c. 3 and 4
d. 1, 2, 3, and 4
23. a. Most organizations use several types of network-based and host-based security software to detect malicious activity and protect systems and data from damage. Accordingly, security software is the primary source of computer security log data for most organizations.
24. Which of the following logs record significant operational actions?
a. Network-based security software logs
b. Host-based security software logs
c. Operating system logs
d. Application system logs
24. d. Many applications record significant operational actions, such as application startup and shutdown, application failures, and major configuration changes. The other three log types do not record these operational actions.
25. Which of the following is not an example of security software logs?
a. Packet filter logs
b. Web server logs
c. Firewall logs
d. Antimalware software logs
25. b. Web server logs are an example of application logs. The other three logs are examples of security software logs.
26. Which of the following logs is primarily useful in analyzing attacks against desktops or workstations?
a. Antimalware software logs
b. Packet filter logs
c. Firewall logs
d. Authentication server logs
26. a. Antimalware software logs typically contain more accurate data than the operating system logs of desktops and workstations, so they are the primary source for analyzing attacks against those systems. The other three log types are only a secondary source for this purpose.
27. Which of the following provides a secondary source in analyzing inappropriate usage?
a. Authentication server logs
b. E-mail server logs
c. Web server logs
d. File sharing logs
27. a. Authentication server logs are a type of security software log, whereas the other three are examples of application logs. Application logs are highly detailed and reflect every user request and response, which makes them the primary source for analyzing inappropriate usage. Authentication servers typically log each authentication attempt, including its origin, success or failure, and date and time, but not what the user did after authenticating. Because application logs capture far more detail about user activity, they are the primary source and authentication server logs are the secondary source.
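The primary/secondary split in question 27 can be shown with a short analysis. The following is an added example, not part of the original page: constructed web server (application) log lines are searched for a policy violation, and the constructed authentication server log lines are then used only to enrich the finding with the origin and success/failure of the preceding authentication attempts. The access-control policy (only the assumed HR group may read paths under /hr/) and both log formats are assumptions made for the example.

```python
"""Added example: application logs as the primary source for inappropriate-usage
analysis, authentication server logs as the secondary source. All log lines are
constructed for this example; the policy and group below are assumptions."""
import re
from datetime import datetime

# Constructed web server access log (application log, primary source).
WEB_LOG = """\
10.0.0.5 - alice [12/Mar/2024:09:01:10 +0000] "GET /hr/salaries.xlsx HTTP/1.1" 200 48213
10.0.0.5 - alice [12/Mar/2024:09:01:15 +0000] "GET /hr/bonus_plan.pdf HTTP/1.1" 200 9120
10.0.0.7 - bob [12/Mar/2024:09:02:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - alice [12/Mar/2024:09:02:40 +0000] "GET /hr/terminations.docx HTTP/1.1" 200 7732
"""

# Constructed authentication server log (security software log, secondary source):
# origin, user, result and time of each attempt, nothing about later activity.
AUTH_LOG = """\
2024-03-12T08:59:58Z auth src=10.0.0.5 user=alice result=FAIL
2024-03-12T09:00:05Z auth src=10.0.0.5 user=alice result=SUCCESS
2024-03-12T09:00:30Z auth src=10.0.0.7 user=bob result=SUCCESS
"""

WEB_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

RESTRICTED_PREFIX = "/hr/"     # assumed policy: only the HR group may read /hr/
HR_GROUP = {"hr_admin"}        # assumed group membership for the example


def parse_web(text):
    """Parse common-log-format lines into dicts with an aware datetime."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(d)
    return events


def parse_auth(text):
    """Parse the constructed authentication server format."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
            events.append(d)
    return events


def find_inappropriate_usage(web_text=WEB_LOG, auth_text=AUTH_LOG):
    """Primary source: successful reads of restricted paths by non-HR users.
    Secondary source: the authentication context that preceded the first read."""
    findings = {}
    for e in parse_web(web_text):
        if (e["path"].startswith(RESTRICTED_PREFIX)
                and e["user"] not in HR_GROUP and e["status"] == "200"):
            f = findings.setdefault(e["user"], {"paths": [], "first": e["ts"]})
            f["paths"].append(e["path"])
            f["first"] = min(f["first"], e["ts"])

    auth = parse_auth(auth_text)
    for user, f in findings.items():
        prior = [a for a in auth if a["user"] == user and a["ts"] <= f["first"]]
        f["auth_context"] = {
            "failed_attempts": sum(1 for a in prior if a["result"] == "FAIL"),
            "last_success_src": next(
                (a["src"] for a in reversed(prior) if a["result"] == "SUCCESS"), None),
        }
    return findings


if __name__ == "__main__":
    for user, f in find_inappropriate_usage().items():
        print(user, f["paths"], f["auth_context"])
```

The violation itself is only visible in the application log; the authentication log adds where the session came from and whether it was preceded by failures, which is exactly the secondary role the answer describes.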
28. All the following can make log generation and storage challenging except:
a. Distributed nature of logs
b. Log management utility software
c. Inconsistent log formats
d. Volume of logs
28. b. The distributed nature of logs, inconsistent log formats, and the volume of logs all make log generation and storage challenging. For example, inconsistent log formats complicate the work of the people reviewing the logs; a single standard format is preferred. Log management utility software can fail or mishandle log data, for instance when an attacker supplies binary data as input to a program that expects text, but that is a weakness of a particular tool rather than a property of the logs themselves, and it is not as challenging as the other three choices.
29. Which of the following solutions to overcome log management challenges address both peak and expected volumes of log data?
a. Prioritize log management function.
b. Establish policies and procedures for log management.
c. Maintain a secure log management infrastructure.
d. Provide training for all staff with log management responsibilities.
29. c. It is critical to create and maintain a secure log management infrastructure robust enough to handle not only expected volumes of log data but also peak volumes during extreme situations, such as a widespread malware incident, penetration testing, or vulnerability scanning. The other three choices do not address expected and peak volumes of log data.
30. Which of the following are the major reasons for reduced volume of logs?
1. Log analysis is a low-priority task.
2. Logs are analyzed in a batch mode.
3. Log analysis is treated as reactive.
4. Log analysis is not cost-effective.
a. 1 and 2
b. 2 and 3
c. 1, 2, and 3
d. 1, 2, 3, and 4
30. d. Log analysis has often been treated as a low-priority task by system administrators, security administrators, and management alike. Administrators often receive no training on doing it efficiently and effectively, and they consider the work boring and of little benefit for the amount of time it requires. Log analysis is often treated as reactive rather than proactive, and most logs have been analyzed in batch mode rather than in real time or near real time.
31. Which of the following Organization for Economic Co-operation and Development (OECD) principles states that information systems and the requirements for their security change over time?
a. Proportionality
b. Integration
c. Reassessment
d. Timeliness
31. c. The OECD reassessment principle states that the security of information systems should be reassessed periodically, because information systems and the requirements for their security change over time.
32. Routine log analysis is beneficial for which of the following reasons?
1. Identifying security incidents
2. Identifying policy violations
3. Identifying fraudulent activities
4. Identifying operational problems
a. 1 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4
32. d. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activities, and operational problems.
33. Which of the following is not one of the log management infrastructure tiers?
a. Log generation
b. Decentralized log storage
c. Centralized log consolidation and storage
d. Centralized log monitoring
33. b. A log management infrastructure typically comprises three tiers: log generation, centralized log consolidation and storage, and centralized log monitoring. Decentralized log storage is not one of the three tiers; logs stored locally on the generating hosts are eventually transferred to the centralized log consolidation and storage tier.
34. Regarding log management infrastructure functions, log viewers provide which of the following capabilities?
1. Log filtering
2. Log aggregation
3. Log normalization
4. Log correlation
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
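The four capabilities listed in question 34, together with the inconsistent-format and binary-input problems raised in the answer to question 28, fit naturally into one small pipeline. The following is an added example, not part of the original page: constructed log lines in three inconsistent formats (a syslog-style firewall line, a CSV packet-filter line, and a JSON authentication server line) plus one line of raw binary are normalized into a single record schema, and the normalized events are then filtered, aggregated, and correlated. The formats, the field names, the action vocabulary, and the 60-second correlation window are assumptions made for the example.

```python
"""Added example: normalizing inconsistent log formats into one schema without
crashing on binary input, then filtering, aggregating and correlating the result.
All log lines are constructed; formats and field names are assumptions."""
import csv
import json
import re
from collections import Counter
from datetime import datetime

# Constructed input. The fourth line is arbitrary binary of the kind that breaks
# a text-only parser; a robust tool quarantines it instead of failing.
RAW_LINES = [
    b"2024-03-12T10:00:01Z fw1 DENY src=203.0.113.9 dst=10.0.0.20 dport=22",
    b"2024-03-12T10:00:02Z,pf,DROP,203.0.113.9,10.0.0.21,22",
    b'{"ts":"2024-03-12T10:00:04Z","host":"authsrv","user":"root",'
    b'"src":"203.0.113.9","result":"FAIL"}',
    b"\x00\xff\xfe\x12garbage\x80\x81",
    b"2024-03-12T10:00:05Z fw1 DENY src=203.0.113.9 dst=10.0.0.22 dport=22",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\w+) (?P<kv>.*)$")
# Normalization maps each product's action names onto one shared vocabulary.
ACTION_MAP = {"DENY": "block", "DROP": "block", "FAIL": "auth_fail", "SUCCESS": "auth_ok"}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(raw):
    """Return a record in the common schema, or a 'malformed' record for input
    that is binary or otherwise unparseable. Never raises on bad input."""
    malformed = {"ts": None, "source": None, "action": "malformed",
                 "src": None, "dst": None, "raw": raw.hex()}
    try:
        line = raw.decode("utf-8").strip()
    except UnicodeDecodeError:
        return malformed
    try:
        if line.startswith("{"):                      # JSON authentication server line
            j = json.loads(line)
            return {"ts": _ts(j["ts"]), "source": j["host"], "action": ACTION_MAP[j["result"]],
                    "src": j["src"], "dst": None, "raw": line}
        if line.count(",") >= 5:                      # CSV packet filter line
            ts, host, action, src, dst, _dport = next(csv.reader([line]))
            return {"ts": _ts(ts), "source": host, "action": ACTION_MAP[action],
                    "src": src, "dst": dst, "raw": line}
        m = SYSLOG_RE.match(line)                     # syslog-style key=value firewall line
        if m:
            kv = dict(p.split("=", 1) for p in m["kv"].split())
            return {"ts": _ts(m["ts"]), "source": m["host"], "action": ACTION_MAP[m["action"]],
                    "src": kv.get("src"), "dst": kv.get("dst"), "raw": line}
    except (KeyError, ValueError):
        pass
    return malformed


def filter_events(events, action):
    """Filtering: keep only events of one normalized action."""
    return [e for e in events if e["action"] == action]


def aggregate_by_source(events):
    """Aggregation: collapse repeated events into (action, src) counts."""
    return Counter((e["action"], e["src"]) for e in events if e["action"] != "malformed")


def correlate(events, window_seconds=60):
    """Correlation: sources that were blocked at the perimeter and also failed
    authentication within the window, i.e. activity seen by two different logs."""
    blocks = filter_events(events, "block")
    hits = set()
    for f in filter_events(events, "auth_fail"):
        for b in blocks:
            if b["src"] == f["src"] and abs((f["ts"] - b["ts"]).total_seconds()) <= window_seconds:
                hits.add(f["src"])
    return hits


def run(raw_lines=RAW_LINES):
    events = [normalize(line) for line in raw_lines]
    return {"events": events,
            "blocked": filter_events(events, "block"),
            "malformed": filter_events(events, "malformed"),
            "counts": aggregate_by_source(events),
            "suspicious": correlate(events)}


if __name__ == "__main__":
    result = run()
    print(result["counts"])
    print("suspicious sources:", result["suspicious"])
    print("quarantined:", [e["raw"] for e in result["malformed"]])
```

The order matters: filtering, aggregation, and correlation all operate on the normalized records, so a line that cannot be normalized is quarantined as its own record rather than silently dropped or allowed to abort the run, which is the failure mode the answer to question 28 warns about.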