163. Which of the following statements is not true about honeypots’ logs?

a. Honeypots are deceptive measures.

b. Honeypots collect data on indications.

c. Honeypots are hosts that have no authorized users.

d. Honeypots are a supplement to properly securing networks, systems, and applications.

163. b. Honeypots are deceptive measures collecting better data on precursors, not on indications. A precursor is a sign that an incident may occur in the future. An indication is a sign that an incident may have occurred or may be occurring now.

Honeypots are hosts that have no authorized users other than the honeypot administrators because they serve no business function; all activity directed at them is considered suspicious. Attackers scan and attack honeypots, giving administrators data on new trends and attack/attacker tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems, and applications.

164. Each user is granted the lowest clearance needed to perform authorized tasks. Which of the following principles is this?

a. The principle of least privilege

b. The principle of separation of duties

c. The principle of system clearance

d. The principle of system accreditation

164. a. The principle of least privilege requires that each subject (user) in a system be granted the most restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application of this principle limits the damage that can result from accident, error, and/or unauthorized use. The principle of separation of duties states that no single person can have complete control over a business transaction or task.

The principle of system clearance states that users’ access rights should be based on their job clearance status (i.e., sensitive or non-sensitive). The principle of system accreditation states that all systems should be approved by management prior to making them operational.

165. Which of the following intrusion detection and prevention system (IDPS) methodologies is appropriate for analyzing both network-based and host-based activity?

a. Signature-based detection

b. Misuse detection

c. Anomaly-based detection

d. Stateful protocol analysis

165. d. IDPS technologies use many methodologies to detect incidents. The primary classes of detection methodologies include signature-based, anomaly-based, and stateful protocol analysis, where the latter is the only one that analyzes both network-based and host-based activity.

Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. A signature is a pattern that corresponds to a known threat. It is sometimes incorrectly referred to as misuse detection or stateful protocol analysis. Misuse detection refers to attacks from within the organization.

Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations and abnormal behavior.

Stateful protocol analysis (also known as deep packet inspection) is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Stateful protocol analysis is appropriate for analyzing both network-based and host-based activity, whereas deep packet inspection is appropriate for network-based activity only. One network-based IDPS can listen on a network segment or switch and can monitor the network traffic affecting multiple hosts that are connected to the network segment. One host-based IDPS operates on information collected from within an individual computer system and determines which processes and user accounts are involved in a particular attack.

166. The Clark-Wilson security model focuses on which of the following?

a. Confidentiality

b. Integrity

c. Availability

d. Accountability

166. b. The Clark-Wilson security model is an approach that provides data integrity for common commercial activities. It is a specific model addressing “integrity,” which is one of five security objectives. The five objectives are: confidentiality, integrity, availability, accountability, and assurance.

167. The Biba security model focuses on which of the following?

a. Confidentiality

b. Integrity

c. Availability

d. Accountability

167. b. The Biba security model is an integrity model in which no subject may depend on a less trusted object, including another subject. It is a specific model addressing only one of the security objectives (confidentiality, integrity, availability, and accountability), namely integrity.

168. The Take-Grant security model focuses on which of the following?

a. Confidentiality

b. Accountability

c. Availability

d. Access rights

168. d. The Take-Grant security model uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject. It does not address the security objectives such as confidentiality, integrity, availability, and accountability. Access rights are a part of access control models.
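The directed-graph mechanics behind the answer to 168 are easier to see in code. The following is an added example, not part of the question bank: a small Take-Grant graph in Python where edges carry sets of rights, and the take rule (x holds 't' over y, y holds r over z, so x may take r over z) and the grant rule (x holds 'g' over y and r over z, so x may grant r over z to y) are applied until no new edge appears. The class name, the subject and object names, and the omission of the model's create and remove rules are all assumptions made for the illustration.

```python
from collections import defaultdict
import copy

TAKE, GRANT = "t", "g"


class TakeGrantGraph:
    """Directed graph whose edges carry sets of rights from a source to a target.

    Only the take and grant rewriting rules are modelled (an added simplification:
    the full Take-Grant model also has create and remove rules).
    """

    def __init__(self):
        # (source, target) -> set of rights, e.g. ("alice", "file") -> {"r"}
        self.rights = defaultdict(set)

    def add_edge(self, src, dst, *rs):
        self.rights[(src, dst)].update(rs)

    def has(self, src, dst, right):
        return right in self.rights.get((src, dst), set())

    def apply_take(self, x, y, z, right):
        """Take rule: x -t-> y and y -right-> z, so x obtains right over z."""
        if self.has(x, y, TAKE) and self.has(y, z, right):
            self.rights[(x, z)].add(right)
            return True
        return False

    def apply_grant(self, x, y, z, right):
        """Grant rule: x -g-> y and x -right-> z, so y obtains right over z."""
        if self.has(x, y, GRANT) and self.has(x, z, right):
            self.rights[(y, z)].add(right)
            return True
        return False

    def closure(self):
        """Apply take and grant until no new edge appears (the graph is finite, so this ends)."""
        changed = True
        while changed:
            changed = False
            snapshot = [(edge, set(rs)) for edge, rs in self.rights.items()]
            for (x, y), xy_rights in snapshot:
                for (a, b), ab_rights in snapshot:
                    if TAKE in xy_rights and a == y:      # x -t-> y, y -r-> b
                        for r in ab_rights:
                            if not self.has(x, b, r):
                                self.rights[(x, b)].add(r)
                                changed = True
                    if GRANT in xy_rights and a == x:     # x -g-> y, x -r-> b
                        for r in ab_rights:
                            if not self.has(y, b, r):
                                self.rights[(y, b)].add(r)
                                changed = True
        return self

    def can_share(self, right, x, z):
        """Can x ever obtain `right` over z? Evaluated on a copy so the graph is unchanged."""
        return copy.deepcopy(self).closure().has(x, z, right)


if __name__ == "__main__":
    g = TakeGrantGraph()
    g.add_edge("alice", "bob", TAKE)     # alice may take rights bob holds
    g.add_edge("bob", "file", "r")
    g.add_edge("carol", "dave", GRANT)   # carol may grant her rights to dave
    g.add_edge("carol", "file", "w")
    print("alice can read file:", g.can_share("r", "alice", "file"))   # True
    print("dave can write file:", g.can_share("w", "dave", "file"))    # True
    print("alice can write file:", g.can_share("w", "alice", "file"))  # False
```

The point of the closure is the one the answer makes: the model says nothing about confidentiality or integrity as objectives, only which rights can flow to whom along 't' and 'g' edges, so a reviewer can check an access-rights design by asking `can_share` rather than by inspecting the initial edges alone.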

169. Which of the following is based on precomputed password hashes?

a. Brute force attack

b. Dictionary attack

c. Rainbow attack

d. Hybrid attack

169. c. Rainbow attacks are a form of a password cracking technique that employs rainbow tables, which are lookup tables that contain pre-computed password hashes. These tables enable an attacker to attempt to crack a password with minimal time on the victim system and without constantly having to regenerate hashes if the attacker attempts to crack multiple accounts. The other three choices are not based on pre-computed password hashes, although they are all related to passwords.

A brute force attack is a form of a guessing attack in which the attacker uses all possible combinations of characters from a given character set and for passwords up to a given length.

A dictionary attack is a form of a guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive.

A hybrid attack is a form of a guessing attack in which the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.
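What makes a precomputed table possible, and what defeats it, follows directly from the answer to 169. The example below is added here and is not from the question bank: a table of hashes is built once from a constructed five-word candidate list (a real table would use hash/reduce chains over a far larger list, but the precomputation-versus-salt argument is the same), a bare SHA-256 is recovered with one dictionary lookup, and the same password stored with a per-user salt through PBKDF2 is not in the table at all. The function names and the candidate words are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Constructed candidate list (not a real wordlist).
CANDIDATES = ["password", "letmein", "qwerty", "password123", "welcome1"]


def unsalted_hash(password):
    """A bare SHA-256 of the password: the kind of hash a precomputed table targets."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute digest -> password once; every later recovery is a single dict lookup.

    This is the precomputation the answer describes; a rainbow table only stores it
    more compactly.
    """
    return {unsalted_hash(pw): pw for pw in candidates}


def lookup(table, digest):
    """Return the candidate whose precomputed hash equals `digest`, or None."""
    return table.get(digest)


def new_salt():
    """Random per-user salt stored next to the hash."""
    return os.urandom(16)


def salted_hash(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256: the salt makes a shared table useless across users and
    the iteration count makes every guess deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password, salt, stored_hex):
    """Recompute the salted hash and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hex)


if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    print(lookup(table, unsalted_hash("password123")))      # found via precomputation
    salt = new_salt()
    print(lookup(table, salted_hash("password123", salt)))  # None: the table does not apply
```

Two users who chose the same password end up with different stored hashes because their salts differ, so a table would have to be rebuilt per salt; that is why the brute force, dictionary and hybrid attacks in the other three choices are not defeated by salting in the same way (they still guess live, one account at a time), and why a slow iterated hash is the complementary defence against them.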

170. For intrusion detection and prevention system capabilities, anomaly-based detection uses which of the following?

1. Blacklists

2. Whitelists

3. Threshold

4. Program code viewing

a. 1 and 2

b. 1, 2, and 3

c. 3 only

d. 1, 2, 3, and 4

170. c. Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. Thresholds are most often used for anomaly-based detection. A threshold is a value that sets the limit between normal and abnormal behavior.
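A threshold-based anomaly detector of the kind the answer to 170 describes can be shown end to end. The example below is added here and is not from the question bank: a baseline period of constructed login log lines is used to learn what is normal (failed logins per user), the threshold is set at the baseline mean plus k standard deviations, and an observed period is compared against that limit. The log format, user names and the choice of k = 3 are assumptions made for the illustration.

```python
import statistics
from collections import Counter

# Constructed sample log lines (not from any real system): "<timestamp> <user> <event>".
# The baseline is a quiet period used to learn what "normal" looks like.
BASELINE_LOG = [
    "2024-01-01T09:02:10 alice LOGIN_FAIL",
    "2024-01-01T09:02:20 alice LOGIN_OK",
    "2024-01-01T11:40:05 alice LOGIN_FAIL",
    "2024-01-01T08:15:00 bob LOGIN_FAIL",
    "2024-01-01T08:15:30 bob LOGIN_OK",
    "2024-01-01T10:00:00 carol LOGIN_FAIL",
    "2024-01-01T10:00:10 carol LOGIN_FAIL",
    "2024-01-01T10:00:20 carol LOGIN_FAIL",
    "2024-01-01T10:00:30 carol LOGIN_OK",
    "2024-01-01T13:30:00 dave LOGIN_FAIL",
    "2024-01-01T13:31:00 dave LOGIN_FAIL",
    "2024-01-01T13:32:00 dave LOGIN_OK",
]

# Observed period (also constructed): bob's account shows a burst of failures at 03:00.
OBSERVED_LOG = [
    "2024-01-08T09:01:00 alice LOGIN_FAIL",
    "2024-01-08T09:01:10 alice LOGIN_FAIL",
    "2024-01-08T09:01:20 alice LOGIN_OK",
    "2024-01-08T10:05:00 carol LOGIN_FAIL",
    "2024-01-08T10:05:10 carol LOGIN_FAIL",
    "2024-01-08T10:05:20 carol LOGIN_FAIL",
    "2024-01-08T10:05:30 carol LOGIN_FAIL",
] + ["2024-01-08T03:%02d:00 bob LOGIN_FAIL" % i for i in range(15)]


def failed_logins_per_user(lines):
    """Count LOGIN_FAIL events per user: the feature compared against the threshold."""
    counts = Counter()
    for line in lines:
        _timestamp, user, event = line.split()
        if event == "LOGIN_FAIL":
            counts[user] += 1
    return counts


def learn_threshold(baseline_counts, k=3.0):
    """Threshold = baseline mean + k population standard deviations.

    This is the value that sets the limit between normal and abnormal behaviour.
    """
    values = list(baseline_counts.values())
    return statistics.mean(values) + k * statistics.pstdev(values)


def detect_anomalies(observed_counts, threshold):
    """Return the users whose failure count exceeds the learned limit."""
    return {user: n for user, n in observed_counts.items() if n > threshold}


if __name__ == "__main__":
    threshold = learn_threshold(failed_logins_per_user(BASELINE_LOG))
    print("threshold:", round(threshold, 2))
    print("anomalies:", detect_anomalies(failed_logins_per_user(OBSERVED_LOG), threshold))
```

With this baseline the learned threshold is about 4.12 failures, so bob's 15 failures are flagged while carol's 4 are not; lowering k catches carol too at the cost of more false positives. No blacklist, whitelist or program-code inspection is involved, which is why only item 3 fits the question.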