Renante Midterm

Last updated 2:09 PM on 3/3/26
63 Terms

1. Information Security Governance

Is the system by which an organization directs, controls, and evaluates its information security efforts. It exists to ensure that security supports organizational goals, complies with laws and regulations, and is sustainable over time.

2. Computer Security Incident Response Team (CSIRT)

Is responsible for managing and coordinating the response once an incident is confirmed. While the SOC detects incidents, the CSIRT takes control of the situation.

3. Digital Evidence

This includes:
- System and application logs
- Emails and messages
- Disk images
- Memory captures
Evidence must be:
- Accurate - faithfully represents the original data
- Untampered - protected from alteration
- Reproducible - verifiable using repeatable methods

4. Policy Compliance

These are:
- Internal rules and procedures
- Legal requirements - privacy and due process laws
- Regulatory standards - sector-specific compliance

5. Heap

Used for dynamic memory allocation during runtime, such as objects and buffers created by programs.

6. Full Memory Dump

Captures all RAM, including user and kernel space. Useful for complete forensic investigations and malware analysis.

7. Process Dump

Captures the memory of a single running process. Helpful for reverse engineering or isolating malicious behavior within a specific application.

8. Physical (Bit-by-Bit) Acquisition

Creates an exact copy of the entire storage device. Includes:
- Active files
- Deleted files
- Unallocated space
- Slack space
This is the gold standard in forensic investigations.

9. Logical Acquisition

Copies only:
- Visible files
- Active folders
- User-selected data
Does NOT include:
- Deleted files
- Hidden sectors

10. Host Indicators

Can include file signatures, registry keys, process IDs, network connections, and other system data. Security analysts and cybersecurity experts use various methods, including manual analysis and automated scanning, to collect indicators of compromise from hosts.

11. Network Indicators

Are any data or activity on a network that could indicate that the network has been compromised. They can include forensic evidence such as abnormal traffic patterns, sudden changes in user behavior, access from malicious IP addresses, repeated incorrect logins, or malware infections.

12. Organizational Accountability

Means that specific individuals or roles are answerable when security controls fail. It prevents the common excuse of "everyone is responsible, so no one is responsible."

13. Governance

- Sets security direction and priorities
- Defines acceptable and unacceptable risk
- Approves policies and resources
Governance answers: "What matters most to protect?"

14. Risk Management

Translates governance decisions into measurable, structured, and defensible security actions. While governance defines what the organization values and must protect, risk management determines what could go wrong, how likely it is to occur, and how severe the impact would be.

15. Threats

Are potential events that can cause harm. Examples:
- Phishing attacks
- Ransomware
- Insider misuse
- Natural disasters

16. Vulnerabilities

Are weaknesses that threats may exploit. Examples:
- Weak authentication
- Unpatched systems
- Poor network segmentation
- Insecure IoT devices

17. Likelihood

How probable is it that the threat will occur?

18. NIST Risk Management Framework (NIST RMF)

Provides a formal, repeatable, and lifecycle-based approach to managing cybersecurity risk. It is widely adopted in government, critical infrastructure, and enterprise environments.

19. Security Operations

Handle day-to-day execution, including:
- Monitoring systems
- Applying patches
- Responding to incidents
- Enforcing technical controls
Operations answer: "How do we protect it in practice?"

20. Security Policy

Is a high-level management statement that defines:
- Organizational intent
- Security expectations
- Consequences for non-compliance
Policies are:
- Mandatory
- Approved by top management
- Enforceable
Example: "All employees must protect company information assets."

21. Security Standards

Provide specific, measurable requirements that support policy enforcement. They are:
- Mandatory
- Often technical
- Used for audits and compliance
Examples:
- Passwords must be at least 12 characters
- Systems must use encryption

22. Security Procedures

Explain how to comply with policies and standards. They:
- Provide step-by-step instructions
- Reduce confusion during incidents
- Enable consistent response
Example: "How to report a suspected phishing email"

23. Security Guidelines

- Offer best practices
- Allow flexibility
- Support, but do not replace, policies
Example: "Best practices for working remotely"

24. Security Operations Center (SOC)

Is responsible for the continuous, real-time defense of the organization's information systems. It acts as the first line of defense against security incidents.

