175. Regarding a patch management program, which of the following should be used when comparing the effectiveness of the security programs of multiple systems?
1. Number of patches needed
2. Number of vulnerabilities found
3. Number of vulnerabilities per computer
4. Number of unapplied patches per computer
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
175. d. Ratios, not absolute numbers, should be used when comparing the effectiveness of the security programs of multiple systems. Ratios reveal better information than absolute numbers. In addition, ratios allow effective comparison between systems. Number of patches needed and number of vulnerabilities found are incorrect because they deal with absolute numbers.
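The point of answer 175 in runnable form: an added example (not from the exam text) that ranks several systems once by absolute counts and once by per-computer ratios. The inventory is constructed for illustration; the ranking order flips because the systems differ in size.

```python
# Added example: compare patch-program effectiveness across systems using
# per-computer ratios rather than absolute counts. The inventory is
# constructed sample data, not real measurements.

INVENTORY = {
    # system: (computers, vulnerabilities found, unapplied patches)
    "finance": (40, 120, 60),
    "hr": (10, 50, 35),
    "lab": (200, 300, 120),
}


def per_computer(inv):
    """Return {system: (vulnerabilities per computer, unapplied patches per computer)}."""
    out = {}
    for name, (hosts, vulns, unapplied) in inv.items():
        if hosts <= 0:
            raise ValueError(f"{name}: computer count must be positive")
        out[name] = (round(vulns / hosts, 2), round(unapplied / hosts, 2))
    return out


def rank(inv, key):
    """Rank systems from best (lowest value) to worst on one metric.

    key is one of: 'abs_vulns', 'abs_unapplied' (absolute numbers, the
    wrong basis for comparison) or 'vulns_per_pc', 'unapplied_per_pc'
    (ratios, the right basis).
    """
    ratios = per_computer(inv)
    metric = {
        "abs_vulns": lambda n: inv[n][1],
        "abs_unapplied": lambda n: inv[n][2],
        "vulns_per_pc": lambda n: ratios[n][0],
        "unapplied_per_pc": lambda n: ratios[n][1],
    }[key]
    return sorted(inv, key=metric)


if __name__ == "__main__":
    # By absolute vulnerabilities "lab" looks worst; per computer it is best.
    print("absolute :", rank(INVENTORY, "abs_vulns"))
    print("per host :", rank(INVENTORY, "vulns_per_pc"))
```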
176. All the following are examples of denial-of-service attacks except:
a. IP address spoofing
b. Smurf attack
c. SYN flood attack
d. Sendmail attack
176. a. IP address spoofing is falsifying the identity of a computer system on a network. It capitalizes on the packet address the Internet Protocol (IP) uses for transmission. It is not an example of a denial-of-service attack because it does not flood the host computer.
Smurf, synchronized flood (SYN flood), and sendmail attacks are examples of denial-of-service attacks. Smurf attacks use a network that accepts broadcast ping packets to flood the target computer with ping reply packets. A SYN flood attack is a method of overwhelming a host computer on the Internet by sending the host a high volume of SYN packets requesting a connection, but never responding to the acknowledgment packets returned by the host. Recent attacks against sendmail include remote penetration, local penetration, and remote denial of service.
177. Ping-of-death is an example of which of the following?
a. Keyboard attack
b. Stream attack
c. Piggyback attack
d. Buffer overflow attack
177. d. The ping-of-death is an example of a buffer overflow attack, a form of denial-of-service attack, where oversized packets are sent to overfill the system buffers, causing the system to reboot or crash.
A keyboard attack is a resource starvation attack in that it consumes system resources (for example, CPU utilization and memory), depriving legitimate users. A stream attack sends TCP packets to a series of ports with random sequence numbers and random source IP addresses, resulting in high CPU usage. In a piggybacking attack, an intruder can gain unauthorized access to a system by using a valid user’s connection.
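A defender-side check for the condition answer 177 describes, as an added example that is not part of the exam text: the ping-of-death works by sending an IP datagram whose fragments reassemble to more than the 65535-byte maximum, so a fragment whose offset plus payload length exceeds that limit can be flagged before reassembly. The sample headers are constructed in the code; checksums are left zero because only the length and fragment fields are inspected.

```python
import struct

MAX_IP_DATAGRAM = 65535  # IPv4 total-length field is 16 bits (RFC 791)


def ipv4_fragment_end(header: bytes) -> int:
    """Return the exclusive end offset, within the reassembled datagram,
    of the bytes carried by this fragment."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl_bytes = (ver_ihl & 0x0F) * 4
    frag_offset = (flags_frag & 0x1FFF) * 8   # low 13 bits, in 8-byte units
    payload_len = total_len - ihl_bytes
    if payload_len < 0:
        raise ValueError("total length smaller than header length")
    return frag_offset + payload_len


def is_oversized_fragment(header: bytes) -> bool:
    """True when this fragment would push the reassembled datagram past
    65535 bytes: the ping-of-death signature, worth alerting on."""
    return ipv4_fragment_end(header) > MAX_IP_DATAGRAM


def make_header(total_len: int, frag_offset_units: int, more_fragments: bool = False) -> bytes:
    """Constructed sample IPv4 header (IHL=5, proto 1 = ICMP, checksum 0)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBHII", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, 0x0A000001, 0x0A000002)


# Constructed samples: an ordinary 84-byte ping and a last fragment that
# starts at byte 65512 and carries 100 bytes of payload (ends at 65612).
NORMAL_PING = make_header(84, 0)
OVERSIZED_LAST_FRAGMENT = make_header(20 + 100, 8189)
LARGEST_LEGAL_FRAGMENT = make_header(20 + 23, 8189)   # ends exactly at 65535

if __name__ == "__main__":
    for name, hdr in [("normal", NORMAL_PING), ("oversized", OVERSIZED_LAST_FRAGMENT)]:
        print(name, ipv4_fragment_end(hdr), is_oversized_fragment(hdr))
```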
178. Denial-of-service attacks compromise which one of the following properties of information systems?
a. Integrity
b. Availability
c. Confidentiality
d. Reliability
178. b. A denial-of-service (DoS) is an attack in which one user takes up so much of the shared resource that none of the resource is left for other users. It compromises the availability of system resources (for example, disk space, CPU, print paper, and modems), resulting in degradation or loss of service.
A DoS attack does not affect integrity because the latter is a property that an object is changed only in a specified and authorized manner. A DoS attack does not affect confidentiality because the latter is a property ensuring that data is disclosed only to authorized subjects or users. A DoS attack does not affect reliability because the latter is a property defined as the probability that a given system is performing its mission adequately for a specified period of time under the expected operating conditions.
179. Which of the following is the most complex phase of incident response process for malware incidents?
a. Preparation
b. Detection
c. Recovery
d. Remediation
179. c. Of all the malware incident-response life-cycle phases, the recovery phase is the most complex. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads, to avoid consuming excessive resources and increasing the damage caused by the incident. Restore addresses bringing systems back to normal operations and hardening them to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage to it.
More tools and technologies are relevant to the recovery phase than to any other phase; more technologies mean more complexity. The technologies involved and the speed of malware spreading make it more difficult to recover.
The other three phases (preparation, detection, and remediation) are less complex. The scope of the preparation and prevention phase covers establishing plans, policies, and procedures. The scope of the detection phase covers identifying classes of incidents and defining appropriate actions to take. The scope of the remediation phase covers tracking and documenting security incidents on an ongoing basis to help in forensic analysis and in establishing trends.
180. Which of the following determines the system availability rate for a computer-based application system?
a. (Available time / scheduled time) x 100
b. [(1 + available time) / (scheduled time)] x 100
c. [(Available time)/(1 – scheduled time)] x 100
d. [(Available time – scheduled time) / (scheduled time)] x 100
180. a. System availability is expressed as the ratio of the number of hours the system is available to the users during a given period to the scheduled hours of operation. Overall hours of operation also include sufficient time for scheduled maintenance activities. Scheduled time is the hours of operation, and available time is the time during which the computer system is available to the users.
181. A computer security incident was detected. Which of the following is the best reaction strategy for management to adopt?
a. Protect and preserve
b. Protect and recover
c. Trap and prosecute
d. Pursue and proceed
181. b. If a computer site is vulnerable, management may favor the protect-and-recover reaction strategy because it increases the defenses available to the victim organization. Also, this strategy brings normalcy to the network's users as quickly as possible. Management can interfere with the intruder's activities, prevent further access, and begin damage assessment. This interference process may include shutting down the computer center, closing access to the network, and initiating recovery efforts.
The protect-and-preserve strategy is a part of a protect-and-recover strategy. Law enforcement authorities and prosecutors favor the trap-and-prosecute strategy. It lets intruders continue their activities until the security administrator can identify the intruder. In the meantime, there could be system damage or data loss. The pursue-and-proceed strategy is not relevant here.