75 Cards in this Set
What is the main difference between the two approaches to Incident Response?
|
Cost
|
|
The two approaches to Incident Response are: _____ and _____ as well as Apprehend and Prosecute.
|
Protect and Forget
|
|
The two approaches to Incident Response are: Protect and Forget as well as _____ and _____.
|
Apprehend and Prosecute
|
|
Detection, logging, and analysis of events are steps for which approach to Incident Response?
|
Both Protect and Forget & Apprehend and Prosecute
|
|
Recover and prevent recurrence are steps for which approach to Incident Response?
|
Both Protect and Forget & Apprehend and Prosecute
|
|
Identifying and apprehending the intruder are steps for which approach to Incident Response?
|
Apprehend and prosecute
|
|
Preserving potential evidence for prosecution are steps for which approach to Incident Response?
|
Apprehend and prosecute
|
|
The steps "figure out the vulnerability > patch > move on" are most closely related to which approach to Incident Response?
|
Protect and forget
|
|
The steps involving forensics, chain of evidence, and preservation of evidence are most closely related to which approach to Incident Response?
|
Apprehend and prosecute
|
|
Disabling compromised user accounts is a _____.
|
Incident containment strategy
|
|
Reconfiguring a firewall to block the problem traffic is a _____.
|
Incident containment strategy
|
|
Temporarily disabling the compromised process or service is a _____.
|
Incident containment strategy
|
|
Taking down the conduit application or server is a _____.
|
Incident containment strategy
|
|
Stopping all computers and network devices is a _____ (the most drastic option).
|
Incident containment strategy
|
|
Containment strategies focus on two tasks: _____ the _____ and Recovering control of the affected systems.
|
Stopping the incident
|
|
Containment strategies focus on two tasks: Stopping the incident and _____ _____ of the _____ _____.
|
Recovering control of the affected systems
|
|
The four steps in the recovery phase following an incident are: _____ and _____ _____, Restore Data, Restore Services and Processes, Restore Confidence Across the Organization.
|
Identify and Resolve Vulnerabilities
|
|
The four steps in the recovery phase following an incident are: Identify and Resolve Vulnerabilities, Restore _____, Restore Services and Processes, Restore Confidence Across the Organization.
|
Data
|
|
The four steps in the recovery phase following an incident are: Identify and Resolve Vulnerabilities, Restore Data, Restore _____ and _____, Restore Confidence Across the Organization.
|
Services and Processes
|
|
The four steps in the recovery phase following an incident are: Identify and Resolve Vulnerabilities, Restore Data, Restore Services and Processes, Restore _____ _____ the _____.
|
Confidence Across the Organization
|
|
Documenting the lessons learned and generating IR plan improvements is one of the things a _____ provides.
|
AAR (After-Action Review)
|
|
A historical record of events, usable in possible legal proceedings, is one of the things a _____ provides.
|
AAR (After-Action Review)
|
|
Becoming a case training tool is one of the things a _____ provides.
|
AAR (After-Action Review)
|
|
Providing closure to the incident is one of the things a _____ provides.
|
AAR (After-Action Review)
|
|
Business resumption (BR) plan consists of a _____ _____ plan and Business continuity (BC) plan.
|
Disaster recovery (DR)
|
|
Business resumption (BR) plan consists of a Disaster recovery (DR) plan and _____ _____ plan.
|
Business continuity (BC)
|
|
Lists and describes the efforts to resume normal operations at the primary places of business.
|
Disaster Recovery Plan (DRP)
|
|
Steps for implementing critical business functions using alternate mechanisms until normal operations can be resumed at the primary site or elsewhere on a permanent basis
|
Business Continuity Plan (BCP)
|
|
Which of the five procedural mechanisms in restoration and continuation of business involves backup and storage of data?
|
Delayed protection
|
|
Which of the five procedural mechanisms in restoration and continuation of business involves RAID, Mirroring and redundancies?
|
Real-time protection
|
|
Which of the five procedural mechanisms in restoration and continuation of business involves Bare Metal?
|
Server recovery
|
|
Which of the five procedural mechanisms in restoration and continuation of business involves a primary application failing and a secondary taking over? (Hint: Look for the word, Application)
|
Application Recovery
|
|
Which of the five procedural mechanisms in restoration and continuation of business involves Bulk data transfers, Remote journaling, and Database/Databank shadowing? (Hint: Look for the word, Site)
|
Site Recovery
|
|
A complete backup of the entire system, including all applications, operating systems components, and data.
|
Full Backup
|
|
The storage of all files that have changed or been added since the last full backup.
|
Differential Backup
|
|
A backup that archives only the files modified since the last backup of any type (typically those modified that day), and thus requires less space and time to create than a differential backup.
|
Incremental Backup
|
|
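The three backup cards above describe what each backup type copies but not what that means for storage and for restoration. The following Python simulation is an added example, not part of the original flashcard set; it uses a constructed five-day modification history for four files (an assumption, not data from the page) and shows that incremental backups store the fewest copies while differential backups restore from the fewest pieces, and what happens when one incremental in the chain is lost.

```python
"""Added example (not from the original flashcards): simulate full,
differential and incremental backups over a constructed five-day file history
and compare what each backup copies and which backups a restore needs."""

# Constructed history: path -> days on which the file was modified.
# Day 0 is when the full backup is taken.
CHANGES = {
    "/etc/passwd": [0, 2],
    "/var/log/auth.log": [0, 1, 2, 3, 4],
    "/home/alice/notes.txt": [0, 3],
    "/srv/db/data.db": [0, 1, 4],
}


def version_at(path, day):
    """Modification day of the copy a backup taken on `day` would capture."""
    return max(d for d in CHANGES[path] if d <= day)


def take_backup(kind, day, since):
    """Copy every file modified after `since` up to and including `day`.
    Returns (kind, day, {path: version}); a full backup uses since=-1."""
    copied = {p: version_at(p, day) for p in sorted(CHANGES)
              if any(since < d <= day for d in CHANGES[p])}
    return (kind, day, copied)


def plan(strategy, full_day=0, last_day=4):
    """Full backup on full_day, then one `strategy` backup per following day.
    differential: the reference point is always the last full backup.
    incremental: the reference point is the previous backup of any kind."""
    backups = [take_backup("full", full_day, -1)]
    prev = full_day
    for day in range(full_day + 1, last_day + 1):
        since = full_day if strategy == "differential" else prev
        backups.append(take_backup(strategy, day, since))
        prev = day
    return backups


def restore_chain(backups):
    """Backups that must be applied, in order, to reach the latest state."""
    if backups[-1][0] == "differential":
        return [backups[0], backups[-1]]   # full plus the newest differential
    return list(backups)                   # full plus every incremental


def restore(backups):
    """Replay backups in order; a later copy of a file overrides an earlier one."""
    state = {}
    for _, _, copied in backups:
        state.update(copied)
    return state


def storage_cost(backups):
    """Total number of file copies held across the backup set."""
    return sum(len(copied) for _, _, copied in backups)


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        backups = plan(strategy)
        for kind, day, copied in backups:
            print(f"day {day} {kind:<12} copies {sorted(copied)}")
        print(f"{strategy}: {storage_cost(backups)} file copies stored, "
              f"{len(restore_chain(backups))} backups needed to restore\n")
```

Both strategies restore the same final versions, but the incremental chain is only as good as its weakest tape: removing the day-2 incremental silently leaves `/etc/passwd` at its day-0 version, which is why incremental sets need every member verified before they are relied on.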
Which RAID level provides no redundancy and so is not helpful for fault tolerance in production environments?
|
RAID 0
|
|
Which RAID level is used for mirroring and disk duplexing?
|
RAID 1
|
|
Which RAID level is most commonly used in production environments and supports hot-swappable drives?
|
RAID 5
|
|
The bulk transfer of data in batches to an off-site facility is called _____ _____.
|
electronic vaulting
|
|
Transferring data to server archives offsite (vaults) is called _____ _____
|
electronic vaulting
|
|
Freebie: The purpose of the DRP
|
True
|
|
Fully configured computer facility
|
Hot site
|
|
Duplicates computing resources, peripherals, phone systems, applications, and workstations
|
Hot site
|
|
Can be 24/7 if desired
|
Hot site
|
|
Can be a mirrored site that is identical to the primary site
|
Hot site
|
|
Provides some of the same services and options as a hot site
|
Warm site
|
|
May include computing equipment and peripherals but not workstations
|
Warm site
|
|
Has access to data backups or off-site storage
|
Warm site
|
|
Lower cost than a hot site, but takes more time to be fully functional
|
Warm site
|
|
Provides only rudimentary services and facilities
|
Cold site
|
|
No computer hardware or software is provided
|
Cold site
|
|
Communications services must be installed when the site is occupied
|
Cold site
|
|
Often no quick recovery or data duplication functions on site
|
Cold site
|
|
Primary advantage is cost
|
Cold site
|
|
Leased site shared with other organizations
|
Timeshare
|
|
Possibility that more than one organization might need the facility simultaneously
|
Timeshare
|
|
Service agency that provides physical facilities in the event of a disaster
|
Service bureaus
|
|
May provide off-site data storage
|
Service bureaus
|
|
Contract between two organizations to provide mutual assistance in the event of a disaster
|
Mutual agreement
|
|
Each organization is obligated to provide facilities, resources, and services to the other
|
Mutual agreement
|
|
Good for divisions of the same parent company, between business partners, or when both parties have similar capabilities and capacities
|
Mutual agreement
|
|
A memorandum of agreement (MOA) should be drawn up with specific details
|
Mutual agreement
|
|
Balances safety and redundancy against costs
|
RAID Level 5
|
|
Stripes data across multiple drives
|
RAID Level 5
|
|
Parity is interleaved with data segments on all drives
|
RAID Level 5
|
|
Hot-swappable: drives can be replaced without shutting down the system
|
RAID Level 5
|
|
Uses twin drives in a system
|
RAID Level 1 (disk mirroring)
|
|
All data written to one drive is written to the other simultaneously
|
RAID Level 1 (disk mirroring)
|
|
Is expensive and is an inefficient use of disk space
|
RAID Level 1 (disk mirroring)
|
|
Vulnerable to a disk controller failure
|
RAID Level 1 (disk mirroring)
|
|
Disk duplexing: mirroring with dual disk controllers
|
RAID Level 1 (disk mirroring)
|
|
Not redundant
|
RAID Level 0 (disk striping without parity)
|
|
Spreads data across several drives in segments called stripes
|
RAID Level 0 (disk striping without parity)
|
|
Failure of one drive may make all data inaccessible
|
RAID Level 0 (disk striping without parity)
|
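The RAID cards (both the three short ones earlier in the set and the RAID 5 / RAID 1 / RAID 0 cards above) state that RAID 0 loses everything on one drive failure, RAID 1 keeps a second copy, and RAID 5 interleaves parity across all drives. The following Python simulation is an added example, not part of the original flashcard set; it models each drive as a list of fixed-size blocks (a 4-byte block size is an assumption chosen for readability) and shows at the byte level which arrays still return the data after a single drive is marked failed, and why RAID 5's single parity block cannot cover two failures.

```python
"""Added example (not from the original flashcards): a byte-level simulation of
RAID 0 (striping, no redundancy), RAID 1 (mirroring) and RAID 5 (striping with
rotating XOR parity) showing what survives a single drive failure.
All data is constructed; drive contents are lists of fixed-size blocks."""
CHUNK = 4  # assumed block size in bytes, kept tiny so the layout is readable


class DataLoss(Exception):
    """Raised when the surviving drives cannot reproduce the stored data."""


def split(data, size=CHUNK):
    """Pad data to a multiple of the block size and cut it into blocks."""
    data += b"\0" * (-len(data) % size)
    return [data[i:i + size] for i in range(0, len(data), size)]


def xor(*blocks):
    """Bytewise XOR of equal-length blocks; this is RAID 5's parity function."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def fail(drives, index):
    """Return a copy of the array with one drive marked as failed (None)."""
    return [None if i == index else d for i, d in enumerate(drives)]


def try_read(read, drives, n_bytes):
    """Return the recovered data, or None when the array reports data loss."""
    try:
        return read(drives, n_bytes)
    except DataLoss:
        return None


def raid0_write(data, n):
    """RAID 0: blocks are dealt round-robin across n drives; no parity, no copy."""
    drives = [[] for _ in range(n)]
    for i, blk in enumerate(split(data)):
        drives[i % n].append(blk)
    return drives


def raid0_read(drives, n_bytes):
    n = len(drives)
    if any(d is None for d in drives):
        raise DataLoss("RAID 0: every stripe spans all drives, one failure loses all")
    total = sum(len(d) for d in drives)
    return b"".join(drives[i % n][i // n] for i in range(total))[:n_bytes]


def raid1_write(data):
    """RAID 1: every block is written to both drives of the pair."""
    blocks = split(data)
    return [list(blocks), list(blocks)]


def raid1_read(drives, n_bytes):
    survivors = [d for d in drives if d is not None]
    if not survivors:
        raise DataLoss("RAID 1: both mirrors failed")
    return b"".join(survivors[0])[:n_bytes]


def raid5_write(data, n):
    """RAID 5 (n >= 3): each stripe row holds n-1 data blocks plus one parity
    block, and the parity position rotates so it is interleaved on all drives."""
    blocks = split(data)
    drives = [[] for _ in range(n)]
    for row, start in enumerate(range(0, len(blocks), n - 1)):
        stripe = blocks[start:start + n - 1]
        stripe += [bytes(CHUNK)] * (n - 1 - len(stripe))  # pad the final row
        parity_drive = row % n
        data_blocks = iter(stripe)
        for d in range(n):
            drives[d].append(xor(*stripe) if d == parity_drive else next(data_blocks))
    return drives


def raid5_read(drives, n_bytes):
    """Rebuild a single failed drive from the XOR of the others, row by row."""
    n = len(drives)
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise DataLoss("RAID 5: single parity block cannot cover two failures")
    rows = len(next(d for d in drives if d is not None))
    out = []
    for row in range(rows):
        cells = [None if d is None else d[row] for d in drives]
        if failed:
            cells[failed[0]] = xor(*(c for c in cells if c is not None))
        out += [cells[d] for d in range(n) if d != row % n]  # skip the parity cell
    return b"".join(out)[:n_bytes]


if __name__ == "__main__":
    data = b"incident response evidence"  # constructed payload
    for name, drives, read in (("RAID 0", raid0_write(data, 3), raid0_read),
                               ("RAID 1", raid1_write(data), raid1_read),
                               ("RAID 5", raid5_write(data, 4), raid5_read)):
        print(name, "after losing drive 0:", try_read(read, fail(drives, 0), len(data)))
```

The rotation `parity_drive = row % n` is what the "parity is interleaved with data segments on all drives" card refers to: with a fixed parity drive (RAID 4) every write would hit that one drive, whereas rotating it spreads the parity writes evenly. The simulation also makes the cost of each level visible: RAID 1 stores two copies of every block, RAID 5 stores one parity block per n-1 data blocks, and RAID 0 stores nothing extra and recovers nothing.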