25. Digital Forensics and Incident Response (DFIR)

Is a combined cybersecurity methodology used to detect, contain, and analyze cyberattacks while preserving evidence. It integrates investigation (forensics) with swift mitigation (response) to understand how breaches occurred, minimize damage, and strengthen security, ensuring evidence is suitable for legal proceedings. DFIR bridges technical investigation and legal accountability. Its role is critical when incidents may lead to:
- Legal action
- Disciplinary measures
- Regulatory penalties

26. Malware

Refers to any malicious software designed to disrupt operations, steal data, or gain unauthorized access.

27. Ransomware

Is a specific type of malware that encrypts data and demands payment.

28. Phishing

Uses deception rather than technical exploits. Attackers manipulate users into:
- Revealing credentials
- Clicking malicious links
- Installing malware
Social engineering is especially dangerous because it bypasses technical controls.

29. Insider Threats

Come from employees, contractors, or partners with legitimate access. These threats may be:
- Malicious (intentional data theft)
- Negligent (accidental disclosure)

30. Data Leakage

Occurs when sensitive information is exposed to unauthorized parties, intentionally or accidentally.

31. Denial of Service (DoS)

Aims to disrupt availability by overwhelming systems or networks.

32. Unauthorized Access

Occurs when an attacker gains access to systems or data without permission.

33. Impact

Measures the business and legal consequences, such as:
- Financial losses
- Legal penalties
- Reputation damage
- Safety risks

34. Preparation

Is the most important phase and the most neglected. Includes:
- Documented incident response policies
- Defined roles and responsibilities
- Approved tools and technologies
- Training and simulations
Without preparation:
- Teams panic
- Evidence is lost
- Decisions are delayed

35. Identification

- Detecting suspicious activity
- Verifying whether it is a real incident
- Determining incident type and scope
Example: The SOC confirms ransomware presence after correlating alerts, logs, and endpoint behavior.

36. Containment

Aims to limit damage while preserving evidence. It includes:
- Isolating affected systems
- Blocking malicious traffic
- Preventing lateral movement
Example: Disconnecting infected machines from the network while keeping them powered on for forensic analysis.

37. Eradication

Removes the root cause of the incident. Actions include:
- Deleting malware
- Removing attacker access
- Patching vulnerabilities

38. Recovery

- Restoring systems to normal operation
- Validating system integrity
- Monitoring for reinfection
Example: Restoring systems from clean, verified backups and monitoring logs post-recovery.

39. Lessons Learned (Post-Incident Activity)

These ensure continuous improvement. Activities include:
- Post-incident review
- Policy updates
- Training improvements
Example: After a phishing attack, email security controls and user awareness programs are strengthened.

40. Chain of Custody

Is the documented history of evidence handling. It records:
- Who collected the evidence
- When and how it was collected
- Where it was stored and transferred
Purpose:
- Prevent tampering
- Maintain integrity
- Ensure court admissibility

41. Memory Forensics

Is the structured forensic process of capturing, preserving, and analyzing volatile memory (RAM) to identify evidence of system activity that cannot be reliably recovered from disk. Unlike hard drives, RAM is a temporary workspace used by the operating system and applications. Anything currently executing, decrypted, or actively communicating must exist in memory at some point.

42. Volatile Memory

Refers to memory that holds system and user-level data while the computer runs. When the system is powered off or restarted, this data is lost. The most common form of this memory is RAM (Random Access Memory). RAM temporarily stores everything from open files and running processes to decrypted data. Since this data only exists while the system is active, investigators often prioritize capturing RAM as early as possible during an investigation.

43. Virtual Memory

Is a system-managed memory space where the operating system maps a program's virtual addresses to physical RAM or to disk-based swap space when RAM is full. Swap space temporarily stores inactive data, allowing more processes to run than RAM alone can support. This makes each process appear to have its own dedicated memory while the OS dynamically moves data between RAM and disk based on system demand.

