c. Unauthorized access
d. Inappropriate usage
109. a. A denial of service (DoS) attack prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. An attacker can send specially crafted packets to a Web server.
Malicious code includes a virus, worm, Trojan horse, or other code-based malicious entity that infects a host. Unauthorized access is where a person gains logical or physical access without permission to a network, operating system, application system, data, or device. Inappropriate usage occurs when a person violates acceptable computing use policies.
110. Initial analysis revealed that an employee is the apparent target of or is suspected of causing a computer security incident in a company. Which of the following should be notified first?
a. Legal department
b. Human resources department
c. Public affairs department
d. Information security department
110. b. When an employee is the apparent target of or is suspected of causing a computer security incident in a company, the human resources department should be notified first because it can assist with disciplinary actions or employee counseling depending on the nature and extent of the incident. Note that incidents can be accidental/intentional, small/large, or minor/major, and each has its own set of disciplinary actions and proceedings based on due process.
The other three choices are incorrect because these departments are not the ones that should be notified first, even though they are involved later. The role of the legal department is to review incident response plans, policies, and procedures to ensure their compliance with laws and regulations. The legal department comes into play when an incident has legal ramifications, including evidence collection, prosecution of a suspect, or potential for a lawsuit. The role of the public affairs department is to inform the media and the law enforcement authorities depending on the nature and impact of an incident. The role of the information security department is to conduct the initial analysis of incidents and later to contain an incident by altering network security controls (such as firewall rulesets).
111. Which of the following solutions to overcome log management challenges addresses periodic audits and testing and validation?
a. Prioritize log management function.
b. Establish policies and procedures for log management.
c. Maintain a secure log management infrastructure.
d. Provide training for all staff with log management responsibilities.
111. b. Periodic audits are one way to confirm that logging standards and guidelines are being followed throughout the organization. Testing and validation can further ensure that the policies and procedures in the log management process are being performed properly. The other three choices do not address the periodic audits, testing, and validation.
112. A well-defined incident response capability helps the organization in which of the following ways?
1. Detect incidents rapidly.
2. Minimize loss and destruction.
3. Identify weaknesses.
4. Restore IT operations rapidly.
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
112. d. A well-defined incident response capability helps the organization to detect incidents rapidly, minimize loss and destruction, identify weaknesses, and restore IT operations rapidly. Proper execution of the incident response plan is important.
113. Regarding incident containment, which one of the following items makes the other items much easier to accomplish?
a. Strategies and procedures
b. Shutting down a system
c. Disconnecting a system from the network
d. Disabling certain system functions
113. a. An essential part of incident containment is decision making, such as shutting down a system, disconnecting it from the network, or disabling certain system functions. Such decisions are much easier to make if strategies and procedures for containing the incident have been predetermined.
114. Which of the following statements is not true about computer security incidents?
a. After a resource is successfully attacked, it is not attacked again.
b. After a resource is successfully attacked, other resources within an organization are attacked in a similar manner.
c. After an incident has been contained, it is necessary to delete malicious code.
d. After an incident has been contained, it is necessary to disable breached user accounts.
114. a. After a resource is successfully attacked, it is often attacked again or other resources within the organization are attacked in a similar manner. After an incident has been contained, eradication may be necessary to eliminate components of the incident, such as deleting malicious code and disabling breached user accounts.
115. A reliable way to detect superzapping of work is by:
a. Comparing current data files with previous data files
b. Examining computer usage logs
c. Noting discrepancies by those who receive reports
d. Reviewing undocumented transactions
115. a. Superzapping, which is an IBM utility program, leaves no evidence of file changes, and the only reliable way to detect this activity is by comparing current data files with previous generations of the same file. Computer usage logs may not capture superzapping activity. Users may not detect changes in their reports. It is difficult to find, let alone review, the undocumented transactions. Even if these transactions are found, there is no assurance that the task is complete.
116. With respect to computer security, a legal liability exists to an organization under which of the following conditions?
a. When estimated security costs are greater than estimated losses.
b. When estimated security costs are equal to estimated losses.
c. When estimated security costs are less than estimated losses.
d. When actual security costs are equal to actual losses.
116. c. Courts do not expect organizations to spend more money than losses resulting from a security flaw, threat, risk, or vulnerability. Implementing countermeasures and safeguards to protect information system assets costs money. Losses can result from risks, that is, exploitation of vulnerabilities. When estimated costs are less than estimated losses, then a legal liability exists. Courts can argue that the organization’s management should have installed safeguards but did not, and that management did not exercise due care and due diligence.
When estimated security costs are greater than estimated losses, they pose no legal liability because costs are greater than losses. When estimated security costs are equal to estimated losses, the situation requires judgment and qualitative considerations because costs are equal to losses. The situation when actual security costs are equal to actual losses is not applicable because actual costs and actual losses are not known at the time of implementing safeguards.