CompTIA Security+ Study Guide (SY0-501) Chapter 12: Disaster Recovery and Incident Response

Chapter 12: Disaster Recovery and Incident Response Explain penetration testing concepts Explain vulnerability scanning concepts Given a scenario, follow incident response procedures Summarize basic concepts of forensics Explain disaster recovery and continuity of operation concepts

Penetration Testing Penetration testing Steps in penetration testing Goal: to simulate an attack and look for holes that exist in order to be able to fix them Steps in penetration testing Verify a threat exists Bypass security controls Actively test security controls

Vulnerability Scanning Involves looking for weaknesses in networks, computers, or even applications Five major tasks Passively testing security controls Interpreting results Identifying vulnerability Identifying lack of security controls Identifying common misconfigurations

Business Continuity Business continuity planning (BCP) The process of implementing policies, controls and procedures to counteract the effects of losses, outages, or failures of critical business processes Critical business functions (CBFs) Two key components of BCP Business impact analysis (BIA) Risk assessment

Storage Mechanisms Working copy backups On-site storage Are partial or full backups that are kept at the computer center for immediate recovery purposes On-site storage Usually refers to a location on the site of the computer center that is used to store information locally

Chapter 12: Disaster Recovery and Incident Response The ability to recover system operations after a disaster Backups Are duplicate copies of key information, ideally stored in a location other than the one where the information is currently stored

Backup Plan Issues A disaster-recovery plan Helps an organization respond effectively when a disaster occurs Understanding backup plan issues Database systems User files Applications

Knowing Backup Types Full backup A complete, comprehensive backup of all files on a disk or server Incremental backup A partial backup that stores only the information that has been changed since the last full or the last incremental backup Differential backup Backs up any files that have been altered since the last full backup; it makes duplicate copies of files that haven’t changed since the last differential backup

Developing a Backup Plan Grandfather, Father, Son method Based on the philosophy that a full backup should occur at regular intervals, such as monthly or weekly Full Archival method Works on the assumption that any information created on any system is stored forever Backup Server method Establishes a server with large amounts of disk space whose sole purpose is to back up data

Chapter 12: Disaster Recovery and Incident Response Recovering a system Backout vs. backup Alternate or backup sites Hot site Warm site

Chapter 12: Disaster Recovery and Incident Response Incident response plan (IRP) Outlines what steps are needed and who is responsible for deciding how to handle a situation Incident Is the occurrence of any event that endangers a system or network Incident response Encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident

Incident Response Process Step 1: Identifying the incident Step 2: Investigating the incident Step 3: Repairing the damage Step 4: Documenting and reporting the response Step 5: Adjusting procedures

Forensics from the Security+ Perspective Act in order of volatility Capture system image Document network traffic and logs Capture video Record time offset Take hashes Capture screenshots Talk to witnesses Track man-hours and expenses

Chapter 12: Disaster Recovery and Incident Response Table-top exercises Simulate disaster