
c. Time each action occurred

d. What username was used to perform each action?

64. b. Event logs list all actions that were performed, the date and time each action occurred, and the result of each action. Event log entries might also include supporting information, such as what username was used to perform each action and what status code was returned. The returned status code provides more information on the result than a simple successful/failed status.

65. Spyware is often bundled with which of the following?

a. P2P file sharing client programs

b. Network service worms

c. Mass mailing worms

d. E-mail-borne viruses

65. a. Spyware is often bundled with software, such as certain peer-to-peer (P2P) file sharing client programs; when the user installs the supposedly benign P2P software, it then covertly installs spyware programs.

Network service worms are incorrect because they spread by exploiting a vulnerability in a network service associated with an operating system or an application. Mass mailing worms and e-mail-borne viruses are incorrect because mass mailing worms are similar to e-mail-borne viruses, with the primary difference being that mass mailing worms are self-contained instead of infecting an existing file as e-mail-borne viruses do. After a mass mailing worm has infected a system, it typically searches the system for e-mail addresses and then sends copies of itself to those addresses, using either the system's e-mail client or a self-contained mailer built into the worm itself.

66. Which of the following is not an example of security software logs?

a. Intrusion prevention system logs

b. Vulnerability management software logs

c. Network quarantine server logs

d. File sharing logs

66. d. File sharing logs are an example of application logs. The other three choices are examples of security software logs.

67. Which of the following logs are most beneficial for identifying suspicious activity involving a particular host?

a. Network-based security software logs

b. Host-based security software logs

c. Operating system logs

d. Application system logs

67. c. Operating system logs are most beneficial for identifying suspicious activity involving a particular host, or for providing more information on suspicious activity identified by another host. Operating system logs collect information on servers, workstations, and network connectivity devices (e.g., routers and switches) that could be useful in identifying suspicious activity involving a particular host.

The other three logs are not that beneficial when compared to the operating system logs. Both network-based and host-based security software logs contain basic security-related information such as user access profiles and access rights and permissions. Application system logs include e-mail logs, Web server logs, and file-sharing logs.

68. The chain of custody does not ask which of the following questions?

a. Who damaged the evidence?

b. Who collected the evidence?

c. Who stored the evidence?

d. Who controlled the evidence?

68. a. The chain of custody deals with who collected, stored, and controlled the evidence and does not ask who damaged the evidence. It looks at the positive side of the evidence. If the evidence is damaged, there is nothing to show in court.

69. Software site licenses are best suited for:

a. Unique purchases

b. Fixed price license

c. Single purchase units

d. Small lots of software

69. b. Software site licenses are best suited for moderate to large software requirements where fixed price license or volume discounts can be expected. Discounts provide an obvious advantage. By obtaining discounts, an organization not only acquires more software for its investment but also improves its software management. Factors that expand the requirements past normal distribution/package practices are also prime candidates for site licenses. Examples of such factors are software and documentation copying and distribution, conversion, and training. Site licenses are not appropriate for software deployed in a unique situation, single purchase units, or small lots of software.

70. Which of the following statements about Cyberlaw is not true?

a. A person copying hypertext links from one website to another is liable for copyright infringement.

b. An act of copying of graphical elements from sites around the Web and copying them into a new page is illegal.

c. The icons are protected under copyright law.

d. There are no implications in using the Internet as a computer software distribution channel.

70. d. The Cyberlaw precludes commercial rental or loan of computer software without authorization of the copyright owner. It is true that a person constructing an Internet site needs to obtain permission to include a link to another’s home page or site. There may be copyrightable expressions in the structure, sequence, and organization of those links. A person copying those links into another website could well be liable for copyright infringement. Although it is quite easy to copy graphics from sites around the Web and copy them into a new page, it is also clear that in most cases such copying constitutes copyright infringement. Icons are part of graphics and are protected by copyright laws.

71. Which of the following is a primary source for forensic identification of infected hosts?

a. Spyware detection and removal utility software

b. Network device logs

c. Sinkhole routers

d. Network forensic tools

71. a. Spyware detection and removal utility software is a primary source along with antivirus software, content filtering, and host-based IPS software.

Network device logs, sinkhole routers, and network forensic tools are incorrect because they are examples of secondary sources. Network device logs show specific port number combinations and unusual protocols. A sinkhole router is a router within an organization that receives all traffic that has an unknown route (e.g., destination IP addresses on an unused subnet). A sinkhole router is usually configured to send information about received traffic to a log server and an IDS; a packet sniffer is also used sometimes to record the suspicious activity. Network forensic tools include packet sniffers and protocol analyzers.

72. Which of the following is not an example of security software logs?

a. Intrusion detection system logs

b. Authentication server logs

c. E-mail server logs

d. Honeypot logs

72. c. E-mail logs are an example of application logs. The other three logs are examples of security software logs.

73. Logs can be useful for which of the following reasons?