IR Team
Incident Response team
Responsible for developing an incident response plan. Utilizes existing plans, policies, and procedures during IR preparation.
Incident Response Plan (IRP)
The set of processes an organization follows to recognize, respond to, and recover from a security incident.
Containment
An IR strategy that keeps an incident from spreading to other network resources (for example, blocking the attacker's traffic at the firewall).
Isolation
An IR strategy that limits an incident's impact to a single network resource, typically by disconnecting the affected host from the network.
Segmentation
An IR strategy that limits an incident's impact to a small group of network resources by placing them on a separate network segment.
Incident Recovery
A return to normal operation following an incident’s eradication.
Lessons Learned
Process of reviewing a recent task, incident, or event to identify an opportunity for improvement.
Root Cause Analysis (RCA)
A systematic approach used to determine an incident’s root causes.
Command-line interface (CLI)
A text-based interface used to execute commands typed at a keyboard.
Graphical User Interface (GUI)
A graphical interface used to interact with menus and icons via a pointing device.
Network Platform
A proprietary CLI or GUI used to execute commands or access software on a vendor-specific device.
Bandwidth Monitor
Used to measure the amount of data a connection transfers.
NetFlow
A Cisco-developed protocol in which routers and switches export records summarizing each traffic flow (source and destination addresses, ports, protocol, byte and packet counts) rather than the packet contents themselves.
Sampled Flow (sFlow)
A vendor-neutral flow standard in which devices randomly sample packets (for example, 1 in N) and export the samples along with interface counters; it scales to high-speed links at the cost of completeness.
IP Flow Information Export (IPFIX)
The IETF standard (RFC 7011) for exporting IP flow records, derived from NetFlow version 9; collectors and visualization tools consume the exported records.
Protocol Analyzer
Monitoring software that captures network traffic and decodes it by protocol so that individual packets and conversations can be inspected.
Metadata
Data describing or identifying other data.
Traffic log
A device’s recording of incoming and outgoing network traffic events.
Audit Log
A device’s recording of system-related events such as failed and successful user login attempts.
System Logging Protocol (Syslog)
A network protocol (RFC 5424) enabling a device or application to send log entries to a syslog server, normally over UDP or TCP port 514, or over TLS on port 6514.
Syslog Server
A node configured to receive and store logs from syslog-configured devices and applications.
Emergency (Level 0)
Indicates the system is unusable; the most severe level (lower numbers are more severe).
Alert (Level 1)
Indicates a condition requiring immediate action (for example, a corrupted system database).
Critical (Level 2)
Indicates a critical condition, such as a hardware failure.
Error (Level 3)
Indicates an error condition that does not stop the system.
Warning (Level 4)
Indicates a condition that is not yet an error but may lead to one if ignored.
Notification (Level 5)
Indicates a normal but significant event that may warrant attention.
Informational (Level 6)
Indicates a normal informational event that requires no action.
Debug (Level 7)
Records detailed diagnostic output that is normally hidden from operators.
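The severity levels above are not transmitted by name: every syslog message starts with a numeric PRI field equal to facility * 8 + severity, and collectors decode it to decide what to alert on. The script below, added here as an illustration and not part of the original card set, decodes PRI values, parses a handful of constructed sample lines (hostnames and addresses are placeholders), and selects everything at Error or worse while skipping malformed lines instead of crashing.

```python
"""Decode the syslog PRI field and triage messages by severity.

Added example; not part of the original card set. The sample lines below are
constructed for illustration. Facility and severity numbering follows
RFC 5424: PRI = facility * 8 + severity, with 0 (Emergency) most severe.
"""
import re

SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug",
}

# Facility codes 0-11 and local0-local7; anything else is reported numerically.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})

# Both RFC 3164 (BSD-style) and RFC 5424 messages begin with "<PRI>".
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, severity); reject out-of-range values."""
    if not 0 <= pri <= 191:  # 23 * 8 + 7 = 191 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_line(line):
    """Parse one raw syslog line into a dict; raises ValueError if no PRI."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "message": m.group(2),
    }


def select_at_or_above(lines, threshold):
    """Return entries whose severity is at least `threshold` (numerically <=).

    Lines without a valid PRI are skipped rather than aborting the triage:
    malformed or truncated records are common in real collections.
    """
    selected = []
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            continue
        if entry["severity"] <= threshold:
            selected.append(entry)
    return selected


# Constructed sample lines (RFC 5424 and RFC 3164 styles mixed, as a real
# collector sees them). Hostnames and addresses are placeholders.
SAMPLE_LINES = [
    "<34>1 2024-03-04T14:02:11Z web01 sshd 2201 - - Failed password for root from 198.51.100.9",
    "<86>Mar  4 14:02:12 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "<13>Mar  4 14:02:13 web01 app[4410]: request handled in 12ms",
    "<0>Mar  4 14:02:14 web01 kernel: Kernel panic - not syncing",
    "<191>Mar  4 14:02:15 web01 app[4410]: cache miss key=session:77",
    "Mar  4 14:02:16 web01 app[4410]: line forwarded without a PRI header",
]

if __name__ == "__main__":
    # Show everything at Error (3) or worse: the lines most worth paging on.
    for e in select_at_or_above(SAMPLE_LINES, 3):
        print(f'{e["facility"]}.{e["severity_name"].lower():<13} {e["message"]}')
```

With threshold 3 the script keeps only the auth.critical and kern.emergency lines; the authpriv.informational sudo record, which an investigator may care about just as much, is dropped, which is why severity alone is a coarse filter and facility or content should be part of any alerting rule.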
Syslogd
A legacy syslog daemon found on older Linux distributions.
Syslog Next Generation (syslog-ng)
A syslog daemon offering advanced features such as message filtering, TLS transport, and structured output.
Rsyslog
A syslog daemon used on most modern Linux distributions.
journalctl
A command-line tool for querying the binary journal kept by systemd-journald, the logging service of Linux's systemd system manager.
Dump File
A point-in-time capture of a system's or application's memory or state, written to a file (often binary, as with a crash or memory dump) for later analysis.
Session initiation Protocol (SIP) log
A log containing events for voice, video, and messaging sessions.
Quarantine
The process of isolating a compromised endpoint or data to prevent further compromise.
Application Approved List
A policy, and the configuration that enforces it, listing the applications an organization permits to run; anything not on the list is blocked.
Application Deny List or Application Blocklist
A policy, and the configuration that enforces it, listing the applications an organization forbids; anything not on the list is allowed, so it is weaker than an approved list.
Mobile Device Management (MDM)
Hardware and software resources used to centralize the configuration, monitoring, and management of mobile devices.
Security Orchestration, Automation, and Response (SOAR)
A platform that coordinates, executes, and automates tasks between people and security tools, for example enriching an alert and isolating a host through a playbook.
MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK)
A knowledge base, maintained by the MITRE Corporation, of adversary tactics and techniques observed in real intrusions; organizations use it to plan IR exercises and to map detection coverage.
Diamond Model of Intrusion Analysis
An attack framework focused on the relationships among an intrusion's four core components: adversary, capability, infrastructure, and victim.
Cyber Kill Chain
Lockheed Martin's attack framework describing the steps an attacker must complete to succeed, from reconnaissance through actions on objectives; breaking the chain at any step stops the attack.
IR Exercise
Use of an attack framework and the organization's IRP to evaluate how well the IR team would respond to an incident.
Tabletop Exercise
A discussion-based IR exercise in which the IR team talks through how it would handle a scenario, step by step, without touching any systems.
Walkthrough Exercise
An IR exercise in which the IR team steps through the IRP's actions, confirming that tools, contacts, and procedures are in place, without executing them against production systems.
Simulation Exercise
A hands-on IR exercise in which the IR team executes the IRP against a simulated incident in a test environment.
Failover
The process of automatically switching to redundant systems or resources to maintain uninterrupted operation in case of a primary system failure.
Parallel Processing
Simultaneously using multiple computing resources to perform a task or set of tasks.
Digital Forensics
Focuses on collection, examination, analysis, and reporting on electronically stored and/or processed data.
Digital evidence
Electronic Data of value to an investigation that is stored on, processed, received, or transmitted by an electronic device.
Timestamp
A digital record of the date and time an event occurred.
Time Offset
The difference between a system's local time and Coordinated Universal Time (UTC); forensic timelines are normalized to UTC so events from systems in different time zones can be correlated.
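Why the offset matters is easiest to see with events from several hosts. The script below is an added example, not part of the original card set; the hostnames, offsets and log events are constructed. It assumes each host logs in its local time and that the analyst recorded each host's UTC offset during acquisition (the offset in force at the time of the event, since it changes across daylight-saving boundaries).

```python
"""Normalize host timestamps to UTC before building an incident timeline.

Added example; not part of the original card set. Hostnames, offsets and
events are constructed. Each host is assumed to log in its local time with
the offset recorded during acquisition.
"""
from datetime import datetime, timedelta, timezone

# Offset of each host's local clock from UTC, as recorded at acquisition.
HOST_OFFSETS = {
    "web01": timedelta(hours=-5),  # US Eastern, standard time
    "db01": timedelta(hours=+2),   # Central European, summer time
    "vpn01": timedelta(hours=0),   # appliance already set to UTC
}

# Constructed events, each written in the host's own local time.
EVENTS = [
    ("web01", "2024-03-04 09:02:10", "sshd: Accepted publickey for deploy from 10.0.2.15"),
    ("db01", "2024-03-04 16:01:55", "mysqld: new connection from 10.0.2.15"),
    ("vpn01", "2024-03-04 14:00:40", "openvpn: client 203.0.113.7 assigned 10.0.2.15"),
]

LOCAL_FMT = "%Y-%m-%d %H:%M:%S"


def to_utc(host, local_ts):
    """Attach the host's recorded offset to a naive local timestamp, then convert to UTC."""
    naive = datetime.strptime(local_ts, LOCAL_FMT)
    aware = naive.replace(tzinfo=timezone(HOST_OFFSETS[host]))
    return aware.astimezone(timezone.utc)


def build_timeline(events):
    """Return (utc_time, host, message) tuples sorted into true event order."""
    rows = [(to_utc(host, ts), host, msg) for host, ts, msg in events]
    rows.sort(key=lambda r: r[0])
    return rows


def naive_order(events):
    """The order an analyst gets by sorting raw local timestamps: wrong across zones."""
    return [host for host, ts, _ in sorted(events, key=lambda e: e[1])]


if __name__ == "__main__":
    for t, host, msg in build_timeline(EVENTS):
        print(t.strftime("%Y-%m-%dT%H:%M:%SZ"), host, msg)
```

Sorted on raw local timestamps the SSH login on web01 appears first; after normalization the VPN connection that assigned the attacker's address comes first, then the database connection, then the SSH login, which is the sequence an investigator actually needs to explain.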
Chain of Custody
Process of tracking the movement of evidence through the evidence’s collection, preservation, and analysis.
Provenance
A record describing the origin and historical information about a piece of data.
Digital Evidence Acquisition
The process of collecting data relevant to a forensic investigation while preserving its integrity.
Forensic Artifact
Any data that may potentially be used as digital evidence.
Data Volatility
A measure of how long data is retained on an electronic component in the absence of power.
Order of Volatility
The sequence of data acquisition in a forensic investigation based on data volatility, most volatile first: CPU registers and cache, then RAM and running processes and network state, then disk, then backups and archival media.
Right-to-audit
A contract clause that grants one party the right to audit the records, operations, or processes of another party (for example, a customer auditing a cloud provider).
Data Jurisdiction
The legal and regulatory framework that determines which laws have jurisdiction over data.
Data Breach Notification
The process of informing individuals, organizations, or authorities when a data breach has occurred, possibly exposing sensitive or personal information.
Checksum
A fixed-length value derived from a block of data to detect accidental errors during storage or transmission. For forensic integrity a cryptographic hash such as SHA-256 is used instead of a simple checksum, because a simple checksum can be made to match a deliberately modified file.
File Carving
The process of identifying and recovering files in the absence of filesystem metadata by analyzing file formats in a storage medium's unallocated space.
File Signature or Magic Number
A sequence of bytes at a fixed position (usually the beginning) of a file that identifies its type, for example FF D8 FF for JPEG; forensic tools trust the signature over the file extension, which is trivially changed.
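The two cards above (checksum, and file carving by signature) fit together in practice: a carver scans raw bytes for known headers, cuts out everything up to the matching footer, and immediately hashes each recovered artifact so its integrity can be re-verified later in the chain of custody. The script below is an added example, not part of the original card set. The "disk image" is a constructed byte string containing filler, three tiny embedded files and one truncated header, so it runs offline; the JPEG, PNG and PDF signatures are the real ones, but this header/footer approach does not handle fragmented files the way a full carver does.

```python
"""Carve files from unallocated space by magic number and hash each artifact.

Added example; not part of the original card set. The image below is a
constructed byte string. Signatures for JPEG, PNG and PDF are the real ones.
"""
import hashlib

# (header, footer) byte sequences: the header is the file signature (magic
# number) at offset 0 of the file; the footer marks where the file ends.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def sha256_hex(data):
    """Cryptographic hash used as the integrity checksum for each artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data, recorded_hash):
    """Re-check an artifact against the hash recorded at acquisition time."""
    return sha256_hex(data) == recorded_hash


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan raw bytes for known headers and return carved artifacts in offset order."""
    found = []
    for ftype, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header))
            if end == -1:
                # Header with no footer: truncated or overwritten; not carved here.
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            if end - start <= max_size:
                data = image[start:end]
                found.append({
                    "type": ftype,
                    "offset": start,
                    "size": len(data),
                    "sha256": sha256_hex(data),  # recorded at carve time for chain of custody
                })
            start = image.find(header, end)
    found.sort(key=lambda r: r["offset"])
    return found


# Constructed unallocated-space image: filler, three tiny well-formed files,
# then a JPEG header whose body was overwritten before its footer.
FILLER = b"\x00" * 16
JPG = b"\xff\xd8\xff\xe0" + b"JFIF-data" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-data" + b"IEND\xaeB`\x82"
PDF = b"%PDF-1.4\n" + b"1 0 obj\n" + b"%%EOF"
TRUNCATED = b"\xff\xd8\xff\xe1" + b"no-footer"
UNALLOCATED = FILLER + JPG + FILLER + PNG + FILLER + PDF + FILLER + TRUNCATED

if __name__ == "__main__":
    for art in carve(UNALLOCATED):
        print(f'{art["type"]} @ {art["offset"]:>4} ({art["size"]} bytes) sha256={art["sha256"][:16]}...')
```

The truncated JPEG header at the end of the image is deliberately left uncarved: a header without its footer may be a partially overwritten file, and a carver that guesses its length would produce an artifact whose hash proves nothing. Recording the SHA-256 at carve time, and re-running verify_integrity before analysis and again before reporting, is what lets the chain-of-custody record demonstrate the artifact was not altered.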
E-discovery or Electronic Discovery
The process of identifying, preserving, collecting, and producing electronically stored information (ESI) in legal proceedings or investigations.