LATEST GCIH EXAM WITH 100% SOLUTION
What people should be brought in as an incident response team? - ANSWER
* Security
* Systems Admin
* Network Management
* Legal
* HR
* Public Affairs
* Disaster Recovery
* Union Rep

How should the incident response team be organized? - ANSWER
* With onsite people
* Establish a baseline for response

What are some ways to prepare for issues? - ANSWER
* System build checklists per system type
* Establish comp time for the team

What should go into an emergency communications plan? - ANSWER
* Create a call list and establish methods of informing people quickly
* Get a conference bridge number that can be set up on demand
* Print a credit-card-sized list of incident response team contact info
* Test the plan to verify that people actually answer the phone

What should a war room contain? - ANSWER
* Locking door
* Locking file cabinet
* No windows

What are the main training issues when training an incident response team? - ANSWER
* Creating forensic images under fire
* Keyboard skills under fire

What should go into a jump bag? - ANSWER
* Binary image creation software: dd, windd, netcat
* Forensic software
* Diagnosis software
* Bootable media
* USB token, RAM device
* External hard drive
* Ethernet tap
* Patch cables
* Laptop with multiple OSs
* Call list
* Anti-static plastic bags
* Desiccants for moisture
* Notebooks
* Jumpers
* Flashlight
* Screwdrivers
* Female-to-female RJ-45 coupler

What is the goal of the identification phase? - ANSWER
* Gather events, analyze them, and determine whether or not there is an incident

What are some trends in the underground community? - ANSWER
* Attack tools getting easier to use
* High-quality, extremely functional tools
* Rise of the anti-disclosure movement
* Rise of hacktivism

What are software distro site attacks? - ANSWER
* Software on a distribution site or repository is broken into and altered to include a back door, so everyone who downloads it installs the backdoor
* ISR-Evilgrade is a framework that impersonates an application's update server (once the attacker has redirected the update check, e.g. by DNS spoofing or a man-in-the-middle position): when the software asks for an update, Evilgrade answers with malware
* Its modules covered Java, WinZip, WinAmp, OS X, OpenOffice, iTunes, etc.

Software distro site defenses - ANSWER
* Check hashes across multiple mirrors - check both MD5 and SHA-1 (and SHA-256 where the project publishes it). A hash only proves integrity if it came from somewhere other than the mirror that served the file, and MD5 and SHA-1 are collision-broken, so a match on those alone is weak evidence
* Check PGP signatures if available - be sure the signing key is trustworthy (obtained from the project through a channel the attacker does not control, not from the same possibly compromised mirror)
* Test software before putting it in production

What are some general trends in attacking? - ANSWER
* Worms are increasingly being used to carry bots, backdoors, password crackers, and scanners
* Botnets are growing with self-replicating code
* Distributed, cooperative attacks are very popular

What is reconnaissance? - ANSWER
* Basically casing the joint
* Generally script kiddies or people out to get a specific site
* Gathering as much information as possible from open sources

What information can be gathered from domain name registration? - ANSWER
* Address
* Phone numbers
* Points of contact
* Authoritative domain name servers

How can WHOIS be used for research? - ANSWER
* Can gather contact names and DNS information
* Has information on the registrar
* Has information on the IP address blocks allocated to the target organization (these records are held by the regional Internet registries, not by the domain registrar)

WHOIS recon defenses - ANSWER
* Preparation - just live with it, because that's the Internet; keep real, up-to-date contact information in the records
* Identification - you can't really tell that anyone has looked you up

What is a DNS zone transfer? - ANSWER
* Dumps all records from a DNS server (an AXFR request, carried over TCP port 53) and shows the attacker which machines are reachable on the Internet

How is a zone transfer done in Windows? - ANSWER
nslookup
server <authoritative server IP or name>
set type=any
ls -d <target domain>

How is a zone transfer done in Unix? - ANSWER
dig @<DNS server IP> <target domain> -t AXFR

What are DNS recon defenses? - ANSWER
* Preparation - do not allow zone transfers from just any system; limit zone transfers so the primary accepts these requests only from its secondary and tertiary servers
* Preparation - use split DNS: external name information in an external server, internal name information in internal servers
* Preparation - make sure DNS servers are hardened
* Identification - look for zone transfer (AXFR/IXFR) requests in the DNS server logs, and for TCP port 53 connections from hosts that are not your secondaries, since transfers ride over TCP rather than the UDP used by ordinary queries

What sites can be used for reconnaissance? - ANSWER
* Target's own sites
* Press releases
* White papers
* Design documents
* Sample deliverables
* Open positions
* Key people
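The mirror cross-check described under "Software distro site defenses" above, as an added example that is not part of the original study notes. It hashes a constructed sample download, compares the result with checksum values "published" by three hypothetical mirrors (mirror-a/b/c.example, built inline as fixtures), and refuses to call the file good unless at least two mirrors agree on a strong digest (SHA-256 or SHA-512); agreement on MD5 or SHA-1 alone is reported as weak, and any disagreement is reported as a mismatch because either the download or that mirror has been tampered with. The PGP step (gpg --verify on the detached signature, with the key fetched through a channel separate from the mirror) is left out of the code because it needs the gpg binary and key material.

```python
import hashlib

# Constructed sample download (stands in for the file you just fetched from one mirror).
DOWNLOADED_FILE = b"installer-1.2.3 (constructed sample bytes)\n"
# A backdoored variant of the same file, used below to simulate a compromised mirror.
TAMPERED_FILE = DOWNLOADED_FILE + b"#backdoor\n"

# MD5 and SHA-1 are collision-broken; a match on them alone is only weak evidence.
STRONG = ("sha512", "sha256")
WEAK = ("sha1", "md5")


def digest(data, algo):
    """Hex digest of data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def cross_check(data, mirror_checksums, min_mirrors=2):
    """Compare local digests of `data` with checksums published on several mirrors.

    mirror_checksums: {mirror_name: {algorithm: hexdigest, ...}}
    Verdicts: 'mismatch'      any mirror disagrees: do not install, one side is tampered
              'ok'            >= min_mirrors distinct mirrors agree on a strong digest
              'insufficient'  strong agreement, but from too few mirrors
              'weak-only'     only MD5/SHA-1 values agree
              'no-checksums'  nothing usable was published
    """
    local = {algo: digest(data, algo) for algo in STRONG + WEAK}
    mismatched, strong_ok, weak_ok = [], set(), set()
    for mirror, published in mirror_checksums.items():
        for algo, value in published.items():
            algo = algo.lower()
            if algo not in local:
                continue  # unsupported algorithm: neither evidence nor alarm
            if value.strip().lower() != local[algo]:
                mismatched.append((mirror, algo))
            elif algo in STRONG:
                strong_ok.add(mirror)
            else:
                weak_ok.add(mirror)
    if mismatched:
        verdict = "mismatch"
    elif len(strong_ok) >= min_mirrors:
        verdict = "ok"
    elif strong_ok:
        verdict = "insufficient"
    elif weak_ok:
        verdict = "weak-only"
    else:
        verdict = "no-checksums"
    return {"verdict": verdict, "mismatched": mismatched,
            "strong_mirrors": sorted(strong_ok), "weak_mirrors": sorted(weak_ok)}


# Hypothetical mirrors; the checksum values are computed here only to build the fixtures.
MIRRORS_AGREE = {
    "mirror-a.example": {"sha256": digest(DOWNLOADED_FILE, "sha256"),
                         "md5": digest(DOWNLOADED_FILE, "md5")},
    "mirror-b.example": {"sha256": digest(DOWNLOADED_FILE, "sha256")},
    "mirror-c.example": {"sha1": digest(DOWNLOADED_FILE, "sha1")},
}
# Same, but mirror-b now serves the backdoored build and publishes its hash.
MIRRORS_COMPROMISED = dict(MIRRORS_AGREE)
MIRRORS_COMPROMISED["mirror-b.example"] = {"sha256": digest(TAMPERED_FILE, "sha256")}
# Mirrors that publish nothing stronger than MD5.
MIRRORS_MD5_ONLY = {name: {"md5": digest(DOWNLOADED_FILE, "md5")}
                    for name in ("mirror-a.example", "mirror-b.example")}

if __name__ == "__main__":
    for label, mirrors in (("agree", MIRRORS_AGREE), ("compromised", MIRRORS_COMPROMISED),
                           ("md5-only", MIRRORS_MD5_ONLY)):
        print(label, cross_check(DOWNLOADED_FILE, mirrors))
```

Note that a mismatch does not tell you which side is bad: the file you downloaded may be the backdoored one, or the disagreeing mirror may be. Either way the file is not installed until the discrepancy is explained.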
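Detection logic for the "Identification" bullet under DNS recon defenses, as an added example that is not from the original notes. The log lines below are constructed in the style of BIND 9 query logging, not a real capture; 198.51.100.10 stands in for the primary, 192.0.2.2 and 192.0.2.3 for its authorized secondaries, and example.com for the zone. Because AXFR and IXFR travel over TCP, BIND marks such queries with a T flag; the code flags transfer requests from any host that is not an approved secondary, and also surfaces requests the server itself refused (the "zone transfer ... denied" message produced once the zone carries allow-transfer { 192.0.2.2; 192.0.2.3; }; in named.conf), since a refused attempt is still a reconnaissance signal worth correlating with other activity from that source.

```python
import re
from collections import Counter

# Constructed BIND 9-style log lines (not a real capture).
SAMPLE_LOG = """\
10-Mar-2024 12:00:01.123 client @0x7f3a 192.0.2.2#49152 (example.com): query: example.com IN AXFR -T (198.51.100.10)
10-Mar-2024 12:00:01.130 transfer of 'example.com/IN': AXFR started
10-Mar-2024 12:03:44.001 client @0x7f3b 203.0.113.77#40123 (example.com): query: example.com IN AXFR -T (198.51.100.10)
10-Mar-2024 12:03:44.010 transfer of 'example.com/IN': AXFR started
10-Mar-2024 12:05:00.000 client @0x7f3c 203.0.113.78#5555 (www.example.com): query: www.example.com IN A -E(0)D (198.51.100.10)
10-Mar-2024 12:07:10.500 client @0x7f3d 203.0.113.77#40200 (example.com): query: example.com IN IXFR -T (198.51.100.10)
10-Mar-2024 12:09:00.000 client @0x7f3e 203.0.113.99#1337 (example.com): zone transfer 'example.com/AXFR/IN' denied
"""

# Hypothetical secondaries that are allowed to pull the zone.
ALLOWED_SECONDARIES = {"192.0.2.2", "192.0.2.3"}

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# A transfer request as logged by the query-log category (the "@0x..." client handle is optional).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?" + IP + r"#\d+ \([^)]*\): query: (?P<zone>\S+) IN (?P<qtype>AXFR|IXFR)\b")
# A transfer that allow-transfer refused.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?" + IP + r"#\d+ \([^)]*\): zone transfer '(?P<zone>[^/']+)/(?P<qtype>AXFR|IXFR)/IN' denied")


def find_zone_transfers(log_text, allowed=ALLOWED_SECONDARIES):
    """Extract every zone transfer request from the log.

    Returns a list of dicts {ip, zone, qtype, status} where status is
    'expected' (from an allowed secondary), 'unauthorized' (served to someone else)
    or 'denied' (refused by the server). Ordinary A/AAAA/etc. queries are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            status = "expected" if m["ip"] in allowed else "unauthorized"
            events.append({"ip": m["ip"], "zone": m["zone"], "qtype": m["qtype"], "status": status})
            continue
        m = DENIED_RE.search(line)
        if m:
            events.append({"ip": m["ip"], "zone": m["zone"], "qtype": m["qtype"], "status": "denied"})
    return events


def alerts(events):
    """Only the events an analyst needs to look at: transfers that were not expected."""
    return [e for e in events if e["status"] != "expected"]


def attempts_by_source(events):
    """Count unexpected transfer attempts per source address, for triage and blocking."""
    return Counter(e["ip"] for e in alerts(events))


if __name__ == "__main__":
    found = find_zone_transfers(SAMPLE_LOG)
    for e in alerts(found):
        print(f"{e['status']:<12} {e['ip']:<15} {e['qtype']} {e['zone']}")
    print(attempts_by_source(found))
```

On the constructed sample the expected pull from 192.0.2.2 is left alone, while 203.0.113.77 (one successful AXFR and one IXFR, which means the server's allow-transfer is too permissive) and 203.0.113.99 (refused) are reported. The "transfer of ... AXFR started" lines are not needed for detection because the query line already carries the client address.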
Written for
- Institution: GCIH
- Course: GCIH
Document information
- Uploaded on: January 30, 2024
- Number of pages: 18
- Written in: 2023/2024
- Type: Exam (elaborations)