126. A successful incident handling capability should serve which of the following?
a. Internal users only
b. All computer platforms
c. All business units
d. Both internal and external users
126. d. The focus of a computer security incident handling capability may be external as well as internal. An incident that affects an organization may also affect its trading partners, contractors, or clients. In addition, an organization’s computer security incident handling capability may help other organizations and, therefore, help protect the industry as a whole.
127. Which of the following encourages compliance with IT security policies?
a. Use
b. Results
c. Monitoring
d. Reporting
127. c. Monitoring encourages compliance with IT security policies. Results can be used to hold managers accountable for their information security responsibilities. Use for its own sake does not help here. Reporting comes after monitoring.
128. Who should measure the effectiveness of security-related controls in an organization?
a. Local security specialist
b. Business manager
c. Systems auditor
d. Central security manager
128. c. The effectiveness of security-related controls should be measured by a person fully independent of the information systems department. The systems auditor located within an internal audit department of an organization is the right party to perform such measurement.
129. Which of the following corrects faults and returns a system to operation in the event a system component fails?
a. Preventive maintenance
b. Remedial maintenance
c. Hardware maintenance
d. Software maintenance
129. b. Remedial maintenance corrects faults and returns the system to operation in the event a hardware or software component fails. Preventive maintenance is incorrect because it is done to keep hardware in good operating condition. Both hardware and software maintenance are included in remedial maintenance.
130. Which of the following statements is not true about audit trails from a computer security viewpoint?
a. There is interdependency between audit trails and security policy.
b. If a user is impersonated, the audit trail establishes events and the identity of the user.
c. Audit trails can assist in contingency planning.
d. Audit trails can be used to identify breakdowns in logical access controls.
130. b. Audit trails have several benefits. They are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, audit trails collect events and associate them with the perceived user (i.e., the user ID provided). If a user is impersonated, the audit trail establishes events but not the identity of the user.
It is true that there is interdependency between audit trails and security policy. Policy dictates who has authorized access to particular system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.
It is true that audit trails can assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).
It is true that audit trails can be used to identify breakdowns in logical access controls. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity by identifying breakdowns in logical access controls or verifying that access control restrictions are behaving as expected.
131. Which of the following is a policy-driven storage media?
a. Hierarchical storage management
b. Tape management
c. Direct access storage device
d. Optical disk platters
131. a. Hierarchical storage management follows a policy-driven strategy in that the data is migrated from one storage medium to another, based on a set of rules, including how frequently the file is accessed. On the other hand, the management of tapes, direct access storage devices, and optical disks is based on schedules, which is an operational strategy.
132. In which of the following types of denial-of-service attacks does a host send many requests with a spoofed source address to a service on an intermediate host?
a. Reflector attack
b. Amplifier attack
c. Distributed attack
d. SYN flood attack
132. a. Because the intermediate host unwittingly performs the attack, that host is known as a reflector. During a reflector attack, a denial-of-service (DoS) could occur to the host at the spoofed address, the reflector itself, or both hosts. The amplifier attack does not use a single intermediate host, like the reflector attack, but uses a whole network of intermediate hosts. The distributed attack coordinates attacks among several computers. A synchronous (SYN) flood attack is a stealth attack because the attacker spoofs the source address of the SYN packet, thus making it difficult to identify the perpetrator.
133. Sometimes a combination of controls works better than a single category of control, such as preventive, detective, or corrective. Which of the following is an example of a combination of controls?
a. Edit and limit checks, digital signatures, and access controls
b. Error reversals, automated error correction, and file recovery
c. Edit and limit checks, file recovery, and access controls
d. Edit and limit checks, reconciliation, and exception reports
133. c. Edit and limit checks are an example of a preventive or detective control, file recovery is an example of a corrective control, and access controls are an example of a preventive control. A combination of controls is stronger than a single type of control.
Edit and limit checks, digital signatures, and access controls are incorrect because they are all examples of preventive controls. Preventive controls keep undesirable events from occurring. In a computing environment, preventive controls are accomplished by implementing automated procedures to prohibit unauthorized system access and to force appropriate and consistent action by users.
Error reversals, automated error correction, and file recovery are incorrect because they are all examples of corrective controls. Corrective controls cause or encourage a desirable event or corrective action to occur after an undesirable event has been detected. This type of control takes effect after the undesirable event has occurred and attempts to reverse the error or correct the mistake.