1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 251
Выбрать главу

1. To establish baselines

2. To perform forensic analysis

3. To support internal investigations

4. To identify operational trends

a. 1 only

b. 3 only

c. 4 only

d. 1, 2, 3, and 4

73. d. Logs can be useful for establishing baselines, performing auditing and forensic analysis, supporting investigations, and identifying operational trends and long-term problems.

74. Network time protocol (NTP) servers are used to keep log sources’ clocks consistent with each other in which of the following log-management infrastructure functions?

a. Log filtering

b. Log aggregation

c. Log normalization

d. Log correlation

74. c. In normalization, log data values are converted to a standardized format and labeled consistently. One of the most common uses of normalization is storing dates and times in a single format. Organizations should use time synchronization technologies such as network time protocol (NTP) servers to keep log sources’ clocks consistent with each other. The other three choices do not deal with NTP servers.

75. Regarding log management infrastructure functions, which of the following is performed in support of incident handling or investigations?

a. Log clearing

b. Log retention

c. Log preservation

d. Log reduction

75. c. Log preservation is performed in support of incident handling or investigations because logs contain records of activity of particular interest.

The other three choices do not support incident handling. Log retention and log preservation are part of the log archival. Log clearing is removing all entries from a log that precede a certain date and time. Log reduction is removing unneeded entries or data fields from a log to create a new log that is similar.

76. Which of the following is most recommended to ensure log file integrity?

a. Message digest 5 (MD5)

b. Secure hash algorithm 1 (SHA-1)

c. User datagram protocol (UDP)

d. Transmission control protocol (TCP)

76. b. Although both MD5 and SHA-1 are commonly used message digest algorithms, SHA-1 is stronger and better than MD5. Hence, SHA-1 is mostly recommended for ensuring log file integrity. UDP is a connectionless and unreliable protocol used to transfer logs between hosts. TCP is a connection-oriented protocol that attempts to ensure reliable delivery of information across networks.

77. Regarding log management infrastructure, which of the following characterizes the security event management software?

1. Single standard data format

2. Proprietary data formats

3. High resource-intensive for hosts

4. Low resource-intensive for hosts

a. 1 and 3

b. 1 and 4

c. 2 and 3

d. 2 and 4

77. c. Unlike syslog-based centralized logging software, which is based on a single standard, security event management (SEM) software primarily uses proprietary data formats. Although SEM software typically offers more robust and broad log management capabilities than syslog, SEM software is usually much more complicated and expensive to deploy than a centralized syslog implementation. Also, SEM software is often more resource-intensive for individual hosts than syslog because of the processing that agents perform.

78. Which of the following network operational environment is the easiest in which to perform log management functions?

a. Standalone

b. Enterprise

c. Custom

d. Legacy

78. b. Of all the network operational environments, the enterprise (managed) environment is typically the easiest in which to perform log management functions and usually does not necessitate special consideration in log policy development. This is because system administrators have centralized control over various settings on workstations and servers and have a formal structure.

The other three choices require special considerations and hence difficult to perform log management functions. For example, the standalone (small office/home office) environment has an informal structure, the custom environment deals with specialized security-limited functionality, and the legacy environment deals with older systems, which could be less secure.

79. Which of the following are major factors to consider when designing the system-level log management processes?

1. Online and offline data storage

2. Security needs for the data

3. Initiating responses to identified events

4. Managing long-term data storage

a. 1 and 2

b. 1 and 4

c. 2 and 3

d. 3 and 4

79. d. The major system-level processes for log management are configuring log sources, providing ongoing operational support, performing log analysis, initiating responses to identified events, and managing long-term data storage. Online and offline data storage and security needs for the data deal with organizational-level log management processes.

80. Which of the following is an example of deploying malicious code protection at the application server level?

a. Workstation operating systems

b. Web proxies

c. E-mail clients

d. Instant messaging clients

80. b. Malicious code protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., e-mail server and Web proxies), and the application client level (e.g., e-mail clients and instant messaging clients).

81. Regarding signs of an incident, which of the following characterizes an indicator?

1. Future incident

2. Past incident

3. Present incident

4. All incidents

a. 2 only

b. 1 and 2

c. 2 and 3

d. 1, 2, 3, and 4

81. c. Signs of an incident fall into one of two categories: precursors and indications. An indicator is a sign that an incident may have occurred (past incident) or may be occurring now (present incident). A precursor is a sign that an incident may occur in the future (future incident). An indicator is not based on future incidents or not based on all incidents.

82. Regarding signs of an incident, which of the following is not an example of indicators?

a. The antivirus software alerts when it detects that a host is infected with a worm.

b. The user calls the help desk to report a threatening e-mail message.

c. Web server log entries that show the usage of a Web vulnerability scanner.

d. The host records an auditing configuration change in its log.

82. c. “Web server log entries that show the usage of a Web vulnerability scanner” is an example of precursor because it deals with a future incident. The other three choices are examples of indications dealing with the past and present incidents.

~ 251 ~