
c. Western Europe

d. Argentina

91. c. Computer software is properly protected by trade secrets in addition to copyright in European Community member nations. Brazil has no specific laws, and Argentina may have some specific trade secret protection laws. Mexico has laws protecting industrial secrets, but not trade secrets in computer software.

92. Which of the following logs have a secondary usage in analyzing logs for fraud?

a. Antimalware software logs

b. Intrusion detection system logs

c. Intrusion prevention system logs

d. File sharing logs

92. d. File sharing logs, such as file transfer protocol (FTP) server logs, are only a secondary source for fraud analysis: the FTP service itself is a frequent target of attacks, so its logs are not a primary source for analyzing fraud. The other three log types are primarily useful in analyzing fraud.

93. Data diddling can be prevented by all the following except:

a. Access controls

b. Program change controls

c. Rapid correction of data

d. Integrity checking

93. c. Data diddling (the unauthorized alteration of data before or during its entry into or processing by a system) can be prevented by limiting access to data and programs and by limiting the methods used to modify them, that is, access controls, program change controls, and integrity checking. Rapid detection, not rapid correction, is what is needed, and the sooner the better, because correcting diddled data after the fact is expensive.
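The integrity-checking control named in the explanation above, as an added worked example that is not from the book: each record carries a keyed HMAC computed only by the authorized update program, so a field changed outside that path (data diddling) fails verification on the next scheduled check, and a table-level tag catches a whole row being removed or inserted. The key bytes, the payroll records, and the `seal`, `verify`, `diddle` and `authorized_update` function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Assumption for the example: in production the key lives in a KMS/HSM and is
# available only to the authorized update program, never to ordinary data users.
INTEGRITY_KEY = b"example-only-key-do-not-reuse"

# Constructed sample records, the kind of data that data diddling targets.
PAYROLL = [
    {"id": 1001, "employee": "A. Lee", "rate": 31.50},
    {"id": 1002, "employee": "B. Ortiz", "rate": 28.00},
    {"id": 1003, "employee": "C. Ng", "rate": 40.25},
]


def canonical(record: dict) -> bytes:
    """Canonical JSON so that reordering fields does not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def table_tag(sealed: list, key: bytes = INTEGRITY_KEY) -> str:
    """Tag over all record tags in id order, so that deleting or inserting a
    whole row (not just editing one field) is also detected."""
    joined = "\n".join(e["tag"] for e in sorted(sealed, key=lambda e: e["data"]["id"]))
    return hmac.new(key, joined.encode(), hashlib.sha256).hexdigest()


def seal(records: list, key: bytes = INTEGRITY_KEY) -> dict:
    """Authorized path: store records together with their tags."""
    sealed = [{"data": dict(r), "tag": record_tag(r, key)} for r in records]
    return {"rows": sealed, "table_tag": table_tag(sealed, key)}


def verify(store: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Integrity check run on a schedule (rapid detection). Returns the ids of
    rows whose contents no longer match their tag, and whether the row set is intact."""
    bad_rows = [e["data"]["id"] for e in store["rows"]
                if not hmac.compare_digest(record_tag(e["data"], key), e["tag"])]
    rows_intact = hmac.compare_digest(table_tag(store["rows"], key), store["table_tag"])
    return {"tampered_ids": bad_rows, "rows_intact": rows_intact}


def diddle(store: dict, rec_id: int, field: str, value) -> None:
    """Simulates data diddling: a direct edit of stored data that bypasses the
    authorized update program and therefore cannot recompute the HMAC."""
    for e in store["rows"]:
        if e["data"]["id"] == rec_id:
            e["data"][field] = value


def authorized_update(store: dict, rec_id: int, field: str, value,
                      key: bytes = INTEGRITY_KEY) -> None:
    """Controlled change path (access control plus program change control): the
    update program holds the key and re-seals what it changes."""
    for e in store["rows"]:
        if e["data"]["id"] == rec_id:
            e["data"][field] = value
            e["tag"] = record_tag(e["data"], key)
    store["table_tag"] = table_tag(store["rows"], key)


def demo() -> dict:
    store = seal(PAYROLL)
    clean = verify(store)                    # nothing changed yet
    diddle(store, 1002, "rate", 280.00)      # a "slipped" decimal point
    after_diddle = verify(store)             # row 1002 no longer matches its tag
    authorized_update(store, 1002, "rate", 28.00)
    after_fix = verify(store)                # re-sealed through the controlled path
    del store["rows"][0]                     # an entire row removed
    after_delete = verify(store)             # per-row tags fine, table tag fails
    return {"clean": clean, "after_diddle": after_diddle,
            "after_fix": after_fix, "after_delete": after_delete}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the direct edit is not prevented by the HMAC; what the control buys is that every unauthorized change is detectable on the next verification run, which is the rapid detection the explanation calls for, and the attacker cannot forge a matching tag without the key.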

94. From a malicious code protection mechanism viewpoint, which of the following is most risky?

a. Electronic mail

b. Removable media

c. Electronic mail attachments

d. Web accesses

94. b. Malicious code includes viruses, Trojan horses, worms, and spyware. Malicious code protection mechanisms are needed at system entry and exit points, workstations, servers, and mobile computing devices on the network. Malicious code can be transported by electronic mail, e-mail attachments, Web accesses, and removable media (e.g., USB devices, flash drives, and compact disks). Because of their flexibility and mobility, removable media can carry malicious code from one system to another, including systems that are not connected to the network; therefore they are the most risky. Note that the risk from removable media depends on how it is used and by whom. The other three choices are less risky.

95. Regarding signs of an incident, which of the following is not an example of indications?

a. The Web server crashes.

b. A threat from a hacktivist group stating that the group will attack the organization.

c. Users complain of slow access to hosts on the Internet.

d. The system administrator sees a filename with unusual characters.

95. b. "A threat from a hacktivist group stating that the group will attack the organization" is an example of a precursor, a sign that an incident may occur in the future. The other three choices are examples of indications, signs that an incident may have occurred or may be occurring now.

96. Regarding log management data analysis, security event management (SEM) software does not do which of the following?

a. Generate original event data.

b. Identify malicious activity.

c. Detect misuse of systems and networks.

d. Detect inappropriate usage of systems and networks.

96. a. Security event management (SEM) software is capable of importing security event information from various network traffic-related security event data sources (e.g., IDS logs and firewall logs) and correlating events among the sources. It generally works by receiving copies of logs from various data sources over secure channels, normalizing the logs into a standard format, and then identifying related events by matching IP addresses, timestamps, and other characteristics. SEM products usually do not generate original event data; instead, they generate meta-events based on imported event data. Many SEM products not only can identify malicious activity, such as attacks and virus infections; they can also detect misuse and inappropriate usage of systems and networks. SEM software can be helpful in making many sources of network traffic information accessible through a single interface.

97. As incident handlers become more familiar with the log entries and security alerts, which of the following are more important to investigate?

1. Usual entries with minor risk

2. Unusual entries

3. Unexplained entries

4. Abnormal entries

a. 1 and 2

b. 2 and 3

c. 2, 3, and 4

d. 1, 2, 3, and 4

97. c. Incident handlers should review log entries and security alerts to gain a solid understanding of normal behavior or characteristics of networks, systems, and applications so that abnormal behavior can be recognized more easily. Incident handlers should focus more on major risks such as unusual entries, unexplained entries, and abnormal entries, which are generally more important to analyze and investigate than usual entries with minor risk. This follows the principle of management by exception, which focuses on major risks because management time is limited.
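The SEM pipeline described in the answer to question 96 (receive logs from several sources, normalize them to one format, correlate on IP addresses and timestamps into meta-events) and the management-by-exception review in question 97 (unusual and unexplained entries first), as one added worked example in Python. This is illustrative code written for this page, not any product's code; the two log formats, the sample lines, the 60-second correlation window, the baseline counts, and the year supplied for the syslog timestamps are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample entries (not real captures). The firewall writes ISO
# timestamps; the IDS writes syslog-style timestamps without a year, so the
# year below is an assumption the normalizer has to supply.
SYSLOG_YEAR = 2024
FIREWALL_LOGS = [
    "2024-03-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22",
    "2024-03-01T10:00:06Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23",
    "2024-03-01T10:00:07Z fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=80",
    "2024-03-01T10:05:00Z fw01 ALLOW src=192.0.2.44 dst=198.51.100.10 dport=443",
]
IDS_LOGS = [
    "Mar  1 10:00:09 ids01 snort[1234]: [1:1000001:1] WEB-ATTACK traversal attempt "
    "203.0.113.7 -> 198.51.100.10:80",
]
# Constructed baseline: how often each normalized event type appeared during a
# review period the incident handlers have already examined and understood.
BASELINE = Counter({"firewall.allow": 5000, "firewall.deny": 120})

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"snort\[\d+\]: \[[\d:]+\] (?P<sig>.+?) (?P<src>\S+) -> "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+)$")


def normalize_firewall(line: str) -> Optional[dict]:
    """Firewall line -> common schema (ts, source, src, dst, dport, event)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "event": "firewall." + m["action"].lower()}


def normalize_ids(line: str) -> Optional[dict]:
    """IDS alert line -> the same common schema."""
    m = IDS_RE.match(line)
    if not m:
        return None
    stamp = f"{SYSLOG_YEAR} " + " ".join(m["ts"].split())   # collapse syslog's day padding
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "ids", "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "event": "ids.alert:" + m["sig"]}


def ingest() -> list:
    """Copies of both logs, normalized; unparseable lines are dropped."""
    events = [normalize_firewall(line) for line in FIREWALL_LOGS]
    events += [normalize_ids(line) for line in IDS_LOGS]
    return [e for e in events if e is not None]


def correlate(events: list, window: timedelta = timedelta(seconds=60)) -> list:
    """Emit a meta-event when two or more different data sources report the
    same source IP within `window`. Nothing produced here is original event data."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    meta = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = []
        for e in evs + [None]:                       # None flushes the last cluster
            if e is not None and (not cluster or e["ts"] - cluster[0]["ts"] <= window):
                cluster.append(e)
                continue
            sources = sorted({c["source"] for c in cluster})
            if len(sources) >= 2:
                meta.append({"src": src, "first": cluster[0]["ts"], "last": cluster[-1]["ts"],
                             "sources": sources, "events": [c["event"] for c in cluster]})
            cluster = [e] if e is not None else []
    return meta


def triage(events: list, baseline: Counter = BASELINE) -> list:
    """Management by exception: event types never seen in the baseline come
    first (unusual/unexplained); routine entries follow, oldest first."""
    return sorted(events, key=lambda e: (baseline[e["event"]] > 0, e["ts"]))


def unusual(events: list, baseline: Counter = BASELINE) -> list:
    return [e for e in events if baseline[e["event"]] == 0]


if __name__ == "__main__":
    evs = ingest()
    for m in correlate(evs):
        print("META", m["src"], m["sources"], m["events"])
    for e in triage(evs):
        print("UNUSUAL" if BASELINE[e["event"]] == 0 else "routine", e["ts"], e["event"])
```

The single meta-event ties three firewall denies and an IDS alert from the same address into one record to investigate, while the lone allowed connection from 192.0.2.44 never becomes one; the triage step then puts the IDS alert, which the baseline has never seen, ahead of the routine firewall entries.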

98. Information regarding an incident can be recorded in which of the following places?

1. Firewall log

2. Network IDS logs

3. Host IDS logs

4. Application logs

a. 1 only

b. 2 and 3

c. 4 only

d. 1, 2, 3, and 4

98. d. Information regarding an incident can be recorded in several places such as firewall, router, network intrusion detection system (IDS), host IDS, and application logs. However, they all record different information at different times.

99. Which of the following is not an effective way of managing malicious code protection mechanisms?

a. Automatic updating of signature definitions

b. Preventing nonprivileged users from circumventing controls

c. Managing malicious code protection mechanisms locally or in a decentralized environment

d. Testing with a known benign, nonspreading test case

99. c. An organization must centrally manage the malicious code protection mechanisms, similar to managing the flaw remediation process. This includes centrally managing the content of audit records generated, employing integrity verification tools, managing spam protection mechanisms, and installing software updates automatically. This is because malicious code protection mechanisms are installed at many system entry and exit points, workstations, servers, and mobile computing devices on the network. A decentralized management approach cannot work efficiently and effectively considering the various system entry and exit points. The other three choices are effective.

100. Which of the following is effective at stopping malware infections that exploit vulnerabilities or insecure settings?

a. Host hardening and patching measures