
d. Business impact analysis

219. d. A fundamental concept of business continuity planning is business impact analysis (BIA), which refers to determining the impact of particular events. BIA information for an organization may be directly applicable to security incident prioritization.

The other three choices are not related to security incident prioritization. Gap-fit analysis deals with comparing actual outcomes with expected outcomes. Sensitivity analysis focuses on “what if” conditions. Option analysis deals with choices available or not available.

220. From a computer-forensic viewpoint, which of the following is most useful in prosecution?

a. Disk image

b. Standard file system backup

c. Deleted files

d. File fragments

220. a. A disk image preserves all data on the disk, including deleted files and file fragments. A standard file system backup can capture information on existing files, which may be sufficient for handling many incidents, particularly those that are not expected to lead to prosecution. Both disk images and file system backups are valuable regardless of whether the attacker will be prosecuted because they permit the target to be restored while the investigation continues using the image or backup.

221. Which of the following indications is not associated with a network-based denial-of-service attack against a particular host?

a. Unexplained connection losses

b. Packets with nonexistent destination addresses

c. Increased network bandwidth utilization

d. Firewall and router log entries

221. b. Packets with nonexistent destination addresses are an example of possible indications for a network-based denial-of-service (DoS) attack against a network, not a host. The other choices are examples of indications for network-based DoS attacks against a particular host.

222. Which of the following indications is not associated with a malicious action such as root compromise of a host?

a. User reports of system unavailability

b. Highly unusual log messages

c. Unexplained account usage

d. Increased resource utilization

222. d. “Increased resource utilization” is an example of possible indications of malicious action such as unauthorized data modification. The other choices are examples of possible indications of root compromise of a host.

223. From a security incident viewpoint, countermeasures and controls cannot do which of the following?

a. Prevent

b. Detect

c. Respond

d. Recover

223. c. Countermeasures and controls prevent, detect, and recover from security incidents, not respond to them. Incident response emphasizes interactions with outside parties, such as the media/press, law enforcement authorities, and incident reporting organizations. It is not easy to exercise control over these outside parties.

224. Which of the following forensic tools and techniques are useful for complying with regulatory requirements?

a. Operational troubleshooting

b. Data recovery

c. Due diligence

d. Data acquisition

224. c. Regulations require many organizations to protect sensitive information and maintain certain records for audit purposes. Organizations can exercise due diligence and comply with regulatory requirements. Due diligence requires developing and implementing an effective security program to prevent and detect violations of policies and laws. The other three choices deal with day-to-day operations work, not with regulatory requirements.

225. The computer incident response process is a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

225. d. The computer incident response process is a part of corrective controls because it manages unexpected security incidents in a systematic manner. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation because they rely more on human judgment.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 5.

The ERD Company has just had a theft of 2.5 million dollars via the Internet. The IT management believes the cause to be malware installed by an attacker. This represents 2 percent of the company’s total assets. The senior executives have been notified, but they will not be available for the next 36 hours. The last policy update for incident response was 4 years ago. Since the update, the people in charge of incident handling have left the company. The contact information for the virtual team is not current.

1. A search of the malware database did not lead to the identification of the worm. In analyzing the current state of the host, the incident handler feels that the worm has created a backdoor. Which of the following aspects of the host’s current state can identify that backdoor?

a. Unusual connections

b. Unexpected listening ports

c. Unknown processes

d. Unusual entries

1. b. The analyst can look at several different aspects of the host’s current state. It is good to start with identifying unusual connections (e.g., large number, unexpected port number usage, and unexpected hosts) and unexpected listening ports (e.g., backdoors created by the worm). Other steps that may be useful include identifying unknown processes in the running process list, and examining the host’s logs to reveal any unusual entries that may be related to the infection.
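The host-state review described in this answer (unusual connections, unexpected listening ports, unknown processes) can be turned into a repeatable triage step. The following script is an added example, not part of the book or any named product: it parses a constructed socket snapshot in the spirit of `ss -tnp` output and compares it with an assumed known-good baseline for the host role. The baseline sets (`EXPECTED_LISTEN_PORTS`, `KNOWN_PROCESSES`, the internal address prefix and the per-peer connection threshold) are assumptions a handler would replace with values from a clean build of the same host.

```python
"""Triage a host socket snapshot for backdoor indicators: unexpected
listening ports, unknown processes, and unusual outbound connections.
Snapshot and baseline are constructed for the example."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample, one socket per line: state, local, peer, process.
# "netsvcd" is a made-up process name standing in for the worm's backdoor.
SNAPSHOT = """\
LISTEN 0.0.0.0:22 0.0.0.0:* sshd
LISTEN 0.0.0.0:443 0.0.0.0:* nginx
LISTEN 0.0.0.0:31337 0.0.0.0:* netsvcd
ESTAB 10.0.0.5:443 10.0.0.9:51002 nginx
ESTAB 10.0.0.5:443 10.0.0.9:51003 nginx
ESTAB 10.0.0.5:31337 203.0.113.7:4444 netsvcd
ESTAB 10.0.0.5:40010 203.0.113.7:6667 netsvcd
ESTAB 10.0.0.5:40011 203.0.113.7:6667 netsvcd
"""

# Assumed known-good baseline for this host role (web server with SSH).
EXPECTED_LISTEN_PORTS = {22, 443}
KNOWN_PROCESSES = {"sshd", "nginx"}
INTERNAL_PREFIX = "10."        # assumed internal address range
MAX_CONNS_PER_PEER = 2         # assumed threshold for "large number" of connections


@dataclass(frozen=True)
class Socket:
    state: str
    local: str
    peer: str
    process: str


def parse_snapshot(text: str) -> list:
    """Turn the whitespace-separated snapshot into Socket records."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers or malformed lines
        sockets.append(Socket(*parts))
    return sockets


def port_of(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])


def host_of(addr: str) -> str:
    return addr.rsplit(":", 1)[0]


def triage(text: str) -> dict:
    """Return the indicators an incident handler would review first."""
    sockets = parse_snapshot(text)

    # Unexpected listening ports are the classic sign of a worm-created backdoor.
    unexpected_listen = sorted(
        (port_of(s.local), s.process)
        for s in sockets
        if s.state == "LISTEN" and port_of(s.local) not in EXPECTED_LISTEN_PORTS
    )

    # Any process owning a socket that is not in the baseline process list.
    unknown_processes = sorted({s.process for s in sockets} - KNOWN_PROCESSES)

    # Established connections grouped by remote host.
    peers = Counter(host_of(s.peer) for s in sockets if s.state == "ESTAB")
    external_peers = {h: n for h, n in peers.items() if not h.startswith(INTERNAL_PREFIX)}
    busy_peers = {h: n for h, n in peers.items() if n > MAX_CONNS_PER_PEER}

    return {
        "unexpected_listen": unexpected_listen,
        "unknown_processes": unknown_processes,
        "external_peers": external_peers,
        "busy_peers": busy_peers,
    }


if __name__ == "__main__":
    for key, value in triage(SNAPSHOT).items():
        print(f"{key}: {value}")
```

The baseline comparison is the important design choice: what counts as "unusual" is only meaningful against a record of the host's normal state, which is why the answer recommends starting from expected ports and known processes rather than from raw socket counts.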

2. A worm has infected a system. From a network data analysis perspective, which of the following contains more detailed information?

a. Network-based IDS and firewalls

b. Routers

c. Host-based IDS and firewalls

d. Remote access servers

2. c. Intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, a host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software were configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information.
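The answer says a host-based IDS can identify changes to files or configuration settings made by a worm, and that a worm may also destroy local log entries. The following file-integrity check is an added example, not code from the book or from any IDS product: it hashes a known-good manifest, compares it with the host's current state, and diffs a key=value configuration file. Both "filesystems" are constructed in-memory dictionaries (a real run would read the paths from disk), and the path names and contents are invented for the illustration.

```python
"""Host-based integrity check in the style of a HIDS file-integrity monitor.
Compares a baseline manifest of SHA-256 hashes with the current host state
and reports added, removed and modified files plus changed config settings.
All files below are constructed for the example."""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(fs: dict) -> dict:
    """Hash every file; the baseline stores this while the host is clean."""
    return {path: sha256(content) for path, content in fs.items()}


def compare(manifest: dict, fs: dict) -> dict:
    """Diff the stored manifest against the live filesystem."""
    current = build_manifest(fs)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines, ignoring blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def config_changes(before: str, after: str) -> dict:
    """Return {key: (old, new)} for every setting that differs."""
    b, a = parse_config(before), parse_config(after)
    return {k: (b.get(k), a.get(k)) for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}


# Constructed clean baseline captured before the incident.
BASELINE_FS = {
    "/etc/app.conf": b"listen_port = 443\nallow_remote_admin = false\n",
    "/usr/bin/curl": b"original-binary-contents",
    "/var/log/auth.log": b"accepted publickey for ops\n",
}

# Constructed post-infection state: a config flipped, a binary replaced,
# a dropped file, and the local log destroyed (as the answer warns).
CURRENT_FS = {
    "/etc/app.conf": b"listen_port = 443\nallow_remote_admin = true\n",
    "/usr/bin/curl": b"replaced-binary-contents",
    "/etc/cron.d/update": b"constructed-dropped-file",
}


def report(baseline_fs: dict = BASELINE_FS, current_fs: dict = CURRENT_FS) -> dict:
    """Combine the file diff with the config diff for every config file still present."""
    manifest = build_manifest(baseline_fs)
    result = compare(manifest, current_fs)
    result["config_changes"] = {
        path: config_changes(baseline_fs[path].decode(), current_fs[path].decode())
        for path in result["modified"]
        if path.endswith(".conf")
    }
    return result


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two points the output makes concrete: the missing `/var/log/auth.log` shows why local log data may be absent after a worm, so the manifest itself must be stored off-host (or the logs forwarded to a central server) to remain trustworthy, and the configuration diff gives the handler the specific setting the worm changed rather than only a changed hash.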