This section covers Exam Objective 4 of the CompTIA Security+ SY0-701 exam. It focuses on maintaining security posture through continuous monitoring and effectively responding to security incidents when they occur.
🚒 Incident Response Process
A structured approach to handling security incidents is crucial to minimize damage and recovery time. The standard lifecycle includes:
- ▸ Preparation: Establishing policies, tools, and a response team (CSIRT) before an incident occurs.
- ▸ Detection & Analysis: Monitoring systems to identify and validate potential security incidents.
- ▸ Containment, Eradication, & Recovery: Isolating affected systems, removing the threat, and restoring normal operations.
- ▸ Post-Incident Activity: Conducting a "Lessons Learned" review to improve future response efforts.
🔍 Digital Forensics
Forensics involves collecting and analyzing evidence to understand the scope and cause of an incident. Key concepts include:
- ▸ Chain of Custody: Documenting the handling of evidence to ensure its integrity and admissibility in court.
- ▸ Order of Volatility: Collecting evidence from most volatile (CPU cache, RAM) to least volatile (Disk, Archival Media).
- ▸ Data Acquisition: Creating bit-by-bit images of storage devices for analysis without altering the original data.
👁️ Security Monitoring
Continuous monitoring allows for the early detection of threats. This involves analyzing logs and traffic from various sources.
Data Sources
- ▸ SIEM: Centralized log management and correlation.
- ▸ Flow Data: Network traffic statistics (NetFlow/IPFIX).
- ▸ Packet Captures: Full payload analysis (Wireshark).
Key Metrics
- ▸ False Positives: Benign activity flagged as malicious.
- ▸ False Negatives: Malicious activity that is missed.
- ▸ Alert Fatigue: Desensitization to frequent alarms.
💾 Backup & Recovery
Ensuring business continuity requires robust backup strategies to recover data after corruption, deletion, or ransomware attacks.
- ▸ Backup Types: Full (complete copy), Incremental (changes since last backup), Differential (changes since last full backup).
- ▸ 3-2-1 Rule: 3 copies of data, on 2 different media types, with 1 copy offsite.
- ▸ Testing: Regularly verifying backups to ensure they can be successfully restored.
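The practical consequence of the three backup types listed above is the length of the restore chain, shown here as an added example that is not part of this study guide. Given a schedule of dated backups (constructed data, hypothetical dates), `restore_chain` works out which sets must be applied, in order, to recover the state at a target date; it also handles a mixed schedule where incrementals and differentials are interleaved, which goes beyond the list above.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str  # "full", "incremental" or "differential"


def restore_chain(backups, target):
    """Return the backups, oldest first, that must be applied to restore
    data as it stood at `target`.

    full:         complete copy; restores on its own and starts a new chain
    incremental:  changes since the previous backup of any kind, so every
                  one taken after the base must be replayed in order
    differential: changes since the last full, so it replaces any earlier
                  incremental or differential taken since that full
    """
    usable = sorted((b for b in backups if b.taken <= target),
                    key=lambda b: b.taken)
    chain = []
    for b in usable:
        if b.kind == "full":
            chain = [b]
        elif b.kind in ("incremental", "differential"):
            if not chain:
                raise ValueError(f"{b.kind} on {b.taken} has no base full")
            chain = chain + [b] if b.kind == "incremental" else [chain[0], b]
        else:
            raise ValueError(f"unknown backup kind {b.kind!r}")
    if not chain:
        raise ValueError(f"no full backup on or before {target}")
    return chain


def describe(chain):
    """Compact form of a chain, e.g. ['full@2024-06-02', 'incremental@...']."""
    return [f"{b.kind}@{b.taken.isoformat()}" for b in chain]


# Constructed one-week schedules (hypothetical data): a full on Sunday, then
# either daily incrementals or daily differentials through Thursday.
FULL = Backup(date(2024, 6, 2), "full")
INCREMENTAL_WEEK = [FULL] + [Backup(date(2024, 6, d), "incremental") for d in (3, 4, 5, 6)]
DIFFERENTIAL_WEEK = [FULL] + [Backup(date(2024, 6, d), "differential") for d in (3, 4, 5, 6)]
TARGET = date(2024, 6, 5)  # restore to Wednesday's state; Thursday's backup is ignored
```

Calling `describe(restore_chain(INCREMENTAL_WEEK, TARGET))` yields four sets (the full plus three incrementals), while the differential schedule needs only the full and Wednesday's differential; this is the trade-off between backup-window size and restore time that the exam expects you to reason about.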