143. d. One basic aim of a computer-security incident-response capability (CSIRC) is to mitigate the potentially serious effects of a severe computer security-related problem. It requires not only the capability to react to incidents but also the resources to alert and inform the users. It requires the cooperation of all users to ensure that incidents are reported and resolved and that future incidents are prevented.
An organization can augment existing computer security capabilities, such as help desks, self-help information, or site security offices, with a CSIRC capability. A telephone hotline or e-mail address provides a single point of contact for users and centralized reporting. It is then possible to respond to all incidents and to determine whether incidents are related. With centralized reporting, a CSIRC can also develop accurate statistics on the size, nature, and extent of the security problems within the organization.
144. A computer security incident is any adverse event whereby some aspect of computer security is threatened. Which of the following best characterizes a security incident-response capability?
a. Proactive
b. Reactive
c. Proactive and reactive
d. Detective
144. c. A computer-security incident-response capability (CSIRC) can help organizations resolve computer security problems in a way that is both efficient and cost-effective. Combined with policies for centralized reporting, a CSIRC can reduce waste and duplication while providing a better posture against potentially devastating threats. A CSIRC is a proactive approach to computer security, one that combines reactive capabilities with active steps to prevent future incidents from occurring.
When not responding to incidents, a CSIRC can take proactive steps to educate its users regarding pertinent risks and threats to computer security. These activities can prevent incidents from occurring. They include informing users about vulnerabilities and heightening awareness of other security threats, procedures, and proper maintenance of their systems. A CSIRC is not solely a reactive capability; it is also a proactive approach to reducing an organization’s computer security risk. Detective alone is not correct because a CSIRC does more than detect incidents: prevention is better than detection, and detection works only in some circumstances.
145. Automated tools exist to test computer system vulnerability and to detect computer security incidents. Vulnerability testing tools analyze which of the following?
a. Recurring events
b. Current state of the system
c. Historical events
d. Nonrecurring events
145. b. Security is affected by the actions of both users and system administrators. Users may leave their files open to attack; the system administrator may leave the system open to attack by insiders or outsiders. The system can also be vulnerable because its features are misused. Automated tools can search for vulnerabilities that arise from common administrator and user errors. Vulnerability testing tools analyze the current state of the system (a snapshot), which is a limitation: anything that changes after the scan is invisible until the next run. These tools review the objects in a system (files, directories, permissions, configuration settings), searching for anomalies that might indicate vulnerabilities that could allow an attacker to (i) plant Trojan horses, (ii) masquerade as another user, or (iii) circumvent the organizational security policy.
The other three choices are incorrect because they represent events, past or recurring, that a snapshot-based vulnerability testing tool cannot see. Generalized audit software or special-purpose utility programs handle such events better.
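The snapshot behaviour described above, as an added example that is not part of the original text: a small Python checker that reviews the objects in a directory tree for common administrator and user errors (world-writable files, setuid/setgid executables, world-writable directories without the sticky bit), records the findings as a point-in-time snapshot, and then diffs two snapshots to show why a single scan misses changes made after it ran. The directory tree it scans is constructed in a temporary directory for the example; the permission mistakes in it are deliberate and hypothetical.

```python
"""Snapshot-style vulnerability check for common administrator and user errors.

Reviews objects (files and directories) under a root and flags anomalies.
The result is a snapshot of the current state; diff_snapshots() shows what a
single snapshot cannot see: changes made between two runs.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, List[str]]  # relative path -> findings for that object


def classify(mode: int) -> List[str]:
    """Return findings for one object's permission bits (st_mode)."""
    findings: List[str] = []
    if stat.S_ISDIR(mode):
        # A world-writable directory without the sticky bit lets any user
        # delete or rename other users' files inside it.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    elif stat.S_ISREG(mode):
        if mode & stat.S_IWOTH:
            findings.append("world-writable file")        # anyone can plant content
        if mode & stat.S_ISUID:
            findings.append("setuid file")                # runs as the owner
        if mode & stat.S_ISGID and mode & stat.S_IXGRP:
            findings.append("setgid executable")          # runs with the group
    return findings  # symlinks and other types produce no findings here


def snapshot(root: str) -> Snapshot:
    """Walk root and record the findings per object as they are right now."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    result: Snapshot = {}
    for path in entries:
        findings = classify(os.lstat(path).st_mode)  # lstat: do not follow links
        if findings:
            result[os.path.relpath(path, root)] = findings
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, Tuple[List[str], List[str]]]:
    """Objects whose findings differ between two snapshots (new or fixed issues)."""
    changed = {}
    for path in set(before) | set(after):
        if before.get(path, []) != after.get(path, []):
            changed[path] = (before.get(path, []), after.get(path, []))
    return changed


def build_constructed_tree() -> str:
    """Create a constructed sample tree with deliberate mistakes (hypothetical, not system files)."""
    root = tempfile.mkdtemp(prefix="vulnscan_")
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    os.chmod(etc, 0o755)
    conf = os.path.join(etc, "app.conf")
    with open(conf, "w") as f:
        f.write("db_password=hunter2\n")
    os.chmod(conf, 0o666)                      # user error: world-writable config
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)                    # admin error: no sticky bit
    ok = os.path.join(root, "ok.txt")
    with open(ok, "w") as f:
        f.write("fine\n")
    os.chmod(ok, 0o644)                        # correctly protected control file
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    first = snapshot(root)
    for path, findings in sorted(first.items()):
        print(f"{path}: {', '.join(findings)}")
    # Snapshot limitation: a fix (or a new mistake) after the scan is not
    # reflected until the tree is scanned again.
    os.chmod(os.path.join(root, "etc", "app.conf"), 0o640)
    print("changed since first scan:", diff_snapshots(first, snapshot(root)))
```

Run it on a real tree by replacing `build_constructed_tree()` with a path such as `/etc` or a web root; the second scan after a permission change is what an audit log or utility program would have captured without a rescan.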
146. What is oral testimony?
a. Cumulative evidence
b. Proffered evidence
c. Direct evidence
d. Negative evidence
146. c. Evidence means testimony, writings, material objects, or other things presented to the senses that are offered to prove the existence or nonexistence of a fact. Direct evidence proves a fact without having to use presumptions or inferences to establish that proof (e.g., oral testimony of a witness to a fact). It proves a consequential fact.
The other three choices are incorrect because none of them is defined by oral testimony. Cumulative evidence is evidence introduced to prove a fact for which other evidence has already been introduced. Proffered evidence is evidence that a party seeks to introduce to prove or defeat some crime, claim, or defense; it may be offered by either side. Negative evidence is evidence that something did not happen or does not exist.
147. Which of the following phases of a security incident investigation process determines whether a computer crime has occurred?
a. Initiating the investigation
b. Testing and validating the incident hypothesis
c. Analyzing the incident
d. Presenting the evidence
147. c. There are four phases in the investigation process. Initiating the investigation (phase 1) includes securing the crime scene, collecting evidence, developing an incident hypothesis, and investigating alternative explanations. Testing and validating the incident hypothesis (phase 2) deals with proving or disproving prior assumptions, opinions, conditions, and situations, and with validating the accuracy of a computer system’s prior security parameters such as configuration settings, firewall rulesets, and account access privileges and authorizations. Analyzing the incident (phase 3) covers analysis of the evidence collected in the previous phases to determine whether a computer crime has occurred. Presenting the evidence (phase 4) involves preparing a report with findings and recommendations to management or law enforcement authorities.
The correct order of the investigation process is gather facts (phase 1), interview witnesses (phase 1), develop incident hypothesis (phase 1), test and validate the hypothesis (phase 2), analyze (phase 3), and report the results to management and others (phase 4).
148. Which of the following investigative tools is most effective when large volumes of evidence need to be analyzed?
a. Interviews
b. Questionnaires
c. Forensic analysis
d. Computer analysis
148. d. Computers can be used to collect, compile, and analyze large amounts of data and to provide statistics, reports, and graphs that assist the investigator in analysis and decision making. Forensic analysis is the art of retrieving computer data in such a way that it will be admissible in court. Interviews and questionnaires are examples of structured approaches used in interviewing and interrogation.
149. Which of the following methods is acceptable to handle computer equipment seized in a computer crime investigation?
a. Exposing the magnetic media to radio waves
b. Laying the magnetic media on top of electronic equipment
c. Subjecting the magnetic media to forensic testing
d. Leaving the magnetic media in the trunk of a vehicle containing a radio unit
149. c. Forensic analysis is the art of retrieving computer data in such a way that it will be admissible in court. Exposing magnetic media to magnetic or electromagnetic fields, such as those produced by radio transmitters, may alter or destroy data. Do not carry magnetic media in the trunk of a vehicle containing a radio unit, and do not lay magnetic media on top of any electronic equipment.
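The handling rules above exist because altered evidence is not admissible, and the examiner must be able to show that the data did not change between seizure and analysis. The added example below is not part of the original text; it shows, in Python, the integrity check that backs that claim: hash the acquired image at the time of acquisition, keep the hash in a custody record, and re-hash before analysis. The "disk image" is a constructed byte string written to a temporary file, and the custody-record fields are a hypothetical format, not a standard one.

```python
"""Integrity record for seized media: hash at acquisition, re-verify before analysis."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file read in chunks, so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path: str, custodian: str, note: str = "") -> dict:
    """Build a custody record (hypothetical field names) capturing the hash at acquisition."""
    return {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": hash_file(image_path),
        "custodian": custodian,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def verify_against_record(image_path: str, record: dict):
    """Re-hash the image and compare with the record; False means the data changed."""
    current = hash_file(image_path)
    # Constant-time compare is habit, not a requirement here; the digests are public.
    return hmac.compare_digest(current, record["sha256"]), current


def demo():
    """Acquire a constructed sample image, then show that a one-byte change is detected."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    image = os.path.join(workdir, "disk0.img")
    with open(image, "wb") as f:  # constructed sample content, not a real acquisition
        f.write(b"\x00" * 4096 + b"CASE-FILE: constructed sample content\n" + b"\xff" * 4096)

    record = record_acquisition(image, "examiner-1", "constructed sample image")
    with open(os.path.join(workdir, "disk0.custody.json"), "w") as f:
        json.dump(record, f, indent=2)  # the record travels with the evidence
    ok_before, _ = verify_against_record(image, record)

    # Simulate damage from improper handling: a single byte of the image changes.
    with open(image, "r+b") as f:
        f.seek(4100)
        f.write(b"\x7f")
    ok_after, current = verify_against_record(image, record)
    return record, ok_before, ok_after, current


if __name__ == "__main__":
    record, ok_before, ok_after, current = demo()
    print("recorded :", record["sha256"])
    print("verified at acquisition:", ok_before)
    print("after damage:", current, "verified:", ok_after)
```

The original media should be hashed once, write-blocked, and then only working copies analyzed; every later re-verification of a copy is checked against the same acquisition record.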
150. To preserve the integrity of collected evidence in a criminal prosecution dealing with computer crime, who should not be invited to perform data retrieval and analysis of electronically stored information on a computer?