1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 228
Выбрать главу

It is true that audit trails can assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).

It is true that audit trails can be used to identify breakdowns in logical access controls. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity by identifying breakdowns in logical access controls or verifying that access control restrictions are behaving as expected.

5. Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information?

a. By a known damage or occurrence

b. By a known user identification

c. By a known terminal identification

d. By a known application system name

5. a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. Audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.

6. Audit trail records contain vast amounts of data. Which of the following review methods is best to review all records associated with a particular user or application system?

a. Batch-mode analysis

b. Real-time audit analysis

c. Audit trail review after an event

d. Periodic review of audit trail data

6. b. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Audit analysis tools can be used in a real-time, or near real-time, fashion. A manual review of audit records in real time is not feasible on large multi-user systems due to the large volume of records generated. However, it might be possible to view all records associated with a particular user or application and view them in real time.

Batch-mode analysis is incorrect because it is a traditional method of analyzing audit trails. The audit trail data are reviewed periodically. Audit records are archived during that interval for later analysis. All these choices do not provide the convenience of displaying or reporting all records associated with a user or application.

7. An audit trail record should include sufficient information to trace a user’s actions and events. Which of the following information in the audit trail record can help determine if the user was a masquerader or the actual person specified?

a. The user identification associated with the event

b. The date and time associated with the event

c. The program used to initiate the event

d. The command used to initiate the event

7. b. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result. Date and timestamps can help determine if the user were a masquerader or the actual person specified.

8. Automated tools help in analyzing audit trail data. Which one of the following tools looks for anomalies in user or system behavior?

a. Trend analysis tools

b. Audit data-reduction tools

c. Attack signature-detection tools

d. Audit data-collection tools

8. a. Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Trend analysis and variance detection tools look for anomalies in user or system behavior.

Audit data-reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups. Attack signature-detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example is repeated failed log-in attempts. Audit data-collection tools simply gather data for analysis later.

Sources and References

“Creating a Patch and Vulnerability Management Program (NIST SP800-40V2),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2005.

“Engineering Principles for IT Security (NIST SP800-27 Revision A),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, June 2004.

“Guide to Malware Incident Prevention and Handling (NIST SP800-83),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2005.

“Guide to Storage Encryption Technologies for End User Devices (NIST SP800-111Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, August 2007.

“Guidelines for Media Sanitization (NIST SP800-88 Revision 1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, September 2006.

Walden, Bob. “Data Storage Management.” An NSS Group’s White Paper, 1991–2001.

Domain 8

Business Continuity and Disaster Recovery Planning

Traditional Questions, Answers, and Explanations

1. Which of the following information technology (IT) contingency solution for servers minimizes the recovery time window?

a. Electronic vaulting

b. Remote journaling

c. Load balancing

d. Disk replication

1. d. With disk replication, recovery windows are minimized because data is written to two different disks to ensure that two valid copies of the data are always available. The two disks are called the protected server (the main server) and the replicating server (the backup server). Electronic vaulting and remote journaling are similar technologies that provide additional data backup capabilities, with backups made to remote tape or disk drives over communication links. Load balancing increases server and application system availability.

2. Which of the following IT contingency solutions for servers provides high availability?

a. Network-attached storage

b. System backups

c. Redundant array of independent disks

d. Electronic vaulting

2. a. Virtualization network-attached storage (NAS) or storage-area network (SAN) provide high availability because it combines multiple physical storage devices into a logical, virtual storage device that can be centrally managed. System backups provide low availability. A redundant array of independent disks and electronic vaulting provide availability levels between high and low.

~ 228 ~