost. 4. Location's restoration effort. The following will be defined: Hot Site, Cold Site, Warm Site, Tertiary Site, Reciprocal agreements; Redundant sites.

This is a leased backup site, configured with hardware, software, and environmental needs. It can be up and running in a matter of hours. It is the most expensive backup site. It requires the same security controls as the regular operations. This leased facility contains all the resources needed for full operation, or needed to fully restore the organizations data. It is the fastest recovery option.

Hot Site

This is a building with no power, raised floors, and utilities. No systems are available. It is the cheapest option, but can take weeks to be operational. This leased facility contains only electrical and communications wiring, air conditioning, plumbing, and a raised floor. It is the slowest recovery option.

Cold Site

This site has everything to restore operations, except the computers. It is a less expensive site to operate, but takes more effort and time to be operational. This leased facility contains electrical and communications wiring, full utilities, and networking equipment.

Warm Site

A secondary backup site that provides an alternative in case the hot site, warm site, or cold site is unavailable.

Tertiary Site

These are an agreements between two companies or groups that one will share their location with the other in case of an emergency and vice versa. The two organizations will have similar technological needs and infrastructure.

reciprocal agreement

This is a backup facility that is owned by an organization that is an exact copy of their primary site. It is also called a "mirrored site." This type of site is configured identically to the primary site. It is the most expensive to maintain.

redundant site

Supply and technology recovery - concepts. The DRP should include information on the following assets that must be restored:

1. Hardware backups: client computers, switch, routers, firewalls and network device (the org 2. Software backups: OS, databases, applications, licenses, software escrow. 3. Human Resources: Offsite data on personnel. 4. HVAC information, blueprints, locations. etc. 5. Supplies that will be needed to restore ops. 6. Documentation.

It is important to keep data offsite that can be used in recovery process: information on every device, its contents, how it should be restored, if it a legacy device, a vendor contact list (to help restore devices), an estimate on how long it will take to restore or replace the devices. The operating systems and applications will also need to be documented to include backups, images, licensing (that should have been kept as offsite backups). DRP need to document the backups. The Human Resources department needs to monitor personnel for stress and other related emotions related to recovery and disaster. The payroll department needs to continue to process the payroll.

Considerations of supply and technology recovery.

A bit that when flipped, enables backup of the document, and when turned off, stops backing up that data. The backup file is updated, this bit for the file is enabled. [Data Recovery: backup types and schemes]

archive bit

This is a complete backup of information and the archive bit is flipped, and after the backup runs, the archive bit for each files is cleared. It takes the longest to run; uses the most space; and is the most appropriate for offsite archiving. All incremental and differential backups start with a full backup as a baseline. [Data Recovery: backup types and schemes]

full backup

This is a backup where the system is scanned for files marked with the archive bit. Anything that has been changed on the system since the last full backup will be archived. This type does not change the archive bit value. It is a backup in which all the files that have been changes since the las full backup are backups and the archive bit for each file is not cleared. [Data Recovery: backup types and schemes]

differential backup

This is a backup wherein the only files that are stored are those that have been altered since the last full or incremental backup. In this backup, all that files that have changed since the last backup (last full or last incremental) are backed up and the archive bit for each tile is cleared. [Data Recovery: backup types and schemes]

incremental backup

This type of backup is when the file's timestamp is used to determine whether it needs to be archived. Popular in mission-critical environments, because files are constantly updated. [Data Recovery: backup types and schemes]

daily backup

This is a backup that backs up all the files, much like a full back up, bit it does not reset the file's archive bit. [Data Recovery: backup types and schemes]

copy backup(s)

A backup that captures all transaction that have occurred since the last backup. It is only used in environments where capturing all transactions that have occurred since the last full backup are important. It is the most common type in database environments. [Data Recovery: backup types and schemes]

transaction log back up

The newest back up is saved to the oldest media. It does not protect against errors. It is the simplest type of backup scheme. [Data Recovery: backup types and schemes]

First In / First Out (FIFO)

This uses three defined backups: Daily, Weekly, and Monthly. Sons: A daily backup (each week 1 son advances to the Father set). Fathers: A weekly backup (each week 1 Father advances to the Grandfather set). Grandfather: A monthly backup (must be a full backup). A five day rotation uses (typically) 21 tapes that are differential and incremental.

