Security+ 3 Flashcards
(7 cards)
When conducting any forensic data capture, investigators should take note of the current time from a reliable source and compare it to the time on the device, recording the time offset so that device timestamps can be corrected later.
Write Blockers : hardware or software that prevents accidental modification of the source disk during imaging.
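The two cards above describe what to record during a capture: the time offset between a reliable clock and the device clock, and proof that the source was not altered while it was imaged. The script below is an added example, not part of the flashcards or of any forensic tool; the "device" is a constructed temporary file standing in for a drive behind a write blocker, the timestamps are constructed, and the file copy stands in for an imaging tool such as dd.

```python
"""Forensic capture record: time-offset note plus image integrity check.

Added example, not from the flashcards. The "device" is a constructed
temporary file standing in for a drive behind a write blocker; the clock
values are constructed too.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def time_offset(reliable_time: datetime, device_time: datetime) -> timedelta:
    """Offset to ADD to a device timestamp to obtain reliable time.

    Recording this at capture time lets every device timestamp in the
    evidence be corrected later (device clocks drift or are set wrong).
    """
    return reliable_time - device_time


def correct_device_timestamp(device_ts: datetime, offset: timedelta) -> datetime:
    """Apply a recorded offset to a timestamp taken from the device."""
    return device_ts + offset


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(source: Path, image: Path) -> dict:
    """Image `source` to `image` and check that neither was altered.

    Hash the source before imaging, copy it, hash the image, then hash the
    source again. With a working write blocker the source hash must be
    unchanged; the image hash must equal it for the copy to be usable as
    evidence.
    """
    before = sha256_file(source)
    shutil.copyfile(source, image)        # stands in for dd / dc3dd / ewfacquire
    image_hash = sha256_file(image)
    after = sha256_file(source)
    return {
        "source_sha256_before": before,
        "image_sha256": image_hash,
        "source_sha256_after": after,
        "source_unmodified": before == after,
        "image_matches_source": image_hash == before,
    }


def demo() -> dict:
    """Run the whole capture record on constructed data."""
    # Constructed clocks: the device clock is 7 minutes 30 seconds slow.
    reliable = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    device = datetime(2024, 3, 1, 11, 52, 30, tzinfo=timezone.utc)
    offset = time_offset(reliable, device)

    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "device.raw"
        img = Path(tmp) / "device.img"
        src.write_bytes(b"CONSTRUCTED DISK CONTENTS\x00" * 4096)  # fake drive
        record = image_and_verify(src, img)

    record["time_offset_seconds"] = offset.total_seconds()
    # A device log entry stamped 11:55:00 device time really happened at 12:02:30.
    record["example_corrected_ts"] = correct_device_timestamp(
        datetime(2024, 3, 1, 11, 55, 0, tzinfo=timezone.utc), offset
    ).isoformat()
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The three hashes are the part worth keeping in the chain-of-custody notes: a source hash that changes between the first and second pass means the blocker was not doing its job and the capture should be repeated.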
NetFlow : captures high-level information about all communications on a network. Includes : source and destination IP addresses and ports, timestamps, and the amount of data transferred, but not the payload of the actual packets. Routers and firewalls capture NetFlow data.
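Because flow records hold only endpoints, timestamps and byte counts, analysis of them is limited to who talked to whom, when, and how much. The script below is an added example and not part of the flashcards or of any NetFlow tool; the records are constructed in a simple CSV layout (start time, source IP and port, destination IP and port, protocol, bytes) loosely resembling a collector export, and the internal address ranges and the 1 GB exfiltration threshold are assumptions.

```python
"""Triage of NetFlow-style records.

Added example, not from the flashcards. The records below are constructed;
the field layout, internal ranges and byte threshold are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: ts, src_ip, src_port, dst_ip, dst_port, proto, bytes
FLOWS_CSV = """\
2024-03-01T09:00:01Z,10.0.5.23,51234,10.0.0.10,443,TCP,18240
2024-03-01T09:00:04Z,10.0.5.23,51240,203.0.113.44,443,TCP,950000000
2024-03-01T09:01:10Z,10.0.5.23,51241,203.0.113.44,443,TCP,1200000000
2024-03-01T09:02:00Z,10.0.7.8,44321,198.51.100.9,53,UDP,312
2024-03-01T09:02:30Z,192.168.1.15,40000,10.0.0.10,22,TCP,5120
2024-03-01T09:03:00Z,198.51.100.200,40123,10.0.0.10,445,TCP,2048
"""


def parse_flows(csv_text: str) -> list[dict]:
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in csv_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, nbytes = parts
        flows.append({
            "ts": ts, "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes),
        })
    return flows


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_by_pair(flows: list[dict]) -> dict[tuple, int]:
    """Sum bytes sent from internal sources to external destinations."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return dict(totals)


def flag_large_transfers(flows: list[dict], threshold_bytes: int = 1_000_000_000) -> list[tuple]:
    """(src, dst, total_bytes) pairs whose outbound total reaches the assumed threshold."""
    return sorted(
        (src, dst, total)
        for (src, dst), total in outbound_bytes_by_pair(flows).items()
        if total >= threshold_bytes
    )


def inbound_from_external(flows: list[dict]) -> list[tuple]:
    """Flows from outside to internal hosts, as (src, dst, dport)."""
    return [
        (str(f["src"]), str(f["dst"]), f["dport"])
        for f in flows
        if not is_internal(f["src"]) and is_internal(f["dst"])
    ]


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    print("large outbound transfers:", flag_large_transfers(flows))
    print("inbound from external:", inbound_from_external(flows))
```

Note what the records cannot tell you: the two flagged flows to 203.0.113.44 on port 443 could be a backup job or an exfiltration over TLS. NetFlow shows the volume and the peer; confirming what was sent needs a full packet capture or host evidence.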
Operational Investigations : look into technology issues and restore normal operations as quickly as possible; use a very low standard of evidence; typically involve root cause analysis.
Digital Forensics : techniques that collect, preserve, analyze, and interpret digital evidence.
Order of Volatility (most to least volatile) : network traffic, memory contents, system and process data, files, logs, and archived records. Collect the most volatile evidence first.
Eradication and Recovery : remove the effects of the incident and return to normal operations. Technical recovery examples : rebuild compromised systems, remove malware, disable breached accounts, restore corrupted or deleted data.
Incident Reconstitution : identify and remediate the vulnerabilities that allowed the incident, e.g., applying security patches, updating firewall rules, implementing intrusion prevention, strengthening access controls.
Triaging Incidents :
- Low impact : minimal potential to affect security; normally handled by first responders; does not require an after-hours response.
- Moderate impact : significant potential to affect security; triggers incident response team activation; requires prompt notification to management.
- High impact : may cause critical damage to information or systems; gets an immediate, full response; requires immediate notification to senior management; demands full mobilization of the incident response team.
Incident Mitigation : control damage and loss to the organization through containment. When choosing a containment strategy, consider : damage potential, evidence preservation, service availability, resource requirements, expected effectiveness, and solution timeframe.
Incident Data Sources : IDS/IPS, firewalls, authentication systems, integrity monitors, vulnerability scanners, system event logs, NetFlow records, anti-malware packages, etc.
Escalation and Notification Objectives : escalate incident severity based on impact, escalate the response to the appropriate level, and notify management and other stakeholders.
Incident Response Procedures : contain the details of the plan and tactical guidance for incident responders, e.g., notification, escalation, reporting, system isolation, forensic analysis, and evidence handling.
Communications with : senior executives, legal counsel, public relations, regulatory agencies, and law enforcement. Components of the IR team : management, information security, subject matter experts, legal counsel, public affairs, HR, and physical security staff. Also run test scenarios to exercise staff capabilities, etc.
Supply Chain Assessment : security professionals should pay careful attention to managing vendor relationships in a way that protects the confidentiality, integrity, and availability of their organization's information and IT systems.