Active Logging
Maintaining active logs regarding the reconnaissance activities conducted by the attacker
After-Action Report
A report to analyze the exercise results with the purpose of identifying strengths to be maintained and weaknesses to be addressed for improvement
Alternative Business Practices
Workaround activities that can temporarily substitute for normal business activities
Alternative Processing Site
A different location to be used for processing data
Backup Utilities
Software that can be used for performing backups
Business Continuity
The ability of an organization to maintain its operations and services in the face of a disruptive event
Capture Video
Using a video camera to clearly document the entire process of a forensics investigation
Capturing the System Image
Taking a snapshot of the current state of the computer that contains all current settings and data
Chain of Custody
A process of documentation that shows that the evidence was always under strict control and no unauthorized individuals were given the opportunity to corrupt the evidence
Cold Site
A remote site that provides office space; the customer must provide and install all the equipment needed to continue operations
Containment
An action step in the incident response process that involves limiting the damage of the incident and isolating those systems that are impacted to prevent further damage
Cyber-Incident Response Team
A group responsible for responding to security incidents
Data Backup
The process of copying information to a different medium and storing it at an off-site location so that it can be used in the event of a disaster
Data Sovereignty
The concept that data stored in a digital format is subject to the laws of the country in which the storage facility resides
Differential Backup
A backup that copies any data that has changed since the last full backup, so each differential grows until the next full backup is taken
Disaster Recovery Plan (DRP)
A written document that details the process for restoring IT resources following an event that causes a significant disruption in service
Distance
A factor in the location selection of an off-site backup
Documented Incident Definitions
An outline that defines in detail what is and is not an incident that requires a response
Electromagnetic Interference (EMI)
Electromagnetic fields emitted from technology devices that can result in interference
Electromagnetic Pulse (EMP)
A short-duration burst of electromagnetic energy that can disrupt or damage electronic equipment
Eradication
An action step in the incident response process that involves finding and removing the cause of the incident and temporarily taking offline any systems that may be causing damage
Exercises
Simulated attack activities
Failover
Moving data input and output processes from the primary location to the alternative processing site
Faraday Cage
A metallic enclosure that prevents the entry or escape of an electromagnetic field
Fault Tolerance
A system’s ability to continue operating correctly when one or more of its components malfunction
Fire Suppression
Attempts to reduce the impact of a fire
Forensics (Forensic Science)
The application of science to questions that are of interest to the legal profession
Full Backup
The starting point for all backups that copies the entire set of data
High Availability
The property of a system that can function for an extended period of time with little downtime
Hot Aisle/Cold Aisle
A layout in a data center that can be used to reduce heat by managing air flow
Hot Site
A duplicate of the production site that has all the equipment needed for an organization to continue running, including office space and furniture, telephone jacks, computer equipment, and a live telecommunications link
Identification of Critical Systems
Distinguishing important functions that make up the mission-essential functions in an organization
Impact on Finance
The impact of a loss of monetary funding on business operations
Impact on Life
The impact on human wellbeing
Impact on Property
The impact of a loss of tangible assets on business operations
Impact on Reputation
The impact of a loss of status on business operations
Impact on Safety
The impact of a loss of physical protection on business operations
Incident Response Plan (IRP)
A set of written instructions for reacting to a security incident
Incident Response Process
Action steps to be taken when an incident occurs
Incremental Backup
A backup that copies any data that has changed since the last full backup or the last incremental backup, whichever is more recent
Legal Hold
A notification sent from the legal team to employees instructing them not to delete electronically stored information or paper documents that may be relevant to an incident
Legal Implications
The legal consequences of storing backups off-site, such as the data sovereignty rules that apply at the storage location
Lessons Learned
An action step in the incident response process that involves completing incident documentation and performing detailed analysis to increase security and improve future response efforts
Location Selection
A consideration of where an off-site backup should be stored
Mean Time Between Failures (MTBF)
A statistical value that is the average time between failures of a repairable component; the average time until a component fails permanently and must be replaced is more precisely its mean time to failure (MTTF)
Mean Time to Recovery (MTTR)
The average time needed to repair a device and return it to service after a failure that is not a terminal failure
Mission-Essential Function
The activity that serves as the core purpose of the enterprise
Network Traffic Logs
Recorded information about any network activity used in a forensics investigation
Off-Site Backup
A backup stored at a location different from the primary site
Order of Restoration
The sequence in which different systems are reinstated
Order of Volatility
The sequence in which volatile data must be preserved in a computer forensic investigation, collecting the most short-lived data first (CPU registers and cache, then memory, network state, and running processes) before disk and archival media
Preparation
An action step in the incident response process that involves equipping IT staff, management, and users to handle potential incidents when they arise
Preservation of the Evidence
Ensuring the important proof is not destroyed
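The three forensic entries above (capturing the system image, chain of custody, and preservation of the evidence) come together in practice as a hash recorded at acquisition plus an append-only custody record with UTC timestamps. The following is an added example, not part of the original glossary; the image bytes, evidence identifier and analyst names are constructed sample data.

```python
"""Chain of custody for a captured system image.

Added example (not from the original glossary): hash the image at
acquisition, log every handoff with a UTC timestamp, and re-verify the
hash before analysis so that any alteration is detected. The image
bytes, evidence ID and analyst names are constructed sample data."""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Content hash recorded at acquisition and checked on every verification."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of who held an item of evidence, what they did, and when."""

    def __init__(self, evidence_id: str, image: bytes, acquired_by: str, when: datetime):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(image)
        self.entries = []
        self.record(acquired_by, "acquired and hashed", when)

    def record(self, handler: str, action: str, when: datetime) -> None:
        # Timestamps are normalised to UTC: the local time offset is applied
        # here so entries recorded in different time zones sort correctly.
        if when.tzinfo is None:
            raise ValueError("custody timestamps must carry a UTC offset")
        self.entries.append({
            "handler": handler,
            "action": action,
            "time_utc": when.astimezone(timezone.utc).isoformat(),
        })

    def verify(self, image: bytes) -> bool:
        """True only if the image is byte-for-byte what was acquired."""
        return sha256_hex(image) == self.acquisition_hash


# Constructed stand-in for a disk image; a real one would be read from the capture file.
SAMPLE_IMAGE = b"constructed sample image: MBR + filesystem bytes"


def build_demo_log() -> CustodyLog:
    """Acquisition at 09:00 UTC, then a handoff logged at 12:30 local time in a UTC-5 zone."""
    log = CustodyLog("EV-2024-001", SAMPLE_IMAGE, "analyst A",
                     datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc))
    local_minus_5 = timezone(timedelta(hours=-5))
    log.record("analyst B", "received for analysis",
               datetime(2024, 3, 1, 12, 30, tzinfo=local_minus_5))
    return log


if __name__ == "__main__":
    log = build_demo_log()
    for entry in log.entries:
        print(entry)
    print("image intact:", log.verify(SAMPLE_IMAGE))
    print("after one changed byte:", log.verify(SAMPLE_IMAGE[:-1] + b"X"))
```

The handoff recorded at 12:30 local time appears in the log as 17:30 UTC, which is the time offset entry applied in the direction an investigator needs: local time plus the zone's offset to UTC. A single altered byte in the image makes `verify` return False, which is the check to run before any analysis begins.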
Privacy Impact Assessment
Part of a BIA that is used to identify and mitigate privacy risks in a system that handles personally identifiable information
Privacy Threshold Assessment
Part of a BIA that is used to determine if a system contains PII, whether a privacy impact assessment is required, and if any other privacy requirements apply to the IT system
RAID (Redundant Array of Independent Drives)
A technology that uses multiple hard disk drives for increased reliability and performance
Recovery
An action step in the incident response process that involves restoring affected systems to normal operation and confirming that they are functioning correctly
Recovery Point Objective (RPO)
The maximum amount of data loss, measured as a length of time, that an organization can tolerate; in practice, the maximum acceptable interval between backups
Recovery Time Objective (RTO)
The maximum length of time an organization can tolerate for restoring data and services after a disruption
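The backup entries above (full, differential and incremental) and the two objectives (RPO and RTO) are easiest to see together: the backup type decides how many sets must be applied on restore, and the time of the last usable set decides how much data is lost. The following is an added example, not part of the original glossary; the backup catalog is constructed sample data.

```python
"""Restore chain and RPO check for full, differential and incremental backups.

Added example (not from the original glossary). The backup catalog is
constructed sample data: a weekly full backup followed by daily
differential or incremental backups."""
from datetime import datetime, timedelta


def restore_chain(catalog, restore_point):
    """Return the backup sets to apply, in order, to rebuild data as of restore_point.

    catalog: list of (taken_at, kind) in chronological order, where kind is
    "full", "differential" or "incremental".
    """
    usable = [b for b in catalog if b[0] <= restore_point]
    full_indexes = [i for i, (_, kind) in enumerate(usable) if kind == "full"]
    if not full_indexes:
        raise ValueError("no full backup before the restore point; nothing to restore")
    last_full = full_indexes[-1]
    chain = [usable[last_full]]
    for backup in usable[last_full + 1:]:
        if backup[1] == "differential":
            # A differential holds everything changed since the full, so it
            # supersedes every differential or incremental taken before it.
            chain = [usable[last_full], backup]
        else:
            # An incremental holds only changes since the previous backup, so
            # every incremental after the full (or the last differential) is needed.
            chain.append(backup)
    return chain


def restore_plan(catalog, restore_point, rpo_hours):
    """Restore chain plus the data-loss window and whether it fits within the RPO."""
    chain = restore_chain(catalog, restore_point)
    data_loss = restore_point - chain[-1][0]
    return {
        "sets_to_apply": [(t.isoformat(), kind) for t, kind in chain],
        "data_loss_hours": data_loss / timedelta(hours=1),
        "rpo_met": data_loss <= timedelta(hours=rpo_hours),
    }


def weekly_catalog(daily_kind):
    """Constructed catalog: full backup Sunday 02:00, then one daily_kind backup each day."""
    full_time = datetime(2024, 3, 3, 2, 0)
    return [(full_time, "full")] + [
        (full_time + timedelta(days=d), daily_kind) for d in range(1, 7)
    ]


# Constructed catalog mixing both daily types after the weekly full.
MIXED_CATALOG = [
    (datetime(2024, 3, 3, 2, 0), "full"),
    (datetime(2024, 3, 4, 2, 0), "incremental"),
    (datetime(2024, 3, 5, 2, 0), "differential"),
    (datetime(2024, 3, 6, 2, 0), "incremental"),
]

RESTORE_POINT = datetime(2024, 3, 7, 10, 0)  # Thursday 10:00, after the 02:00 backup


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        plan = restore_plan(weekly_catalog(kind), RESTORE_POINT, rpo_hours=24)
        print(kind, "->", len(plan["sets_to_apply"]), "sets,",
              plan["data_loss_hours"], "hours of data loss, RPO met:", plan["rpo_met"])
```

With the same daily schedule, a differential strategy restores in two sets while an incremental one needs the full plus every incremental since it, which is the trade-off between backup size and restore time (and therefore RTO). The data-loss window, eight hours here, is the same for both strategies because it depends only on when the last backup ran, which is what the RPO constrains.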
Redundancy
The use of duplicated equipment to improve the availability of the system
Reporting Requirements/Escalation
A process for indicating to whom information should be distributed and at what point the security event has escalated to the degree that specific actions should be implemented
Roles and Responsibilities
Clearly designated duties of the members of a cyber-incident response team
Screenshot
Capturing the current image on the screen in a forensic investigation
Single Point of Failure
A component or entity in a system which, if it no longer functions, would adversely affect the entire system
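The MTBF, MTTR, redundancy and single point of failure entries above combine into one calculation: a component's availability is MTBF / (MTBF + MTTR), components a system depends on in series multiply their availabilities, and redundant components in parallel fail together only if all of them fail. The following is an added example, not part of the original glossary; the component figures and the two designs are constructed sample values, not vendor data.

```python
"""Availability from MTBF and MTTR, and why single points of failure dominate it.

Added example (not from the original glossary). Component figures are
constructed sample values, not vendor data."""
from math import prod

HOURS_PER_YEAR = 8760


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one repairable component."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series_availability(avails) -> float:
    """Every component must be up: a chain of dependencies."""
    return prod(avails)


def parallel_availability(avails) -> float:
    """At least one redundant component must be up."""
    return 1.0 - prod(1.0 - a for a in avails)


def system_availability(stages) -> float:
    """stages: list of stages in series; each stage is a list of
    (name, mtbf_hours, mttr_hours) tuples that are redundant with each other."""
    return series_availability(
        parallel_availability([availability(m, r) for _, m, r in stage]) for stage in stages
    )


def single_points_of_failure(stages):
    """A stage with exactly one component takes the whole system down when it fails."""
    return [stage[0][0] for stage in stages if len(stage) == 1]


def downtime_hours_per_year(avail: float) -> float:
    return (1.0 - avail) * HOURS_PER_YEAR


# Constructed design: one core switch, two web servers, one database.
DESIGN_A = [
    [("core-switch", 50_000, 4)],
    [("web-1", 10_000, 8), ("web-2", 10_000, 8)],
    [("db-primary", 20_000, 12)],
]
# The same design after pairing the switch and adding a standby database.
DESIGN_B = [
    [("core-switch-1", 50_000, 4), ("core-switch-2", 50_000, 4)],
    [("web-1", 10_000, 8), ("web-2", 10_000, 8)],
    [("db-primary", 20_000, 12), ("db-standby", 20_000, 12)],
]


if __name__ == "__main__":
    for label, design in (("A", DESIGN_A), ("B", DESIGN_B)):
        a = system_availability(design)
        print(f"design {label}: availability {a:.6f}, "
              f"downtime {downtime_hours_per_year(a):.2f} h/year, "
              f"single points of failure {single_points_of_failure(design)}")
```

The model is the usual independent-failure approximation: it ignores common-mode failures (shared power, a bad firmware pushed to both switches) and assumes failover itself is instant and reliable, so the parallel figures are an upper bound. The useful output is less the absolute number than the comparison: in design A the two single points of failure account for almost all the yearly downtime, and pairing them removes most of it even though the web tier was already redundant.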
Snapshot
1. A backup composed of a series of “reference markers” of the data at a specific point in time 2. An image of a virtual machine
Strategic Counterintelligence
An in-depth application of strategic intelligence that involves gaining information about the attacker’s intelligence collection capabilities
Strategic Intelligence
The collection, processing, analysis, and dissemination of intelligence for forming policy changes
Tabletop Exercises
Exercises that simulate an emergency situation but in an informal and stress-free environment
Time Offset
The amount of time added to or subtracted from UTC to arrive at the current local time
Track Man Hours
Recording the time spent by personnel on a forensics investigation
Warm Site
A remote site that has office space and computer equipment installed but not an active telecommunications link or current backups of data; data must be restored and links activated before operations can resume
Witness Interviews
Speaking with those present who saw the event or had access to the system in question