Grandfather, Father, Son (GFS) backup scheme

This type of backup solution backs up the data quicker, and more accurately. It is the best implementation when information often changes.

electronic backups

Electronic vaulting; remote journaling; tape vaulting; hierarchical storage management (HSM); optical juke box; and replication.

electronic backup types

A real time electronic back up that copies files when modified. It copies files to a back up location as medications occur in real time.

electronic vaulting

Copies the journal or transaction log offsite on a regular schedule. This method occurs in batches.

remote journaling

Creates backups over a direct communications line on a backup system at an offsite facility.

tape vaulting

Stores frequently accessed data on faster media and less frequently accessed data on slower media.

Hierarchical Storage Management (HSM)

Stores data on optical disks and uses robotics to load and unload the optical disks as needed. Ideal for 24/7 availability.

optical juke box

Copies data from one storage location to another. Synchronous replication uses constant data updates to ensure that locations are close to the same. Synchronous replication delays updates to a predefined schedule.

replication

Response, personnel, communications, assessment, restoration, and training and awareness.

Disaster Recovery topics

This is a subset of the BCP. It is made by an organization for recovery after any type of disruption. It pertains to the recovery of business operations.

Disaster Recovery Plan (DRP)

These are the top two priorities when a disaster occurs. First, the safety and health of personnel. Second, the mitigation of damages.

personnel and responses

This team is responsible for determine the disaster's causes and the amount of damage that has occurred to the assets. The team identifies all affected assets and critical assets functionality after the disaster. It determine which assets need to be restored and replaced and contact the appropriate teams that need to be activated.

damage assessment team

This team deals with all legal issues immediately following the dilate and during the recovery. It oversees media and public relations and drafts, prepares statements, delivered by the organization's media relations team. It ensure the organization complies with all federal and state laws and regulations.

legal team

This team updates and informs the public of emergencies beyond the organization's facilities. An emergency press site should be planned ahead of time. Team members speaking to the press should be honest, accurate about events and the effects. The team oversees a unified response from the organization. It addresses the audience which may include: media, unions, stakeholders, neighbors, employees, contractors, and competitors.

media relations team

The primary task fo this team is recovery of the critical business functions at the alternate facility. This team oversees all relation and restorations.

recovery team

This team oversees the actual transfer of assets between locations and the returning of assets after recovery.

relocation team

This team needs physical access to backups. It ensures assets and data are restored to operations.

restoration team

This team recovers assets from the primary site. It ensures the primary site returns to normal. It also cleans equipment, rebuilds the facility, and declares when the operations at the disaster site can resume.

salvage team

This team secures both the disaster and recovery sites. It ensures the security of personnel inside. Additional security personnel can be hired to maintain security outside of the facility.

security team

Assessment categories to determine the severity of an event.

non-incident, incident, and sever incident

This test involves the teams that are part of any revery plan. These teams read through the plan that has been deployed and attempts to identify any inaccuracies or omissions in the plan. [testing recovery plans]

read-through test

This test is a recovery plan test where the managers or leader of every team review the BCP. The BCP committed uses the manager notes to make changes to the plan. [testing recovery plans]

checklist test

This is a cost effective method to identify areas of overlap in the BPC and DRP. It is an information brain-storming session that encourages participation from business leaders and key employees. They agree to focus on a particular disaster scenario. [testing recovery plans]

table-top exercise

This test is designed to test an organization's response plan. Representatives from each functional area or department assemble to rehearse he plan from beginning to end. The test involves thoroughly reviewing the BCP's accuracy. [testing recovery plans]

structured walk-through test

This test is a recovery plan test where operations and support personnel follow a DRP in a role-playing scenario. This test identifies omitted steps and threats. [testing recovery plans]

simulation test

This test is one in which some systems are run at an alternate site. The test involves brining a recovery site to a state of operational readiness but maintaining operation at the primary site. [testing recovery plans]

parallel test

This is a test in which regular operations are stopped and processing is moved to an alternate site. The test involves shutting down the primary facility and brining the alternate facility up to full operation. [testing recovery plans]

