
101. Security impact analyses are performed in which of the following configuration management processes?

a. Baseline configuration

b. Configuration change control

c. Monitoring configuration changes

d. Configuration settings

101. c. An organization monitors changes to the information system and conducts security impact analyses to determine the effects of the changes. The other three choices are incorrect because they occur prior to the monitoring.

102. Application partitioning is achieved through which of the following?

1. User functionality is separated from information storage services.

2. User functionality is separated from information management services.

3. Both physical and logical separation techniques are employed.

4. Different computers and operating systems are used to accomplish separation.

a. 1 and 2

b. 3 only

c. 1, 2, and 3

d. 1, 2, 3, and 4

102. d. The information system physically or logically separates the user functionality (including user interface services) from information storage and management services (for example, database management). Separation may be accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or a combination of these methods.

103. Reconciliation routines in application systems are a part of which of the following?

a. Authorization controls

b. Integrity or validation controls

c. Access controls

d. Audit trail mechanisms

103. b. Integrity or validation controls, which are a part of technical controls, include reconciliation routines in application systems. Authorization and access controls, which are also technical controls, enable authorized individuals to access system resources. Audit trail mechanisms include transaction monitoring.

104. Which of the following is the most effective approach in identifying infected hosts with malware incidents and in striking a balance between speed, accuracy, and timeliness?

a. Forensic identification

b. Active identification

c. Manual identification

d. Multiple identifications

104. d. Malware is malicious software and malicious code. In many cases, it is most effective to use multiple identification approaches simultaneously or in sequence to provide the best results for striking a balance between speed, accuracy, and timeliness. Multiple identifications are also needed where a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts (for example, DoS and DDoS attacks).

Forensic identification is effective when data is recent, although the data might not be comprehensive. Active identification produces the most accurate results, although it is often not the fastest way of identifying infections because it scans every host in an organization. Manual identification is not feasible for comprehensive enterprise-wide identification, but it is a necessary part of identification when other methods are not available, and it can fill in gaps when other methods are insufficient.

105. Traditionally, which of the following malware attacker tools is the hardest to detect?

a. Backdoors

b. Rootkits

c. Keystroke loggers

d. Tracking cookies

105. b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.

106. Which of the following virus obfuscation techniques is difficult for antivirus software to overcome?

a. Self-encryption

b. Polymorphism

c. Metamorphism

d. Stealth

106. c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption.

Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption in which the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth is incorrect because a stealth virus uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.

107. The goal of which of the following virus obfuscation techniques is to prevent analyzing the virus’s functions through disassembly?

a. Armoring

b. Tunneling

c. Self-decryption

d. Metamorphism

107. a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus’s functions through disassembly (i.e., a reverse engineering technique), traces, and other means.

Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software.

Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination.

Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.

108. Worms do which of the following?

1. Waste system resources

2. Waste network resources

3. Install backdoors

4. Perform distributed denial-of-service attacks

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4

108. d. Although some worms are intended mainly to waste system and network resources, many worms damage systems by installing backdoors, performing distributed denial-of-service (DDoS) attacks against other hosts, or performing other malicious acts.

109. Which of the following statements are true about malicious mobile code?

1. It does not infect files.

2. It does not attempt to propagate itself.

3. It takes advantage of the default privileges.

4. It uses languages such as Java and ActiveX.