1. Главная
  2. Книги
  3. Vallabhaneni S. Rao
  4. CISSP Practice
  5. Страница 265
Выбрать главу

187. Your organization is using PC-based local-area networks (LANs), and their use is growing. Management is concerned about the number of users using application software at any given time. At present, management does not have an accurate picture of how many users use an application system to help maintain site license agreements. What would you recommend?

a. Obtain software metering and monitoring tools to control application software usage.

b. Remind all users that only authorized people should use the software.

c. Conduct periodic audits by auditors.

d. Conduct random audits by the LAN administrator.

187. a. The maximum number of users allowed per application to help maintain site license agreements can be designated. It shows how people use applications and purchasing unnecessary copies of software can be avoided. If additional copies are needed, the software alerts LAN managers with a screen message. Reminding all users that only authorized people should use the software does not achieve the objective because some people may not follow the directions. Conducting periodic audits by auditors or LAN administrators may not be timely and may not cover all areas of the organization due to time and resource factors.

188. During detection of malware incidents, which of the following can act as precursors?

1. Malware advisories

2. Security tool alerts

3. System administrators

4. Security tools

a. 3 only

b. 4 only

c. 1 or 2

d. 3 and 4

188. c. Signs of an incident fall into one of two categories: precursors and indications. A precursor is a sign that an incident (e.g., malware attack) may occur in the future (i.e., future incident). Most malware precursors are either malware advisories or security tool alerts. Detecting precursors gives organizations an opportunity to prevent incidents by altering their security posture and to be on the alert to handle incidents that occur shortly after the precursor.

System administrators and security tools are examples of indications of malware incidents. An indication is a sign that an incident (malware attack) may have occurred or may be occurring. The primary indicators include users, IT staff such as system, network, and security administrators and security tools such as antivirus software, intrusion prevention systems, and network monitoring software.

189. From a legal standpoint, which of the following pre-logon screen banners is sufficient to warn potential system intruders?

a. No tampering

b. No trespassing

c. No hacking

d. No spamming

189. b. A “no trespassing” notice is an all-inclusive warning to confront potential system intruders. All the other three choices come under “no trespassing.”

190. Which of the following practices will not prevent computer security incidents?

a. Collecting incident data

b. Having a patch management program

c. Hardening all hosts

d. Configuring the network perimeter

190. a. Collecting incident data by itself does not prevent computer security incidents. A good use of the data is measuring the success of the incident response team. The other three choices prevent computer security incidents.

191. Which of the following is not the preferred characteristic of security incident-related data?

a. Objective data

b. Subjective data

c. Actionable data

d. Available data

191. d. Organizations should be prepared to collect a set of objective and subjective data for each incident. They should focus on collecting data that is actionable, rather than collecting data simply because it is available.

192. Which of the following cannot be of great value in automating the incident analysis process?

a. Event correlation software

b. Centralized log management software

c. Security software

d. Patch management software

192. d. Usually, a separate team, other than the incident response team provides patch management services, and the patch management work could be a combination of manual and computer processes. Automation is needed to perform an analysis of the incident data and select events of interest for human review. Event correlation software, centralized log management software, and security software can be of great value in automating the analysis process. The other three choices are used in the detection and analysis phase, which is prior to the recovery phase where patches are installed.

193. When applying computer forensics to redundant array of independent disks (RAID) disk imaging technology, which of the following are not used as a hash function in verifying the integrity of digital data on RAID arrays as evidence in a court of law?

1. Cyclic redundancy check-32 (CRC-32)

2. Checksums

3. Message digest 5 (MD5)

4. Secure hash algorithm1 (SHA1)

a. 1 only

b. 3 only

c. 1 and 2

d. 3 and 4

193. c. Both CRC-32 and checksums are not used as a hash function in verifying the integrity of digital data on RAID arrays as evidence in a court of law. To be complete and accurate in the eyes of the court, data must be verified as bit-bit match. Failure to provide the court assurance of data integrity can result in the evidence being completely dismissed or used in a lesser capacity as an artifact, finding, or as item of note. The court system needs an absolute confidence that the data presented to it is an exact, unaltered replication of the original data in question.

The CRC-32 is not a hash function, is a 32-bit checksum, and is too weak to be heavily relied upon. The main weakness is that the probability of two separate and distinct data-streams generating the same value using CRC-32 is too high. Checksums are digits or bits summed according to some arbitrary rules and are used to verify the integrity of normal data, but they are not hash functions, as required in disk imaging.

Both MD5 and SHA1 are used as a hash function in verifying the integrity of digital data on RAID arrays as evidence in a court of law. The MD5 is a 128-bit hash algorithm, and is not susceptible to the same weakness of CRC-32. The chances of any two distinct data-streams generating the same hash value using MD5 is extremely low. SHA-1 is a 160-bit hash algorithm, which is computationally stronger than the MD5. In relation to disk imaging, the benefit of using a hash algorithm is that if any bit is changed or missing between the source and the destination copy, a hash of the data-stream will show this difference.

194. A user providing illegal copies of software to others is an example of which of the following computer-security incident types?

~ 265 ~