Incident Response: Disaster Recovery Plan

Questions and Answers

What is the primary focus of a Business Continuity Plan (BCP)?

  • To develop detailed guidance for information systems
  • To keep an organization functioning during disruptions (correct)
  • To respond to specific incidents like fires and floods
  • To execute a full recovery to normal operations

Which of the following is NOT typically covered by a Disaster Recovery Plan?

  • Incident-focused responses
  • Retaining employee job functions during recovery (correct)
  • Full recovery to normal operations
  • Systematic testing of plans and procedures

What stage in the NIST 800-34 process involves identifying key assets for a business?

  • Planning maintenance of the plan
  • Developing a policy statement
  • Conducting a business impact analysis (BIA) (correct)
  • Creating contingency strategies

Which standard addresses business continuity management in the context of information security?

    Answer: ISO 27001

    What is a critical component of the Incident Response Plan (IRP)?

    Answer: Addressing specific incidents thoroughly

    How often should the testing and training of the recovery plans typically be conducted?

    Answer: Annually

    Which of the following is an element of the contingency planning guide provided by NIST?

    Answer: Identifying preventative controls

    What does NFPA 1600 pertain to in the context of planning?

    Answer: Standards on Disaster/Emergency Management and Business Continuity

    What is the highest score indicating a very easy exploitability of an attack?

    Answer: 10

    Which rating indicates a critical vulnerability that should be addressed immediately?

    Answer: 40-50

    During the detection phase of an incident response process, what is the main goal?

    Answer: Determine affected systems

    How is the overall threat rating calculated?

    Answer: Summing scores across five key areas

    What is the primary objective during the containment phase of incident response?

    Answer: Limit the incident's impact

    Which score indicates that the vulnerability is hard to discover?

    Answer: 0

    What is considered a low risk threat rating?

    Answer: Low (1-10)

    What is a critical step in the eradication phase of incident response?

    Answer: Patch vulnerabilities

    What is the primary purpose of a Business Impact Analysis (BIA)?

    Answer: To contemplate likely disasters and their impact on the organization

    Which of the following must always be lower than the Maximum Tolerable Downtime (MTD)?

    Answer: All of the above

    What is the difference between a differential backup and an incremental backup?

    Answer: Differential backup includes all changes since the last full backup; incremental backup includes all changes since the last backup of any type.

    What does Recovery Point Objective (RPO) refer to?

    Answer: The maximum amount of data loss an organization can tolerate

    Which of the following represents the highest level of damage potential according to the criteria provided?

    Answer: 10: Destruction of an information system; data or application unavailability

    How are vulnerabilities effectively described when discussing a computer incident?

    Answer: Through the vulnerabilities that led to the incident

    Which backup type captures all changes since the last backup of any type?

    Answer: Incremental backup

    Which component reflects the average time it takes to repair an item?

    Answer: Mean Time to Repair (MTTR)

    What is the maximum amount of RAM that a 32-bit system can address?

    Answer: 4 GB

    Which files are essential during the boot process of a Windows system?

    Answer: Min.drivers

    What does the Windows swap file help to augment?

    Answer: Random Access Memory

    Which command would be used to identify currently loaded DLLs on a Windows machine?

    Answer: ListDLLs

    What kind of data does Index.dat store?

    Answer: Web addresses and search queries

    Which of the following is NOT one of the five Windows registry hives?

    Answer: Internet

    What is a primary characteristic of volatile memory?

    Answer: Requires constant power to retain data

    What term describes the file that stores items from memory temporarily on the hard disk in a Windows system?

    Answer: pagefile.sys

    What is the primary purpose of capturing a memory dump in forensic analysis?

    Answer: To analyze active processes and potential malware

    What do the properties of MAC in file systems refer to?

    Answer: File modified, created, and accessed dates

    What technique is used to inject a malicious DLL into a legitimate process?

    Answer: DLL Injection

    What is the purpose of the Pslist command in Volatility?

    Answer: Listing running processes

    Which memory capturing tool offers a graphical interface?

    Answer: RAM Capturer

    What does the term 'hollowed processes' refer to?

    Answer: Legitimate processes that have been hijacked by malware

    Which of the following best describes the stack in computer memory?

    Answer: Automatically managed memory for temporary variables

    What is the function of the Memory Address Register (MAR)?

    Answer: Stores memory addresses to fetch data

    In Linux forensics, which command is essential for undeleting files?

    Answer: extundelete

    Which term refers to the memory that is lost when the device is powered off?

    Answer: Volatile memory

    Which command in Volatility is specifically used for identifying malware?

    Answer: Malfind

    Which shell was originally the default shell for UNIX systems?

    Answer: Bourne shell (sh)

    What are the three main sections of a network packet?

    Answer: Header, Payload, Footer

    Which command is used to check the current configuration of a router?

    Answer: Show running-config

    Why should a forensic investigator not shut down a router when gathering evidence?

    Answer: It can erase valuable evidence

    Which protocol operates on port 25?

    Answer: SMTP

    What type of data can TCP header synchronization bits provide?

    Answer: Interesting forensic data

    Study Notes

    Incident Response: Disaster Recovery Plan

    • Disaster recovery plans are in place to respond to various events like fires, floods, hurricanes, tornadoes, hard drive failures, network outages, malware infections, data theft, or data deletion.
    • Business Continuity Plans (BCP) aim to keep the organization functioning, as close to normal as possible, until full recovery is achieved.
    • Incident Response Plans (IRP) focus on handling specific incidents.
    • Disaster Recovery Plans (DRP) concentrate on restoring normal operations to full functionality.

    Standards for BCPs

    • ISO/IEC 27001: A broad international standard for information security management systems; its control set includes the information security aspects of business continuity management.
    • NIST SP 800-34: A guide for contingency planning in federal information systems, outlining a seven-step process for BCP/DRP projects: develop the contingency planning policy statement, conduct the business impact analysis (BIA), identify preventive controls, create contingency strategies, develop the contingency plan, ensure plan testing, training and exercises, and maintain the plan.

    Business Impact Analysis (BIA)

    • BIA is a process in which the disaster recovery team considers the disasters likely to occur and their impact on the organization.
    • BIA identifies critical systems, the priority in which they are restored, and the maximum tolerable downtime (MTD) of each.
    • Maximum Tolerable Downtime (MTD) is the longest a system or business process can be unavailable before the organization suffers unacceptable harm; every recovery target is set below it.
    • Recovery Time Objective (RTO) is the target time within which a system must be restored after an outage; it must always be shorter than the MTD.
    • Mean Time To Repair (MTTR) is the average time to repair an item.
    • Mean Time To Failure (MTTF) is the average time a system runs under normal use before it fails.
    • Recovery Point Objective (RPO): Tied to backups; the maximum amount of data loss, measured as a span of time, that the organization can tolerate, which dictates how often backups must run.
    • Annualized Loss Expectancy (ALE): Calculated by multiplying Single Loss Expectancy (SLE) by Annualized Rate of Occurrence (ARO): ALE = SLE × ARO.
    • Single Loss Expectancy (SLE): Calculated by multiplying Asset Value (AV) by Exposure Factor (EF): SLE = AV × EF.

    Types of Backups

    • Full Backup: A complete copy of all selected data regardless of when it last changed; the other two types are measured against the most recent full backup.
    • Differential Backup: All changes since the last full backup (grows until the next full; a restore needs the full plus only the latest differential).
    • Incremental Backup: Changes since the last backup of any type (small sets; a restore needs the full plus every later incremental applied in order).
    • Hierarchical Storage Management (HSM): Automatically moves data between fast and slow storage tiers (disk, tape or optical libraries); sometimes described as a continuous online backup.
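
The restore-chain rule behind the three backup types is easy to get wrong under pressure, so here is a small simulator, added for these notes and not taken from the source PDF, that records which files each backup type copies and works out the sets needed to restore to any point. The file names and the sequence of changes are constructed; deletions are not modelled.

```python
"""Model full, differential and incremental backups and work out the restore
chain each one implies.  Constructed example: the file names and the sequence
of changes are made up, and deletions are not modelled."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Backup:
    kind: str              # "full", "differential" or "incremental"
    files: dict[str, str]  # path -> content captured in this backup set


class BackupSimulator:
    """Tracks a live file tree plus the change sets each backup type copies."""

    def __init__(self) -> None:
        self.live: dict[str, str] = {}
        self.backups: list[Backup] = []
        self._since_full: dict[str, str] = {}  # reset only by a full backup
        self._since_any: dict[str, str] = {}   # reset by a backup of any type

    def write(self, path: str, content: str) -> None:
        self.live[path] = content
        self._since_full[path] = content
        self._since_any[path] = content

    def backup(self, kind: str) -> Backup:
        if kind == "full":
            files = dict(self.live)          # everything, changed or not
            self._since_full = {}
        elif kind == "differential":
            files = dict(self._since_full)   # all changes since the last full
        elif kind == "incremental":
            files = dict(self._since_any)    # changes since the last backup of any type
        else:
            raise ValueError(f"unknown backup type {kind!r}")
        self._since_any = {}
        b = Backup(kind, files)
        self.backups.append(b)
        return b

    def restore_chain(self, i: int) -> list[int]:
        """Indices of the backup sets needed, in apply order, to restore set i."""
        kinds = [b.kind for b in self.backups[: i + 1]]
        full = max(j for j, k in enumerate(kinds) if k == "full")
        if kinds[i] == "full":
            return [full]
        if kinds[i] == "differential":
            return [full, i]
        # Incremental: start from the full, jump to the newest differential after
        # it (it already holds every earlier change), then apply each later
        # incremental in order up to and including i.
        base = max((j for j in range(full + 1, i) if kinds[j] == "differential"), default=full)
        chain = [full] if base == full else [full, base]
        return chain + [j for j in range(base + 1, i + 1) if kinds[j] == "incremental"]

    def restore(self, i: int) -> dict[str, str]:
        state: dict[str, str] = {}
        for j in self.restore_chain(i):
            state.update(self.backups[j].files)
        return state


def demo() -> BackupSimulator:
    """Constructed backup schedule used to illustrate the three types."""
    sim = BackupSimulator()
    sim.write("/etc/passwd", "v1")
    sim.write("/var/log/auth.log", "day1")
    sim.backup("full")              # set 0: both files
    sim.write("/var/log/auth.log", "day2")
    sim.backup("incremental")       # set 1: auth.log only
    sim.write("/etc/passwd", "v2")
    sim.backup("incremental")       # set 2: passwd only; auth.log is not re-copied
    sim.backup("differential")      # set 3: both files, everything changed since set 0
    sim.write("/var/log/auth.log", "day3")
    sim.backup("incremental")       # set 4: auth.log only
    return sim


if __name__ == "__main__":
    sim = demo()
    for i, b in enumerate(sim.backups):
        print(f"set {i} ({b.kind:12}) {sorted(b.files)}  restore chain -> {sim.restore_chain(i)}")
```

Run it and compare sets 2 and 3: restoring the second incremental needs three sets applied in order, while the differential taken right after it needs only the full plus itself. That trade between backup size and restore complexity is what the RPO and RTO numbers from the BIA have to be balanced against.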

    Describing a Computer Incident

    • DREAD score metrics: A five-area threat-rating model for describing an incident (often mislabelled as CVSS; CVSS uses different metrics). Each area is scored 0-10, the five scores are summed, and the total is banded: 1-10 is low risk, 40-50 is critical and must be addressed immediately.
    • Damage Potential: Measures the severity of damage from the attack, from no damage (0) to destruction of the system or unavailability of its data or applications (10).
    • Reproducibility: Measures how reliably the attack can be reproduced, from impossible to every time.
    • Exploitability: Measures how hard the attack is to launch, from requiring advanced skills and custom tooling to trivially easy with readily available tools (10).
    • Affected Users: Measures how many users the incident affects, from a single user to all users.
    • Discoverability: Measures how easily the vulnerability is found, from very hard to discover (0) to obvious.

    Incident Response Process

    • Detection: Identifying affected systems.
    • Containment: Limiting the incident's spread.
    • Eradication: Removing the threat.
    • Recovery: Returning to business as usual.
    • Follow-up: Evaluating and improving future responses.

    Windows Forensics

    • 32-bit vs. 64-bit processing: A 32-bit system can address at most 4 GB of RAM; 64-bit systems address far more.
    • Boot Process: BIOS, POST, MBR, then the boot loader and kernel.
    • Volatile data: The contents of running memory (processes, loaded DLLs, network connections) are lost at power-off, so capture a memory dump before shutdown; pagefile.sys holds memory pages that Windows has swapped out to disk.

    Types of Memory

    • Stack: Allocated last-in, first-out; holds local (temporary) variables and return addresses and is managed automatically.
    • Heap: Area where programs allocate memory dynamically.
    • Memory Address Register (MAR): Holds memory addresses.
    • Memory Data Register (MDR): Holds memory data in transit.

    Linux Forensics

    • Linux file systems and logs.
    • Forensically interesting directories.
    • Important shell commands: ls, cp, mkdir, cd, rm, rmdir
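
A MAC-time timeline is the usual first pass over a Linux image: every file's modified, accessed and changed times are turned into one chronological event list. The script below is an added example for these notes, not material from the source PDF; it builds the timeline from os.stat over a directory, and its two files and their timestamps are constructed in a temporary directory. Note the caveat in the docstring: on Linux the C in MAC is the inode change time, not a creation time, even though the quiz defines MAC using the Windows meaning.

```python
"""Build a MAC-time timeline (the idea behind a mactime 'body file') for a
directory tree.  Added example; the files and timestamps are constructed in
a temporary directory rather than taken from real evidence."""
from __future__ import annotations

import os
import tempfile
from datetime import datetime, timezone


def mac_timeline(root: str) -> list[tuple[int, str, str]]:
    """Return (epoch_seconds, flags, path) tuples in chronological order.

    flags has three columns: 'm' if st_mtime fell on that second, 'a' for
    st_atime, 'c' for st_ctime, '.' otherwise.  On Linux st_ctime is the inode
    *change* time (permissions, owner, link count), not the creation time, so
    'c' does not mean 'created' here even though Windows tools use it that way.
    """
    events: dict[tuple[int, str], set[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink planted on the image
            for col, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.setdefault((int(ts), path), set()).add(col)
    timeline = []
    for (ts, path), cols in sorted(events.items()):
        flags = "".join(c if c in cols else "." for c in "mac")
        timeline.append((ts, flags, path))
    return timeline


def render(timeline: list[tuple[int, str, str]]) -> str:
    """Human-readable listing with UTC timestamps, one event per line."""
    return "\n".join(
        f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} {path}"
        for ts, flags, path in timeline
    )


def demo() -> list[tuple[int, str, str]]:
    """Two constructed files with known access/modification times; returns the
    timeline with paths reduced to basenames so it is independent of the tmpdir."""
    with tempfile.TemporaryDirectory() as root:
        auth = os.path.join(root, "auth.log")
        hist = os.path.join(root, ".bash_history")
        for p in (auth, hist):
            open(p, "w").close()
        # os.utime takes (atime, mtime); ctime cannot be set and records the
        # moment of this call, so the 'c' events land last in the timeline.
        os.utime(auth, (1_700_000_000, 1_700_003_600))  # read, then modified an hour later
        os.utime(hist, (1_700_001_800, 1_700_001_800))  # read and written in the same second
        timeline = mac_timeline(root)
    return [(ts, flags, os.path.basename(path)) for ts, flags, path in timeline]


if __name__ == "__main__":
    print(render(demo()))
```

The "..c" events at the end of the output are the point of the caveat: touching a file's times with utime (which an attacker can also do to backdate a dropped file) still updates ctime, so a ctime far newer than mtime is itself worth a look.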

    Linux Shells

    • Bourne shell (sh)
    • Bourne-again shell (Bash)
    • C shell (csh)
    • Korn shell (ksh)

    Network Forensics

    • Understanding network packets: Header, Payload, Footer (trailer)
    • Packet analysis
    • Capturing packets
    • Conducting router forensics: do not power the router off; its routing tables, ARP cache and logs live in volatile memory and are lost on shutdown.
    • Firewall logs
    • Common ports: FTP (20, 21), SSH (22), Telnet (23), SMTP (25), DNS (53), HTTP (80), POP3 (110).
    • Router commands: show version, show running-config, show stacks, show interfaces to collect the router's state.
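
To make the header/payload split and the TCP "synchronization bits" concrete, here is a raw IPv4/TCP parser, added for these notes rather than taken from the source PDF. It unpacks the IP and TCP headers, verifies the IP header checksum (a mismatch on captured traffic points at a crafted or corrupted packet), decodes the flag bits and names the service from the port table above. The addresses, ports and payload are constructed; the build function exists only so the example runs offline, and it leaves the TCP checksum at zero.

```python
"""Parse the header and payload of a raw IPv4/TCP packet, verify the IP header
checksum, decode the TCP flag bits and name the service by port.  Added example;
the addresses, ports and payload below are constructed, not captured traffic."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

# Port table from the notes; anything else is reported as "unknown".
WELL_KNOWN_PORTS = {20: "FTP-data", 21: "FTP", 22: "SSH", 23: "Telnet",
                    25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3"}

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; over a header that carries a valid checksum it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: list[str]
    service: str
    ip_checksum_ok: bool
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    # A bad checksum on captured traffic points at a crafted or corrupted packet.
    ip_ok = ones_complement_checksum(raw[:ihl]) == 0
    tcp = raw[ihl:total_len]
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_offset = (off_flags >> 12) * 4          # TCP header length, options included
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    service = WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport, "unknown")
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                  flags, service, ip_ok, tcp[data_offset:])


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flag_bits: int,
                   payload: bytes = b"") -> bytes:
    """Assemble a minimal packet (no options, TCP checksum left at 0) for testing."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flag_bits, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    syn = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51515, 25, 0x02)
    print(parse_ipv4_tcp(syn))   # SYN alone: a connection attempt to SMTP
    data = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 51515, 25, 0x18, b"EHLO mail.example\r\n")
    print(parse_ipv4_tcp(data))  # PSH|ACK carrying the first SMTP command
```

A SYN with no ACK is the start of a handshake, so a burst of them from one source to many ports is what a port scan looks like in the header alone, before any payload is sent; that is the "interesting forensic data" the quiz answer refers to.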

    Related Documents

    Forensics Final Notes PDF

    Description

    This quiz explores key concepts of disaster recovery and business continuity planning. It covers the distinctions between Business Continuity Plans (BCP), Incident Response Plans (IRP), and Disaster Recovery Plans (DRP), along with relevant standards such as ISO 27001 and NIST SP 800-34. Test your understanding of the principles involved in ensuring organizational resilience during crises.
