CH 12

This chapter discusses disaster recovery and incident response concepts including penetration testing, vulnerability scanning, business continuity planning, backup types and plans, incident response processes, and forensic procedures from a Security+ perspective. Key areas covered are penetration testing steps, vulnerability scanning tasks, critical business functions in business continuity planning, backup plan issues, and the 5-step incident response process.

Uploaded by Chirag

CompTIA Security+ Study Guide (SY0-501)
Chapter 12: Disaster Recovery and Incident Response
• Explain penetration testing concepts
• Explain vulnerability scanning concepts
• Given a scenario, follow incident response procedures
• Summarize basic concepts of forensics
• Explain disaster recovery and continuity of operation concepts
Penetration Testing
• Penetration testing
– Goal: to simulate an attack and look for holes that exist in order to be able to fix them
• Steps in penetration testing
– Verify a threat exists
– Bypass security controls
– Actively test security controls
Vulnerability Scanning
• Vulnerability scanning
– Involves looking for weaknesses in networks, computers, or even applications
• Five major tasks
– Passively testing security controls
– Interpreting results
– Identifying vulnerabilities
– Identifying lack of security controls
– Identifying common misconfigurations
Business Continuity
• Business continuity planning (BCP)
– The process of implementing policies, controls and procedures to counteract the effects of losses, outages, or failures of critical business processes
• Critical business functions (CBFs)
• Two key components of BCP
– Business impact analysis (BIA)
– Risk assessment
Storage Mechanisms
• Working copy backups
– Are partial or full backups that are kept at the computer center for immediate recovery purposes
• On-site storage
– Usually refers to a location on the site of the computer center that is used to store information locally
Chapter 12: Disaster Recovery and Incident Response
• Disaster recovery
– The ability to recover system operations after a disaster
• Backups
– Are duplicate copies of key information, ideally stored in a location other than the one where the information is currently stored
Backup Plan Issues
• A disaster-recovery plan
– Helps an organization respond effectively when a disaster occurs
• Understanding backup plan issues
– Database systems
– User files
– Applications
Knowing Backup Types
• Full backup
– A complete, comprehensive backup of all files on a disk or server
• Incremental backup
– A partial backup that stores only the information that has been changed since the last full or the last incremental backup
• Differential backup
– Backs up any files that have been altered since the last full backup; it makes duplicate copies of files that haven’t changed since the last differential backup
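The three backup types differ in what each nightly set contains and, more importantly for recovery, in how many sets a restore has to replay. The following added example (not code from the study guide) simulates a Monday full backup followed by Tuesday to Thursday nightly backups under both the incremental and the differential strategy, then derives the restore chain for each. The file names and modification days are constructed sample data.

```python
# Added example: simulate full, incremental and differential backups and
# derive the restore chain each strategy needs. Not code from the study guide.

# Constructed sample: file name -> day it was last modified.
# day 0 = Monday (the full backup), days 1-3 = Tue-Thu (nightly backups).
FILES_MODIFIED_ON = {
    "payroll.db": 0,
    "report.docx": 1,
    "photos.zip": 1,
    "config.ini": 2,
    "notes.txt": 3,
}


def simulate(files, full_day, days, mode):
    """Return {day: sorted file names} for a full backup on full_day followed
    by one nightly backup per entry in days, using the named strategy."""
    if mode not in ("incremental", "differential"):
        raise ValueError("mode must be 'incremental' or 'differential'")
    plan = {full_day: sorted(files)}      # full: every file, changed or not
    last_backup_day = full_day
    for day in days:
        if mode == "incremental":
            # Only files changed since the previous backup of any kind,
            # so each nightly set stays small.
            chosen = [n for n, mod in files.items() if last_backup_day < mod <= day]
            last_backup_day = day
        else:
            # Everything changed since the last FULL backup, so each
            # differential set grows until the next full is taken.
            chosen = [n for n, mod in files.items() if full_day < mod <= day]
        plan[day] = sorted(chosen)
    return plan


def restore_chain(plan, full_day, target_day, mode):
    """Backup sets that must be restored, in order, to rebuild target_day."""
    if target_day == full_day:
        return [full_day]
    if mode == "incremental":
        # Full, then every incremental up to the target, in sequence;
        # one missing or damaged tape breaks the chain.
        return [full_day] + [d for d in sorted(plan) if full_day < d <= target_day]
    # Differential: the full plus the single latest differential.
    return [full_day, target_day]


def restored_files(plan, chain):
    """Union of the restored sets; must equal the live file set on target day."""
    out = set()
    for day in chain:
        out.update(plan[day])
    return sorted(out)


if __name__ == "__main__":
    for mode in ("incremental", "differential"):
        plan = simulate(FILES_MODIFIED_ON, 0, [1, 2, 3], mode)
        chain = restore_chain(plan, 0, 3, mode)
        print(mode, {d: len(v) for d, v in plan.items()}, "restore:", chain)
```

Running it shows the trade-off the slide describes: the incremental plan writes 2, 1 and 1 files on the three nights but needs all four sets to restore Thursday, while the differential plan writes 2, 3 and 4 files and restores from just the full plus Thursday's set.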
Developing a Backup Plan
• Grandfather, Father, Son method
– Based on the philosophy that a full backup should occur at regular intervals, such as monthly or weekly
• Full Archival method
– Works on the assumption that any information created on any system is stored forever
• Backup Server method
– Establishes a server with large amounts of disk space whose sole purpose is to back up data
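The Grandfather, Father, Son method is easiest to see as a calendar rule that assigns each backup day to a tape tier with its own reuse period. The added example below (not code from the study guide) implements one common reading of that rotation: the last calendar day of the month is the monthly "grandfather" set kept for a year, Fridays are the weekly "father" set reused the following month, Monday to Thursday are the daily "son" set reused the following week, and weekends have no backup. The exact schedule is an assumption for illustration; organisations tune it to their own retention needs.

```python
# Added example: assign backup days to Grandfather/Father/Son tape tiers and
# count the tapes a year of rotation needs. The schedule is an assumption,
# not a rule from the study guide.
import calendar
from datetime import date, timedelta


def gfs_label(d):
    """Return (tier, tape_name) for backup day d.

    Assumed rotation: last day of the month -> grandfather (monthly, kept a
    year); Friday -> father (weekly, reused next month); Mon-Thu -> son
    (daily, reused next week); Saturday/Sunday -> no backup."""
    last_day = calendar.monthrange(d.year, d.month)[1]
    if d.day == last_day:
        return ("grandfather", f"month-{d:%Y-%m}")
    if d.weekday() == 4:                           # Friday
        week_of_month = (d.day - 1) // 7 + 1        # 1..5
        return ("father", f"week-{week_of_month}")
    if d.weekday() >= 5:                           # weekend: no run
        return ("none", None)
    return ("son", f"daily-{d:%a}")                # daily-Mon .. daily-Thu


def tape_inventory(year):
    """Distinct tape names needed to run the rotation for a whole year."""
    names = set()
    d = date(year, 1, 1)
    while d.year == year:
        _tier, name = gfs_label(d)
        if name:
            names.add(name)
        d += timedelta(days=1)
    return sorted(names)


if __name__ == "__main__":
    for day in (date(2024, 1, 10), date(2024, 1, 12), date(2024, 1, 31)):
        print(day, gfs_label(day))
    print(len(tape_inventory(2024)), "tapes for 2024")
```

Because son and father tapes are reused, a full year needs only 4 daily tapes, up to 5 weekly tapes (a month can have a fifth Friday) and 12 monthly tapes, 21 in total, while still giving a year of monthly restore points.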
Chapter 12: Disaster Recovery and Incident Response
• Recovering a system
• Backout vs. backup
• Alternate or backup sites
• Hot site
• Warm site
Chapter 12: Disaster Recovery and Incident Response
• Incident response plan (IRP)
– Outlines what steps are needed and who is responsible for deciding how to handle a situation
• Incident
– Is the occurrence of any event that endangers a system or network
• Incident response
– Encompasses forensics and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident
Incident Response Process
• Step 1: Identifying the incident
• Step 2: Investigating the incident
• Step 3: Repairing the damage
• Step 4: Documenting and reporting the response
• Step 5: Adjusting procedures
Forensics from the Security+ Perspective
• Act in order of volatility
• Capture system image
• Document network traffic and logs
• Capture video
• Record time offset
• Take hashes
• Capture screenshots
• Talk to witnesses
• Track man-hours and expenses
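Three of the items on this slide, acting in order of volatility, taking hashes and recording the time offset, fit together as a single evidence-collection routine. The added example below (not code from the study guide) ranks evidence sources by volatility so the most short-lived is captured first, hashes each item with SHA-256 at the moment of capture, and writes a chain-of-custody entry that includes the collector and the suspect system's clock offset. The evidence items, the collector name and the offset value are constructed sample data.

```python
# Added example: collect evidence in order of volatility, hash it at capture
# and keep a chain-of-custody record. Not code from the study guide; the
# evidence bytes, collector and clock offset are constructed.
import hashlib
from datetime import datetime, timezone

# Order of volatility, most volatile first (the ranking taught for Security+).
VOLATILITY_RANK = {
    "cpu-registers-cache": 0,
    "memory": 1,
    "network-state": 2,
    "running-processes": 3,
    "disk": 4,
    "remote-logs": 5,
    "archival-media": 6,
}

# Constructed sample evidence; the bytes stand in for real captures.
EVIDENCE = [
    {"label": "disk image", "source": "disk",
     "data": b"...constructed disk bytes..."},
    {"label": "memory dump", "source": "memory",
     "data": b"...constructed RAM bytes..."},
    {"label": "netstat output", "source": "network-state",
     "data": b"tcp 0 0 10.0.0.5:443 ESTABLISHED\n"},
]


def sha256_hex(data: bytes) -> str:
    """Hash taken at acquisition; later copies are checked against it."""
    return hashlib.sha256(data).hexdigest()


def acquisition_order(items):
    """Sort evidence so the most volatile source is captured first."""
    return sorted(items, key=lambda item: VOLATILITY_RANK[item["source"]])


def record_evidence(item, data, collector, clock_offset_s, now=None):
    """One chain-of-custody entry: what, its hash, who, when and the offset
    between the suspect system's clock and the reference clock."""
    now = now or datetime.now(timezone.utc)
    return {
        "label": item["label"],
        "source": item["source"],
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_utc": now.isoformat(),
        "clock_offset_seconds": clock_offset_s,  # suspect clock minus reference
        "collector": collector,
    }


def verify_evidence(record, data):
    """True if a copy still matches the hash recorded at acquisition."""
    return sha256_hex(data) == record["sha256"]


def build_custody_log(evidence, collector="analyst-1", clock_offset_s=-125):
    """Capture every item in volatility order and return the custody log."""
    return [record_evidence(item, item["data"], collector, clock_offset_s)
            for item in acquisition_order(evidence)]


if __name__ == "__main__":
    for entry in build_custody_log(EVIDENCE):
        print(entry["label"], entry["sha256"][:16], entry["collected_utc"])
```

The custody log is what later lets an analyst show that the memory dump was taken before the disk image and that the file examined in the lab is byte-for-byte the one captured on scene; a single changed byte fails the verification.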
Chapter 12: Disaster Recovery and Incident Response
• Table-top exercises
– Simulate disaster
