
Network-based IDSs are incorrect because they indicate which server was attacked and on what port number, which in turn indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, VPN gateways, and remote access servers, may record information similar to that logged by network-based firewalls.

3. Which of the following parties is usually not notified at all or is notified last when a computer security incident occurs?

a. System administrator

b. Legal counsel

c. Disaster recovery coordinator

d. Hardware and software vendors

3. b. The first part of a response mechanism is notification, whether automatic or manual. Besides technical staff, several others must be notified, depending on the nature and scope of the incident. Unfortunately, legal counsel is not always notified, or is notified on the assumption that its involvement is not required.

4. An organization just had a computer security incident. Who generally reacts most negatively?

a. E-Partners

b. Suppliers

c. Investors

d. Trading partners

4. c. Investors will punish the organization that was subject to a computer security incident such as hacking. They have the most to lose, and their reaction negatively impacts the company’s valuation. The other parties do not have the same stake.

5. A computer security incident was detected. Which of the following is the best reaction strategy for management to adopt?

a. Protect and preserve

b. Protect and recover

c. Trap and prosecute

d. Pursue and proceed

5. b. If a computer site is vulnerable, management may favor the protect-and-recover reaction strategy because it increases the defenses available to the victim organization. Also, this strategy can bring normalcy to the network’s users as quickly as possible. Management can interfere with the intruder’s activities, prevent further access, and begin damage assessment. This interference process may include shutting down the computer center, closing off access to the network, and initiating recovery efforts. Law enforcement authorities and prosecutors favor the trap-and-prosecute strategy. It lets intruders continue their activities until the security administrator can identify the intruder. In the meantime, there could be system damage or data loss.

Domain 10

Physical and Environmental Security

Traditional Questions, Answers, and Explanations

1. Regarding physical security of cryptography, which modules are used the most in the production, implementation, and operation of encrypting routers?

a. Single-chip cryptographic modules

b. Multiple-chip standalone cryptographic modules

c. Software cryptographic modules

d. Hardware cryptographic modules

1. b. Multiple-chip standalone cryptographic modules are physical embodiments in which two or more integrated circuit (IC) chips are interconnected and the entire enclosure is physically protected. Examples of such implementations include encrypting routers or secure radios. Note that the security measures provided to these modules vary with the security levels of these modules.

The other three choices are incorrect because they are not used in the implementation of encrypting routers or secure radios. Single-chip cryptographic modules are physical embodiments in which a single IC chip may be used as a standalone module or may be embedded within an enclosure or a product that may not be physically protected. Cryptographic modules can be implemented in software, hardware, firmware, or a hybrid of these.

2. Regarding cryptographic modules, which of the following refers to an attack on the operations of the hardware module that does not require physical contact with components within the module?

a. Timing analysis attack

b. Noninvasive attack

c. Differential power analysis attack

d. Simple power analysis attack

2. b. A noninvasive attack can be performed on a cryptographic module without direct physical contact with the module. Noninvasive attacks attempt to compromise a cryptographic module by acquiring knowledge of the module’s critical security parameters without physically modifying or invading the module.

The other three choices are incorrect because their actions are different from those of a noninvasive attack. A timing analysis attack is an attack on a cryptographic module that is based on an analysis of time periods between the time a command is issued and the time the result is obtained. A differential power analysis attack considers the variations of the electrical power consumption of a cryptographic module to correlate to cryptographic keys used in a cryptographic algorithm. A simple power analysis attack considers the patterns of instruction execution to reveal the values of cryptographic keys.

3. Regarding physical security of cryptography, which of the following modules are used the most in production, implementation, and operation of adapters and expansion boards?

a. Single-chip cryptographic modules

b. Multiple-chip standalone cryptographic modules

c. Multiple-chip embedded cryptographic modules