CISSP Flashcards: Security Operations, Incident Response, Forensics, Logging


This section covers security assessment techniques, including penetration testing and vulnerability management, as well as security operations such as incident response and forensics.


Nortren

What are the phases of incident response?

The NIST incident response lifecycle (SP 800-61 Rev. 2) has four phases. Preparation involves establishing policies, procedures, teams, tools, and communication plans before incidents occur. Detection and analysis involves identifying potential incidents through monitoring, alerts, and user reports, and determining scope and severity. Containment, eradication, and recovery involves isolating affected systems to prevent spread, removing the threat, restoring systems from clean backups, and validating normal operations. Post-incident activity involves a lessons-learned review, retention of the evidence collected, and updates to controls, detections, and procedures that feed back into preparation. The lifecycle is iterative rather than strictly linear: analysis during containment often reveals new indicators that send the team back to detection and analysis.

What is the order of volatility in digital forensics?

The order of volatility (described in RFC 3227) determines the sequence for collecting digital evidence, starting with the most volatile data that will be lost first. From most to least volatile: CPU registers and cache, system memory or RAM, network state such as routing tables and ARP caches, running processes, temporary file systems and swap, disk storage, remote logging and monitoring data, physical configuration and network topology, and archival media. Forensic investigators collect evidence in this order to preserve data before it disappears. RAM contents are lost when power is removed. Disk data persists but can be overwritten. Collecting volatile data itself changes the system (a memory acquisition tool alters RAM and spawns a process), so investigators use trusted tools, document the tools used and their expected footprint, and record exactly what was run and when.

What is the chain of custody and why is it important in forensics?

The chain of custody is a documented record tracking the possession, handling, and movement of evidence from the time it is collected until it is presented in court or disposed of. It records who collected the evidence, when and where it was collected, who had possession at each point, and how it was stored and protected from tampering. A broken chain of custody can render evidence inadmissible in court because its integrity cannot be verified. Every transfer of evidence must be documented with signatures, dates, times, and reasons. In practice, integrity is demonstrated by hashing the evidence (for example with SHA-256) at acquisition and verifying that hash at each handoff, with the hash values recorded in the custody log; work is performed on verified copies so the original is never altered.
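Worked example, added here and not part of the original flashcard set: a small Python custody log in which each entry records the custodian, time, location, and reason for a handoff together with the evidence hash, and each entry is linked to the previous one by hash. The hash-linking is a design choice for this example, not something the flashcard or any court rule requires; the evidence bytes, names, times, and case identifier are all constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed sample evidence (hypothetical; stands in for a seized file or disk image).
EVIDENCE = b"constructed sample: contents of seized file for case INC-0042"

GENESIS = "0" * 64  # link value used by the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    custodian: str        # who took possession
    timestamp: str        # when (ISO 8601, UTC)
    location: str         # where the evidence was at this point
    reason: str           # why the transfer happened
    evidence_hash: str    # hash of the evidence as verified at this handoff
    prev_entry_hash: str  # hash of the preceding entry (links the log together)
    entry_hash: str = ""  # hash over all fields above, filled in when appended

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    """Custody log whose entries are hash-linked, so editing or dropping an
    entry after the fact breaks verification (a design choice of this example)."""

    def __init__(self, evidence: bytes, collector: str, when: str, where: str):
        self.acquisition_hash = sha256_hex(evidence)  # taken once, at collection
        self.entries: list[CustodyEntry] = []
        self.transfer(evidence, collector, when, where, "collected at scene")

    def transfer(self, evidence: bytes, custodian: str, when: str,
                 where: str, reason: str) -> CustodyEntry:
        # Re-hash at every handoff: a mismatch means the evidence changed between
        # custodians, and a clean transfer must not be recorded.
        h = sha256_hex(evidence)
        if h != self.acquisition_hash:
            raise ValueError(f"evidence hash mismatch at handoff to {custodian}")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(custodian, when, where, reason, h, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified, correctly linked to its
        predecessor, and records the original acquisition hash."""
        prev = GENESIS
        for e in self.entries:
            if (e.prev_entry_hash != prev
                    or e.entry_hash != e.compute_hash()
                    or e.evidence_hash != self.acquisition_hash):
                return False
            prev = e.entry_hash
        return True


def demo() -> tuple[bool, bool]:
    """Build a three-handoff chain, then alter one entry's record and re-verify."""
    chain = ChainOfCustody(EVIDENCE, "A. Analyst", "2024-03-01T09:00:00Z", "client site, room 3F")
    chain.transfer(EVIDENCE, "Evidence locker", "2024-03-01T11:30:00Z", "HQ locker B", "secure storage")
    chain.transfer(EVIDENCE, "B. Examiner", "2024-03-02T08:15:00Z", "forensics lab", "imaging and analysis")
    intact = chain.verify()
    chain.entries[1].reason = "routine"  # someone quietly rewrites the log afterwards
    return intact, chain.verify()


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two failure modes are covered: evidence that changes between custodians is refused at `transfer`, and a custody record that is edited after the fact fails `verify` because its entry hash, and the link stored by the next entry, no longer match. The signatures and physical controls the flashcard mentions are still needed; the hashes only make tampering detectable, not impossible.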

What is a Security Information and Event Management system?

A Security Information and Event Management system, or SIEM, collects, normalizes, correlates, and analyzes log data from across an organization's IT infrastructure in near real time. SIEMs aggregate logs from firewalls, servers, endpoints, applications, and network devices into a centralized platform; normalization maps each vendor's format onto a common schema so that one correlation rule can be applied across all sources. Correlation rules and analytics identify patterns that indicate security incidents, such as multiple failed login attempts followed by a successful login from an unusual location. SIEMs provide alerting, dashboards, reporting for compliance, and forensic investigation capabilities.
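Worked example, added here and not part of the original flashcard set: the correlation rule named above ("several failed logins followed by a success from an unusual location") run in Python over a handful of constructed, already-normalized authentication events. The log lines, the `user=... result=... src=... geo=...` schema, the per-user baseline of expected countries, and the thresholds are all assumptions made for the demonstration, not the format or defaults of any particular SIEM product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the page), already normalized to one
# key=value schema, as a SIEM would do after parsing each vendor's format.
LOG_LINES = [
    "2024-03-01T09:00:01Z user=alice result=FAIL src=203.0.113.7 geo=BR",
    "2024-03-01T09:00:09Z user=alice result=FAIL src=203.0.113.7 geo=BR",
    "2024-03-01T09:00:15Z user=alice result=FAIL src=203.0.113.7 geo=BR",
    "2024-03-01T09:00:21Z user=alice result=FAIL src=203.0.113.7 geo=BR",
    "2024-03-01T09:00:30Z user=alice result=SUCCESS src=203.0.113.7 geo=BR",
    "2024-03-01T09:05:00Z user=bob result=FAIL src=198.51.100.4 geo=US",
    "2024-03-01T09:05:10Z user=bob result=SUCCESS src=198.51.100.4 geo=US",
    "2024-03-01T09:30:00Z user=dave result=FAIL src=198.51.100.20 geo=US",
    "2024-03-01T09:30:05Z user=dave result=FAIL src=198.51.100.20 geo=US",
    "2024-03-01T09:30:12Z user=dave result=FAIL src=198.51.100.20 geo=US",
    "2024-03-01T09:30:20Z user=dave result=SUCCESS src=198.51.100.20 geo=US",
    "2024-03-01T10:00:00Z user=carol result=FAIL src=192.0.2.9 geo=FR",
    "2024-03-01T10:06:00Z user=carol result=FAIL src=192.0.2.9 geo=FR",
    "2024-03-01T10:12:00Z user=carol result=FAIL src=192.0.2.9 geo=FR",
    "2024-03-01T10:18:00Z user=carol result=FAIL src=192.0.2.9 geo=FR",
    "2024-03-01T10:20:00Z user=carol result=SUCCESS src=192.0.2.9 geo=FR",
    "garbled line from a misconfigured forwarder",
]

# Constructed baseline: countries each account normally authenticates from.
BASELINE_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}, "dave": {"US"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"result=(?P<result>FAIL|SUCCESS) src=(?P<src>\S+) geo=(?P<geo>[A-Z]{2})$"
)


def parse(line: str):
    """Normalize one line into an event dict, or None if it does not fit the schema."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable input is dropped, not allowed to crash the pipeline
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Alert when a user has at least `threshold` failed logins inside `window`
    and then logs in successfully from a country outside their baseline."""
    recent_failures = defaultdict(deque)  # user -> failure timestamps still inside the window
    alerts = []
    for ev in filter(None, map(parse, lines)):  # assumes events arrive in time order
        q = recent_failures[ev["user"]]
        while q and ev["ts"] - q[0] > window:  # expire failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        # SUCCESS: fire only when both conditions hold, then reset the counter.
        if len(q) >= threshold and ev["geo"] not in BASELINE_GEO.get(ev["user"], set()):
            alerts.append({
                "user": ev["user"],
                "failures": len(q),
                "src": ev["src"],
                "geo": ev["geo"],
                "at": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
            })
        q.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(alert)  # only alice fires: 4 failures in 29 s, then success from BR, baseline US
```

The sample data is chosen so each non-alerting account illustrates one part of the rule: bob has too few failures, dave's burst ends with a success from his usual country, and carol's failures are spread too far apart for the five-minute window (widen the window and she fires too). Real deployments also have to handle events that arrive out of order and accounts with no baseline yet, which this example treats as "every location is unusual".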

What is the difference between a hot site, warm site, and cold site?

A hot site is a fully equipped alternate facility with hardware, software, data, and network connections that can take over operations within minutes to hours, offering the fastest recovery but at the highest cost. A warm site has hardware and network infrastructure but requires data restoration from backups before operations can resume, typically taking hours to days. A cold site is an empty facility with basic utilities like power and cooling but no equipment, requiring days to weeks to become operational. The choice depends on the organization's recovery time objective and budget.

What is the difference between RPO and RTO?

Recovery Point Objective, or RPO, defines the maximum acceptable amount of data loss measured in time, answering the question "how much data can we afford to lose?" An RPO of four hours means backups must occur at least every four hours. Recovery Time Objective, or RTO, defines the maximum acceptable downtime before operations must be restored, answering "how quickly must we recover?" An RTO of two hours means the system must be operational within two hours of a disruption. RPO drives backup frequency and strategy, while RTO drives the type of recovery infrastructure needed.

What is separation of duties and why is it a critical control?

Separation of duties divides critical tasks among multiple people so that no single individual can complete a high-risk process alone, preventing fraud and errors. For example, the person who requests a purchase should not be the same person who approves payment. In IT, the developer who writes code should not be the same person who deploys it to production. This control requires collusion between multiple individuals to commit fraud, making it significantly more difficult.

What are the key components of a business continuity plan?

A business continuity plan ensures that critical business functions continue during and after a disruption. Key components include a business impact analysis that identifies critical functions and their recovery priorities, risk assessment of threats to those functions, recovery strategies defining how each function will be restored, plan documentation with step-by-step procedures, communication plans for notifying employees, customers, and stakeholders, testing and exercises to validate the plan works, and maintenance procedures to keep the plan current.