44. RAM

Is usually the memory on which investigations will focus. It is divided into two broad areas: kernel space and user space. Kernel space is reserved for the operating system and low-level services. It manages resources like device drivers and memory access. User space contains processes launched by the user or applications. Each process gets its own separate space, protected from others.

45. Stack

Stores temporary data like function arguments and return addresses. It grows and shrinks as functions are called and returned.

46. Executable

Stores the actual code or instructions the CPU runs.

47. RAM Analysis

The analysis of RAM offers a snapshot of what a system is doing at a particular moment. This includes:
- Running processes and loaded executables
- Open network connections and ports
- Logged-in users and recent commands
- Decrypted content, including encryption keys
- Injected code or fileless malware

48. Pagefile and Swap Analysis

Systems offload some memory content to disk when RAM is full. On Windows, this is stored in pagefile.sys, and on Linux, in the swap partition or swapfile. These can contain fragments of data that were once in RAM, offering additional context.

49. Digital Forensics

Prioritizes methodology and integrity over speed. Actions taken without proper forensic consideration may permanently destroy evidence or invalidate an investigation.

50. NIST SP 800-86

This guide recommends a four-step process for digital forensics: (1) identify, acquire and protect data related to a specific event; (2) process the collected data and extract relevant pieces of information from it; (3) analyze the extracted data to derive additional useful information; and (4) report the results of the analysis. Lessons learned during the forensic process should be incorporated in future forensic efforts.

51. Hash

Is a digital fingerprint of data. Examples: MD5, SHA-1, SHA-256. Even a one-bit change produces a completely different hash.

52. NTFS (Windows)

- Detailed metadata
- Multiple timestamps
- Supports file recovery

53. FAT / exFAT

- Common on USB devices
- Limited metadata
- Often used in data exfiltration

54. OS Artifacts

Are digital traces automatically created when users interact with a system. They exist even if users:
- Delete files
- Clear folders
- Attempt to hide activity
Artifacts are often created without the user's awareness.

55. Behavioral Indicators

(of compromise) Are patterns of suspicious behavior and activity that can suggest a user account or system has been compromised. These might include attempts to access unauthorized resources, unusual login times, or unexpected changes in user behavior. Security teams can identify potential threats and respond quickly by monitoring for these behavioral clues.

56. Adware

Adware is unwanted software designed to display or download advertising materials on your computer.

57. Trojans

Also known as trojan horses, Trojans are malicious code or programs that disguise themselves as legitimate software to trick users into downloading them.

58. Spyware

Is software that installs itself on your computer. It monitors your online behaviour and gathers information about you to forward to a third party.

59. Worms

Are malicious programs that replicate themselves to spread throughout a network. Unlike viruses, this malware can spread to other computers within a network by exploiting security vulnerabilities.

60. Static Analysis

Involves examining the malware's code without actually running it. Think of it as studying a blueprint to understand how a machine works. You load the malware file into a special tool, like a disassembler or debugger, to inspect its code line by line.

61. Dynamic Analysis

Involves running the malware in a safe, isolated environment to observe its behavior in real time. This is like turning the machine on to see what it actually does. How it works: You execute the malware inside a secure "sandbox," typically a virtual machine, and monitor its actions. You watch for changes to the file system, registry, network connections it tries to make, and any processes it creates.

62. Process Masquerading

Masquerading is an adversary technique to alter the features of their malicious artifacts to appear as legitimate and trusted ones. Code signatures, names, locations of malware, task names, and services are examples of these features. After masquerading, malicious artifacts such as malware files appear legitimate to users and security controls.

63. Email Indicators

Are red flags that go off in your email inbox should you receive suspicious emails. These indicators can range from an unexpected increase in spam to emails with strange file attachments, suspicious files, or unrecognized file names. If you see any of these unusual file activity signs, you must immediately protect your computer from further infection.