full-interruption test

This is a test in which a single function or department is reviewed to see whether the functions in the DRP are complete. Testing requires the personnel that perform this function. [testing recovery plans]

functional drill

In this test, personnel follow procedures to evacuate, find shelter-in-place, or follow disaster guidelines. All persons should be trained to report to specific areas. Everyone should be accounted for. [testing recovery plans]

evacuation drill

BCP and exercises steps

1. Updated after all testing. 2. Maintain a list of successful, unsuccessful tests. 3. Delet obsolete plans. 4. Add any new information. 5. Modify content with new laws, protocols. 6. Use version control to ensure the latest BCP is ready for use if needed. 7. Ensure there are available off-site locations. 8. Multiple people should have a copy of the latest version, if primary people are unavailable.

This is a design or mechanism used to delineate between components inside and outside of the trusted computing base. It uses a concentric circle approach to creating security layers. [Physical Security]

security permitter or perimeter security

These are short concrete or steel pillars used to block vehicles from entering secured access to buildings.

bollards (barriers)

The standards for fences include the following: 3-4 feet tall to deter casual intruders. 6-7 feet tall are too tall to clime. 8 feet or taller deter more determined intruders (especially when using razing wire). Geofences are electronic fences used to track devices.

fences

A gate suitable for residential use.

Class 1 Gate

A gate suitable for commercial use.

Class 3 Gate

A detection system that operates by identify changes in heat waves in an area.

Passive Infrared System (PIR)

A detection system that is used to discover the distance, absence, or presence of an object by using a light transmitter (often infrared) and a photoelectric receiver. These are often used in industrial manufacturing. Three different types include: opposed (through beam), retro-reflective, and proximity-sensing (diffused)

photometric sensor

A detection system that is uses strategically placed microphones to detect any sound made during a forced entry. It works well in quiet places but may go off in a loud area due to a busy street, doors, and et cetera.

acoustical detection system

A detection system that generates a pattern in the area and detects motion that disturbs the pattern. Alarms will sound if the patter is interrupted. It uses capacitance (emits a magnetic filed). The alarm will sound if the capacitance field is broken.

wave motion detector

This is a system that uses a set of cameras that can either be monitored in real time or record days of activity that ban be viewed as needed at a later time. Types include: indoor/outdoor, infrared, fixed position, pan/tilt, dome, an IP. Important to note: lens resolution in frames per second (FPS) and compressions. Displays include a single image display, a split-screen, and a large-format.

closed circuit television system (CCTV)

Continuous lighting, stand-by lighting, moveable lighting, and emergency lighting.

types of lighting systems

An array of lights that provide an ben amount of illumination across an area.

continuous lighting

A type of light that illuminates only at a certain time(s) or on a schedule.

standby lightening

Lighting that can be repositioned as needed.

movable lighting

A type of lighting system with their own power source to use when the main power is out.

emergency lighting

Fluorescent, mercury vapor, sodium vapor, and quartz lamps. These are measured by "feet of illumination." For example, a lamp that illuminates 30 meters diameter when it is 5 meters high, means the distance between police will be 30 feet.

types of lighting - elements

A type of lighting system that uses a very low-pressure mercury vapor gas discharge lamp, with fluorescence to produce visible light.

fluorescent lighting

A type of lighting system that uses an electric arc through vaporized mercury to produce light.

mercury vapor lighting

A type of lighting system that uses sodium in an excited state to produce light.

sodium vapor lighting

A type of lighting consisting of an ultra-violet light source, such as mercury vapor, contained in a fused-silica bulb that transmits ultraviolet light with little absorption.

quartz lamp lighting

Duress, travel, and monitoring.

Personnel Privacy and Safety - concepts

This plan provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. Personnel safety is always the primary concern. The organizations responsible to protect employees and employee health data. Organization's should develop policies to address duress, traveling, and monitoring.

occupant emergency plan (OEP)

This is the concept of a person doing something or divulging something they normally would not under threat of harm. It is a situation that occurs when an employee is coerced by another party to commit an action. This is a particular concern for high-level management and employees with high security clearances, because they have access to extra assets.

duress

Employees should be trained regarding travel policies; keeping the organization-issues assets safe and being careful in public. They should also be trained to properly report lost and or stolen assets.

travel

The higher the clearance level, the more likely the employee will be monitored and should have no expectation to privacy. The organization should capture baseline behaviors for monitoring to be of any use.

monitoring

The three controls that can be implemented to minimize fraud, theft, abuse, and waste.

