a. Denial-of-service
b. Malicious code
c. Unauthorized access
d. Inappropriate usage
194. d. Using file-sharing services (e.g., peer-to-peer, P2P) to acquire or distribute pirated software is an example of inappropriate usage. Inappropriate usage occurs when a person violates acceptable computing use policies.
A denial-of-service (DoS) attack prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. Malicious code includes a virus, worm, Trojan horse, or other code-based malicious entity that infects a host. Unauthorized access is where a person gains logical or physical access without permission to a network, operating system, application system, data, or device.
195. When should the incident response team become acquainted with its various law enforcement representatives?
a. After an incident has occurred
b. Before an incident occurs
c. While an incident is occurring
d. After the incident is taken to court
195. b. The incident response team should become acquainted with its various law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them, how the reporting should be performed, what evidence should be collected, and how the evidence should be collected.
196. Which of the following is the major reason for many security-related incidents not resulting in convictions?
a. Organizations do not properly contact law enforcement agencies.
b. Organizations are confused about the role of various law enforcement agencies.
c. Organizations do not know the attacker’s physical location.
d. Organizations do not know the attacker’s logical location.
196. a. The major reason that many security-related incidents do not result in convictions is that organizations do not properly contact law enforcement agencies. An organization should not contact multiple law enforcement agencies because of jurisdictional conflicts. Organizations should appoint one incident response team member as the primary point of contact with law enforcement agencies. The team should understand what the potential jurisdictional issues are (i.e., physical location versus logical location of the attacker).
197. Which of the following are used to capture and analyze network traffic that may contain evidence of a computer security incident?
1. Packet sniffers
2. Forensic software
3. Protocol analyzers
4. Forensic workstations
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 2 and 4
197. b. Packet sniffers and protocol analyzers capture and analyze network traffic that may contain malware activity and evidence of a security incident. Packet sniffers are designed to monitor network traffic on wired or wireless networks and capture packets. Most packet sniffers are also protocol analyzers, which means that they can reassemble streams from individual packets and decode communications that use any of hundreds or thousands of different protocols. Because packet sniffers and protocol analyzers perform the same functions, they could be combined into a single tool.
Computer forensic software is used to analyze disk images for evidence of an incident, whereas forensic workstations are used to create disk images, preserve log files, and save incident data.
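To make the capture/reassemble/decode distinction concrete, here is an added example (not code from the study guide) of the two protocol-analyzer steps named above: decoding IPv4 and TCP headers from raw packets, then reassembling an application stream from out-of-order and retransmitted segments so that the HTTP request inside it can be read. The packets, addresses, ports and request text are all constructed inline for the example; nothing is read from a real network.

```python
import struct

# Constructed HTTP request that the sample "capture" carries, split across segments.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"User-Agent: demo\r\n\r\n")


def _ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _bytes_to_ip(b):
    return ".".join(str(o) for o in b)


def build_tcp_packet(src, dst, sport, dport, seq, payload):
    """Construct a minimal IPv4 + TCP packet (test data; checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                         64, 6, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum/urgent zero
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def build_udp_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 + UDP packet, used to show non-TCP traffic being skipped."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1235, 0x4000,
                         64, 17, 0, _ip_to_bytes(src), _ip_to_bytes(dst))
    return ip_hdr + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_packet(raw):
    """Decode the IPv4 and TCP headers of one packet; return None for non-TCP traffic."""
    if raw[0] >> 4 != 4:          # only IPv4 is handled here
        return None
    ihl = (raw[0] & 0x0F) * 4     # IP header length in bytes
    total_len, = struct.unpack("!H", raw[2:4])
    if raw[9] != 6:               # protocol field: 6 = TCP
        return None
    tcp = raw[ihl:total_len]
    sport, dport, seq, _ack, off_byte, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_byte >> 4) * 4
    return {"src": _bytes_to_ip(raw[12:16]), "dst": _bytes_to_ip(raw[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "payload": tcp[data_off:]}


def reassemble_streams(packets):
    """Group segments per flow, order them by sequence number and drop retransmitted bytes."""
    flows = {}
    for p in packets:
        if p["payload"]:
            flows.setdefault((p["src"], p["sport"], p["dst"], p["dport"]), []).append(p)
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s["seq"])
        base, buf = segs[0]["seq"], bytearray()
        for s in segs:
            offset = s["seq"] - base
            if offset > len(buf):
                raise ValueError(f"gap of {offset - len(buf)} bytes in stream {key}")
            buf += s["payload"][len(buf) - offset:]   # keep only bytes not seen yet
        streams[key] = bytes(buf)
    return streams


def decode_http_request(stream):
    """Decode the request line and headers of an HTTP/1.x request from a reassembled stream."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "version": version.decode(), "headers": headers}


def build_sample_capture():
    """Constructed capture: request in 25-byte segments, delivered out of order with one
    retransmission, plus an unrelated UDP packet."""
    chunks = [REQUEST[i:i + 25] for i in range(0, len(REQUEST), 25)]
    seg = lambda i: build_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, 1000 + 25 * i, chunks[i])
    return [seg(1), seg(0), seg(2), seg(1),
            build_udp_packet("10.0.0.5", "10.0.0.53", 5353, 53, b"\x00" * 12)]


def analyze_capture(raw_packets):
    """Sniffer + analyzer pipeline: decode headers, reassemble, decode HTTP on port 80."""
    parsed = [p for p in map(parse_packet, raw_packets) if p is not None]
    streams = reassemble_streams(parsed)
    return {key: decode_http_request(data) for key, data in streams.items() if key[3] == 80}


if __name__ == "__main__":
    for flow, req in analyze_capture(build_sample_capture()).items():
        print(flow, req["method"], req["target"], req["headers"])
```

The retransmitted segment is the case worth noticing: without the "bytes not seen yet" slice in `reassemble_streams`, the duplicate would be appended twice and the decoded request would be corrupted, which is the kind of subtle error an analyst relies on a mature protocol analyzer to get right.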
198. Which of the following facilitates faster response to computer security incidents?
a. Rootkit
b. Tool kit
c. Computer kit
d. Jump kit
198. d. Many incident response teams create a jump kit, which is a portable bag containing materials such as a laptop computer loaded with the required software, blank media, backup devices, network equipment and cables, and operating system and application software patches. This jump kit is taken with the incident handler during an offsite investigation of an incident for faster response. The jump kit is ready to go at all times so that when a serious incident occurs, incident handlers can grab the jump kit and go, giving them a jump start.
A rootkit is a set of tools used by an attacker after gaining root-level access to a host. The rootkit conceals the attacker’s activities on the host, permitting the attacker to maintain root-level access to the host through covert means. Rootkits are publicly available, and many are designed to alter logs to remove any evidence of the rootkit’s installation or execution. Tool kit and computer kit are generic terms without any specific value here.
199. Which of the following statements about security controls, vulnerabilities, risk assessment, and incident response awareness is not correct?
a. Insufficient security controls lead to slow responses and larger negative business impacts.
b. A large percentage of incidents involve exploitation of a small number of vulnerabilities.
c. Risk assessment results can be interpreted to ignore security over resources that are less than critical.
d. Improving user awareness regarding incidents reduces the frequency of incidents.
199. c. Risk assessments usually focus on critical resources. This should not be interpreted as a justification for organizations to ignore the security of resources that are deemed to be less than critical because the organization is only as secure as its weakest link.
If security controls are insufficient, high volumes of incidents may occur, which can lead to slow and incomplete responses that, in turn, translate into larger negative business impacts (e.g., more extensive damage, longer delays in providing services, and longer system unavailability). Many security experts agree that a large percentage of incidents involve exploitation of a relatively small number of vulnerabilities in operating systems and application systems (i.e., an example of Pareto’s 80/20 principle). Improving user awareness regarding incidents should reduce the frequency of incidents, particularly those involving malicious code and violations of acceptable use policies.
200. Some security incidents fit into more than one category for identification and reporting purposes. An incident response team should categorize incidents by the use of:
a. Access mechanism
b. Target mechanism
c. Transmission mechanism
d. Incident mechanism
200. c. When incidents fit into more than one category, the incident response team should categorize incidents by the transmission mechanism used. For example, a virus that creates a backdoor that has been used to gain unauthorized access should be treated as a multiple component incident because two transmission mechanisms are used: one is a malicious code incident and the other is an unauthorized access incident.
201. What is incorrectly classifying a malicious activity as a benign activity called?
a. False negative
b. False positive
c. False warnings
d. False alerts
201. a. Forensic tools create false negatives and false positives. False negatives incorrectly classify malicious activity as benign activity. False positives incorrectly classify benign activity as malicious activity. False warnings and false alerts are generated from intrusion detection system sensors or vulnerability scanners.
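The false-negative/false-positive distinction is easiest to see against a concrete detection rule, so here is an added example (not from the study guide) that runs a simple brute-force login detector over constructed authentication events with known ground truth and tallies the confusion matrix. The source addresses, timestamps and the "attacker" labels are all made up for the example; the rule (flag a source with N failed logins inside a time window) and the threshold values are the author's assumptions, chosen to show one attacker slipping under the threshold (a false negative) and one forgetful user tripping it (a false positive).

```python
# Constructed sample authentication events: (epoch seconds, source IP, outcome).
EVENTS = [
    # 198.51.100.7: fast brute force, six failures in 25 seconds
    *[(1000 + 5 * i, "198.51.100.7", "failed") for i in range(6)],
    # 203.0.113.9: "low and slow" brute force, six failures two minutes apart
    *[(2000 + 120 * i, "203.0.113.9", "failed") for i in range(6)],
    # 192.0.2.20: legitimate user who forgot a password, five failures then success
    *[(3000 + 8 * i, "192.0.2.20", "failed") for i in range(5)],
    (3045, "192.0.2.20", "success"),
    # 192.0.2.21: one typo then success
    (4000, "192.0.2.21", "failed"), (4010, "192.0.2.21", "success"),
    # 192.0.2.22: normal logins only
    (5000, "192.0.2.22", "success"), (5600, "192.0.2.22", "success"),
]
# Ground truth for the constructed data: which sources were actually attackers.
TRULY_MALICIOUS = {"198.51.100.7", "203.0.113.9"}


def detect_brute_force(events, threshold=5, window=60):
    """Flag a source when `threshold` failed logins fall inside any `window`-second span."""
    failures = {}
    for ts, ip, outcome in events:
        if outcome == "failed":
            failures.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged


def confusion_matrix(flagged, malicious, all_sources):
    """Count true/false positives and negatives per source.
    false negative = malicious source not flagged (classified as benign);
    false positive = benign source flagged (classified as malicious)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ip in all_sources:
        predicted, actual = ip in flagged, ip in malicious
        if predicted and actual:
            counts["tp"] += 1
        elif predicted:
            counts["fp"] += 1
        elif actual:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def evaluate(threshold=5, window=60):
    """Run the rule with the given tuning and report counts plus FP and FN rates."""
    sources = {ip for _, ip, _ in EVENTS}
    flagged = detect_brute_force(EVENTS, threshold, window)
    c = confusion_matrix(flagged, TRULY_MALICIOUS, sources)
    c["fpr"] = c["fp"] / (c["fp"] + c["tn"])   # share of benign sources wrongly flagged
    c["fnr"] = c["fn"] / (c["fn"] + c["tp"])   # share of attackers missed
    c["flagged"] = sorted(flagged)
    return c


if __name__ == "__main__":
    print("default tuning :", evaluate())
    print("looser tuning  :", evaluate(threshold=3, window=300))
```

With the default tuning the slow attacker is missed (one false negative) while the forgetful user is flagged (one false positive). Loosening the rule to three failures in five minutes removes the false negative without adding new false positives on this data, but on real traffic every such change shifts the balance between the two error types, which is why both rates are tracked together when a detection is tuned.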