a. Disk duplexing and mirroring

b. Server consolidation

c. LAN consolidation

d. Disk distribution

221. a. Disk duplexing means that the disk controller is duplicated: when one disk controller fails, the other one is ready to operate. Disk mirroring means the file server contains duplicate disks, and all information is written to both disks simultaneously. Server consolidation, local-area network (LAN) consolidation, and disk distribution are unrelated to fault tolerance, although they may have their own uses.

222. Performing automated deployment of patches is difficult for which of the following?

a. Homogeneous computing platforms

b. Legacy systems

c. Standardized desktop systems

d. Similarly configured servers

222. b. Manual patching is useful and necessary for many legacy and specialized systems due to their nature. Automated patching tools allow an administrator to update hundreds or even thousands of systems from a single console. Deployment is fairly simple when there are homogeneous computing platforms, with standardized desktop systems, and similarly configured servers.

223. Regarding media sanitization, degaussing is an acceptable method for which of the following?

a. Disposal

b. Clearing

c. Purging

d. Disinfecting

223. c. Degaussing is demagnetizing magnetic media to remove magnetic memory and to erase the contents of media. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. Thus, degaussing and executing the firmware Secure Purge command (for serial advanced technology attachment (SATA) drives only) are acceptable methods for purging.

The other three choices are incorrect. Disposal is the act of discarding media by giving up control in a manner short of destruction, and it is not a strong protection. Clearing is the overwriting of classified information such that the media may be reused; clearing media would not suffice for purging. Disinfecting is the process of removing malware from a file.

224. Regarding a patch management program, which of the following should be done before performing the patch remediation?

a. Test on a nonproduction system.

b. Check software for proper operation.

c. Conduct a full backup of the system.

d. Consider all implementation differences.

224. c. Before performing the remediation, the system administrator may want to conduct a full backup of the system to be patched. This allows for a timely system restoration to its previous state if the patch has an unintended or unexpected impact on the host. The other three choices are part of the patch remediation testing procedures.

225. Regarding a patch management program, an experienced administrator or security officer should perform which of the following?

a. Test file settings.

b. Test configuration settings.

c. Review patch logs.

d. Conduct exploit tests.

225. d. Conducting an exploit test means performing a penetration test to exploit the vulnerability. Only an experienced administrator or security officer should perform exploit tests because this involves launching actual attacks within a network or on a host. Generally, this type of testing should be performed only on nonproduction equipment and only for certain vulnerabilities. Only qualified staff who are thoroughly aware of the risk and who are fully trained should conduct the tests.

Testing file settings, testing configuration settings, and reviewing patch logs are routine tasks a less experienced administrator or security officer can perform.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 8.

The GRO Company will face an audit by a federal regulatory body in 30 days. The last update to its policies and procedures was made one year ago, after the previous audit. It has in place 50% of the controls described in the last audit, and 45% will be turned on before the auditors arrive. The remaining 5% of controls (audit trail software for computer operating systems) will break the financial systems if turned on for more than one hour.

1. Who initiates audit trails in computer systems?

a. Functional users

b. System auditors

c. System administrators

d. Security administrators

1. a. Functional users have the primary responsibility for initiating audit trails in their computer systems for tracing and accountability purposes. Systems and security administrators help in designing and developing these audit trails. System auditors review the adequacy and completeness of audit trails and issue an opinion on whether they are working effectively. Auditors do not initiate, design, or develop audit trails, because their professional standards require independence in both attitude and appearance.

2. An inexpensive security measure is which of the following?

a. Firewalls

b. Intrusion detection

c. Audit trails

d. Access controls

2. c. Audit trails provide one of the best and most inexpensive means of tracking possible hacker attacks, not only after an attack but also during it. One can learn what the attacker did to enter a computer system and what he did after entering it. Audit trails also detect unauthorized but abusive user activity. Firewalls, intrusion detection systems, and access controls are expensive when compared to audit trails.

3. What is an audit trail an example of?

a. Recovery control

b. Corrective control

c. Preventive control

d. Detective control

3. d. Audit trails show an attacker's actions after detection; hence, they are an example of detective controls. Recovery controls facilitate the recovery of lost or damaged files. Corrective controls fix a problem or an error. Preventive controls do not detect or correct an error; they simply stop it, if possible.

4. Which of the following statements is not true about audit trails from a computer security viewpoint?

a. There is interdependency between audit trails and security policy.

b. If a user is impersonated, the audit trail will establish events and the identity of the user.

c. Audit trails can assist in contingency planning.

d. Audit trails can be used to identify breakdowns in logical access controls.

4. b. Audit trails have several benefits. They are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, audit trails collect events and associate them with the perceived user (i.e., the user ID provided). If a user is impersonated, the audit trail establishes events but not the identity of the user.

It is true that there is interdependency between audit trails and security policy. Policy dictates who has authorized access to particular system resources. Therefore, it specifies, directly or indirectly, which violations of policy should be identified through audit trails.