Job rotation, separation of duties, and mandatory vacation.

What is the purpose of separation of duties

To prevent and reduce conflicts of interest by distributing tasks and their associate rights and privilege between more than one user.

A comprehensive set of guidelines that address all phases of the software development life cycle. It describes a series of stateless or maturity levels that a development process can advance as it goes from the ad hoc (build and fix) model to a model that incorporates a budgeted plan for continuous improvement. There are five levels of these guidelines.

capability maturing model integration (CMMI)

Processes are unpredictable, poorly controlled, and reactive.

CMMI Level 1

Managed level, processor are characterized for projects, and is often very reactive.

CMMI Level 2

Defined level; processes are characterized for the organization, and is reactive.

CMMI Level 3

Quantitatively managed; processes are measured and controlled.

CMMI Level 4

Optimized and focuses on process improvement.

CMMI Level 5

This is a security measure that requires two employees to be available to complete a specific task. This security measure is part of the separation of duties.

dual control

In this mode, electric power is applied to lock the door. When there is no electricity or power the door remains unlocked. It leaves the system processes and components in a secure state when a failure occurs or is detected in the system.

fail safe (state)

In this mode, electric power is applied to unlock the door. When there is no power or electricity the door will remain locked.

fail secure (state)

A characteristic of this is that it examines the network layer for instructions.

Network Intrusion Detection System (NIDS)

This is considered the "low end" of firewalls, can enhance security, and are very fast. This is the fastest firewall but the lease security. It can be fooled by an ACK attack, because it only inspects the header of a packet for allowed IP addresses or port numbers.

packet filtering firewalls

Manages the user access request process and ensures that privileges are provided only to these individuals who have been authorized for access by applications, systems, and data owners.

Security Administrator

This is a type of IDS that examines the available information (logs or network traffic) to determine if it matches a known attack.

Signature-Based IDS

This is a firewall that is aware of the proper functioning of the TCP handshake, keeps track of the state of all connections, with respect to this process, and can recognize when packets are trying to enter the network that don't make sense in the context of the TCP handshake. This type of firewall paints the stat of traffic flow and works well for TCP applications. These cannot be terminate connections or be fooled by ACK scans like a packet-filtering firewall. These perform slower but are more secure than a packet-filtering firewall.

stateful firewalls

RAID 1 implemented with a single hard disk controller, where two hard disks are connected to the same hard dis controller, and a complete copy of each file is stored on each hard disk.

Disk Mirroring

RAID 1 implemented with a single hard disk controller, where two hard disks are connected to separate hard disk controllers; the use of the separate hard disk controllers provides increased fault tolerance.

Disk Duplexing

files on this type of array ares stored in stripes, which are small data blocks and parts of a large file might be stored on every disk in this array.

RAID 0

Disk Striping with parity.

RAID 5

One stripe stored on this array is a parity stripe and the data on this array can be reconstructed from the parity stripes stored on the other disks in the array.

RAID 5

Uses parity to provide fault tolerance through the array, so if one disk in it becomes corrupted, you can just hot swap it and plug in a spare disk on the bay. The array will automatically reconstruct the information on the new disk with the parity contained through the other disks in the array. This hot-swap capability is usually present in enterprise servers that require high availability.

RAID 5

Weather event not normally considered in a contingency plan.

hurricane

Types of incidents contained in a contingency plan.

Power outages, connection failure, server crashes, and software corruption

The practice of looking for vulnerabilities, threats, and risks to the organization's data and resources.

Due diligence

The act of protecting the organization's assets, resources, people, and data.

due care

When more than one person fulfill the duties of one job position.

job rotation

Used to prevent collusion and conflicts of interest.

separation of duties

Used to monitor user violations.

audit logs and IDS logs