122. Which of the following statements is true about application software testing?
a. Basic testing equals black-box testing.
b. Comprehensive testing equals black-box testing.
c. Basic testing equals gray-box testing.
d. Comprehensive testing equals focused testing.
122. a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing.
Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation details of the assessment object. Comprehensive testing is also known as white-box testing.
Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation details of the assessment object. Focused testing is also known as gray-box testing.
123. Which of the following cannot handle the complete workload of a malware incident and cannot ensure a defense-in-depth strategy?
a. Antivirus software
b. E-mail filtering
c. Network-based intrusion prevention system software
d. Host-based IPS software
123. a. In a widespread incident, if malware cannot be identified by updated antivirus software, or updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high-volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across multiple components. Antivirus software alone cannot ensure a defense-in-depth strategy; automated detection methods other than antivirus software are needed for that. These detection methods include e-mail filtering, network-based intrusion prevention system (IPS) software, and host-based IPS software.
124. Defining roles and responsibilities before security incidents occur is important for identifying hosts infected during malware incidents. Which of the following groups can primarily assist with identifying infected servers?
a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
124. b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are good at identifying infected servers such as domain name system (DNS), e-mail, and Web servers. The roles of the other three administrators are different from separation of duties, independence, and objectivity viewpoints.
125. Which of the following is true about a stealth virus?
a. It is easy to detect.
b. It is a resident virus.
c. It can reveal file size increases.
d. It doesn’t need to be active to show stealth qualities.
125. b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus typically does not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.
126. Which of the following is not a common tool for eradication of malware from an infected host?
a. Antivirus software
b. Spam-filtering software
c. Spyware detection and removal utility software
d. Patch management software
126. b. Spam-filtering software, whether host-based or network-based, is effective at stopping known e-mail-based malware that uses the organization’s e-mail services and at stopping some unknown malware, but it is not a common eradication tool. The most common tools for eradication are antivirus software, spyware detection and removal utility software, patch management software, and dedicated malware removal tools.
127. Organizations should strongly consider rebuilding a system that has which of the following malware incident characteristics?
1. Unauthorized administrator-level access.
2. Changes to system files.
3. The system is unstable.
4. The extent of damage is unclear.
a. 1 only
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
127. d. If an incident has resulted in unauthorized administrator-level access or changes to system files, if the system is unstable, or if the extent of the damage is unclear, organizations should be prepared to rebuild each affected system.
128. Which of the following ways should be used to rebuild a host infected during a malware incident?
1. Reinstalling the operating system
2. Reinstalling the application systems
3. Securing the operating and application systems
4. Restoring the data from known good backups
a. 1 and 2
b. 3 only
c. 1, 2, and 3
d. 1, 2, 3, and 4
128. d. Rebuild each affected system by reinstalling and reconfiguring its operating system and applications, securing the operating system and applications, and restoring the data from known good backups.
129. Lessons learned from major malware incidents improve which of the following?
1. Security policy
2. Software configurations
3. Malware prevention software deployments
4. Malware detection software deployments
a. 1 only
b. 1 and 2
c. 3 and 4
d. 1, 2, 3, and 4
129. d. Capturing the lessons following the handling of a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and malware detection and prevention software deployments.
130. Which of the following is the correct tool and technology deployment sequence for containing malware incidents, especially when a worm attacks the network service?
1. Internet border and internal routers
2. Network-based firewalls
3. Network- and host-based antivirus software
4. Host-based firewalls
a. 1, 2, 4, and 3
b. 2, 3, 1, and 4
c. 3, 4, 2, and 1
d. 4, 2, 1, and 3
130. c. When organizations develop strategies for malware incident containment, they should consider developing tools to assist incident handlers in selecting and implementing containment strategies quickly when a serious incident occurs.
Network- and host-based antivirus software detects and stops the worm, and identifies and cleans the infected systems.