83. Which of the following statements are correct about signs of an incident?
1. Not every attack can be detected through precursors.
2. Some attacks have no precursors.
3. Some attacks that generate precursors cannot always be detected.
4. There are always indicators with some attacks.
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 1, 2, 3, and 4
83. d. A precursor is a sign that an incident may occur in the future (future incident). An indicator is a sign that an incident may have occurred (past incident) or may be occurring now (present incident). It is true that not every attack can be detected through precursors. Some attacks have no precursors, whereas other attacks generate precursors that the organization fails to detect. If precursors are detected, the organization may have an opportunity to prevent the incident by altering the security posture through automated or manual means to save a target from attack. It is true that there are always some attacks with indicators.
84. Which of the following is not used as a primary source of precursors or indications?
a. Operating system logs
b. Services logs
c. Network device logs
d. Application logs
84. c. Logs from network devices such as firewalls and routers are not typically used as a primary source of precursors or indications. Network device logs provide little information about the nature of activity.
Frequently, operating system logs, services logs, and application logs provide great value when an incident occurs. These logs can provide a wealth of information, such as which accounts were accessed and what actions were performed.
85. Which of the following records the username used to attack?
a. Firewall logs
b. Network intrusion detection software logs
c. Host intrusion detection software logs
d. Application logs
85. d. Evidence of an incident may be captured in several logs. Each log may contain different types of data regarding the incident. An application log may contain a username used to attack and create a security incident. Logs in the other three choices do not contain a username.
86. Which of the following records information concerning whether an attack that was launched against a particular host was successful?
a. Firewall logs
b. Network intrusion detection software logs
c. Host intrusion detection software logs
d. Application logs
86. c. Evidence of an incident may be captured in several logs. Each log may contain different types of data regarding the incident. A host intrusion detection sensor may record information about whether an attack that was launched against a particular host was successful. Logs in the other three choices may also record host-related information but may not indicate whether the attack against the host was successful.
87. When applying computer forensics to redundant array of independent disks (RAID) disk imaging, acquiring a complete disk image is important proof as evidence in a court of law. This is mostly accomplished through which of the following?
a. Ensuring accuracy
b. Ensuring completeness
c. Ensuring transparency
d. Using a hash algorithm
87. d. In the field of computer forensics and during the redundant array of independent disks (RAID) disk imaging process, two of the most critical properties are obtaining a complete disk image and obtaining an accurate disk image. One of the main methods of ensuring either or both of these properties is to use a hash algorithm. A hash is a numerical code generated from a stream of data, considerably smaller than the actual data itself, and is referred to as a message digest. It is created by processing all of the data through a hashing algorithm, which generates a fixed-length output. Here, transparency means that the data is widely accessible to non-proprietary tools.
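As an added example that is not part of the original answer key, the following Python shows how a hash algorithm establishes the completeness and accuracy of an acquired image: the digest recorded at acquisition is recomputed over the copy, and any truncation or single-bit change yields a different digest. The image bytes are constructed inline so the example runs offline.

```python
import hashlib
import hmac

# Constructed sample "disk image": a deterministic byte string standing in
# for the raw image produced by an imaging tool (assumption: the image is
# a file; here it is built inline so the example runs offline).
SAMPLE_IMAGE = bytes(range(256)) * 64  # 16 KiB of deterministic bytes


def hash_image(data: bytes, algorithm: str = "sha256", chunk_size: int = 4096) -> str:
    """Return the hex message digest of image bytes, processed in chunks.

    Chunked processing mirrors how a real image (often far larger than RAM)
    is hashed: every byte passes through the algorithm, so the digest is a
    fixed-length fingerprint of the entire image regardless of chunk size.
    """
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_image(data: bytes, expected_digest: str, algorithm: str = "sha256") -> bool:
    """Recompute the digest and compare it to the one recorded at acquisition.

    compare_digest performs a constant-time comparison of the two hex strings.
    """
    return hmac.compare_digest(hash_image(data, algorithm), expected_digest)


def demo() -> dict:
    """Verify an intact copy, an incomplete copy, and an inaccurate copy."""
    acquired = hash_image(SAMPLE_IMAGE)  # digest recorded at acquisition time
    intact = verify_image(bytes(SAMPLE_IMAGE), acquired)  # complete and accurate
    truncated = verify_image(SAMPLE_IMAGE[:-1], acquired)  # incomplete: last byte missing
    corrupted = bytearray(SAMPLE_IMAGE)
    corrupted[100] ^= 0x01  # inaccurate: a single bit flipped
    altered = verify_image(bytes(corrupted), acquired)
    return {"intact": intact, "truncated": truncated, "altered": altered}


if __name__ == "__main__":
    print(demo())
```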
88. Computer security incidents should not be prioritized according to:
a. Current effect of the incident
b. Criticality of the affected resources
c. First-come, first-served basis
d. Future effect of the incident
88. c. Computer security incidents should not be handled or prioritized on a first-come, first-served basis due to resource limitations. Incident handlers should consider not only the current negative technical effect of the incident, but also the likely future technical effect of the incident if it is not immediately contained. The criticality of a resource (e.g., firewalls and Web servers) is based on the data it contains or services it provides to users. The other three choices are the factors to consider during incident prioritization.
89. Which of the following indications is not associated with a malicious action such as a worm that spreads through a vulnerable service infecting a host?
a. No links to outside sources
b. Increased network usage
c. Programs start slowly and run slowly
d. System instability and crashes
89. a. Having no links to outside sources is not an indication of a worm; it is a possible indication of a different malicious action, such as a user receiving a virus hoax message. The other three choices are examples of possible indications of a worm that spreads through a vulnerable service infecting a host.
90. Which of the following phases of a computer forensic process dealing with computer incidents most often uses a combination of automated tools and manual methods?
a. Collection
b. Examination
c. Analysis
d. Reporting
90. b. A computer forensic process dealing with computer incidents is composed of four phases: collection, examination, analysis, and reporting. The examination phase most often involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.
The collection phase is mostly automated in identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following guidelines, policies, and procedures. The analysis phase is manual in analyzing the results of the examination phase, using legally justifiable methods and techniques. The reporting phase is manual in reporting the results of the analysis phase, which may include describing the actions performed and explaining how tools and procedures were selected.
91. Computer software is properly protected by trade secrets in addition to copyright laws in which of the following countries or regions of the world?
a. Brazil
b. Mexico