| Question | Answer |
| --- | --- |
| What is the first step in deciding how to respond to a computer attack? | Determine if and when an attack has taken place |
| What is the second step once the occurrence of an incident has been determined? | Conduct an investigation and collect evidence |
| Types of investigations | Operational, criminal, civil, regulatory |
| This type of investigation examines issues related to the organization's computing infrastructure, and its primary goal is to resolve operational issues | Operational investigations |
| This type of investigation is typically conducted by law enforcement personnel to look into alleged legal violations | Criminal investigations |
| This type of investigation typically involves internal employees and outside consultants working on behalf of a legal team to prepare the evidence necessary to resolve a dispute between two parties | Civil investigations |
| This type of investigation is performed by government agencies when they believe administrative law has been violated | Regulatory investigations |
| This type of investigation has the loosest standards for the collection of information | Operational investigations |
| Evidence demonstrating that the outcome of the case is more likely than not (the preponderance of the evidence standard) is sufficient for which kind of investigation? | Civil investigations |
| What are the 9 steps in the Electronic Discovery (eDiscovery) Reference Model, which describes a standard process for conducting eDiscovery? | Information governance, identification, preservation, collection, processing, review, analysis, production, presentation |
| What is media analysis? | A branch of computer forensic analysis involving the identification and extraction of information from storage media |
| Why is it difficult to reconstruct activities that took place over a network for forensic analysis? | Because of the volatility of network data. It is generally not preserved, so it has to be deliberately recorded in log files at the time it occurs. |
| Major categories of computer crime | Military and intelligence attacks, business attacks, financial attacks, terrorist attacks, grudge attacks, thrill attacks |
| Primary focus of business attacks | Business attacks focus on illegally obtaining an organisation's confidential information |
| Primary focus of financial attacks | Financial attacks aim to unlawfully obtain money or services and are the most commonly reported |
| What are advanced persistent threats? | Sophisticated, highly effective attacks against a very focused target. The attackers are well funded and have advanced technical skills and resources. |
| What are military and intelligence attacks? | Military and intelligence attacks aim to obtain secret and restricted information from law enforcement, military, or technological research resources. |
| What is an incident? | An event that has a negative outcome affecting the confidentiality, integrity, or availability (CIA) of an organization's data |
| List the general categories of incidents | Scanning, compromises, malicious code, denial of service |
| What are scanning attacks? | Scanning attacks are reconnaissance attacks that usually precede a more serious attack. |
| How might scanning attacks be identified? | Look for any unusual activity on any port or from any single address. Automate evidence collection by configuring the firewall to log rejected traffic. |
| What is a system compromise? | A system compromise is any unauthorized access to a system or to the information the system stores. |
| How can system compromises be detected? | Detection is difficult, but usually the data custodian notices unusual actions performed on the data. |
| How can a malicious code incident be detected? | Implement virus and spyware scanners; implement a security policy that addresses the introduction of outside code; end users may report suspicious behaviour caused by the malicious code |
| How can DoS incidents be detected? | They are the easiest to detect: a user or an automated tool reports that a service or machine is unavailable |
| What are the primary responsibilities of a computer incident response team (CIRT)? | Determine the scope and level of damage caused by the incident, determine whether confidential information was compromised, implement any necessary recovery procedures, supervise the implementation of any improved security measures |
| Steps in the incident response process | 1. Detection and identification 2. Response and reporting 3. Recovery and remediation |
| Tools to monitor for events potentially pointing to security incidents | Intrusion detection / prevention systems, antivirus software, firewall logs, system logs, physical security systems, file integrity monitoring software |
| What sources of data should be gathered or confiscated when collecting evidence? | Computer systems involved in the incident, logs from the security systems, logs from network devices, physical access logs, other relevant sources of information |