168. A fault-tolerant design feature for large distributed systems considers all the following except:
a. Using multiple components to duplicate functionality
b. Using duplicated systems in separate locations
c. Using modular components
d. Providing backup power supplies
168. d. A fault-tolerant design should make a system resistant to failure and able to operate continuously. Many ways exist to develop fault tolerance in a system, including using two or more components to duplicate functionality, duplicating systems in separate locations, or using modular components in which failed components can be replaced with new ones. It does not include providing backup power supplies, because that is part of preventive maintenance, which should be used together with fault-tolerant design. Preventive maintenance measures reduce the likelihood of significant impairment to components.
169. The process of degaussing involves which of the following?
a. Retrieving all stored information
b. Storing all recorded information
c. Removing all recorded information
d. Archiving all recorded information
169. c. The purpose of degaussing is to remove all recorded information from a computer-recorded magnetic tape. It does this by demagnetizing the recording medium (the tape or the hard drive). After degaussing is done, the magnetic media is in a fully demagnetized state. Degaussing cannot retrieve, store, or archive information.
170. An audit trail record should include sufficient information to trace a user’s actions and events. Which of the following information in the audit trail record helps the most to determine if the user was a masquerader or the actual person specified?
a. The user identification associated with the event
b. The date and time associated with the event
c. The program used to initiate the event
d. The command used to initiate the event
170. b. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. Date and time stamps can help determine if the user was a masquerader or the actual person specified. With the date and time, one can determine whether a specific user worked on that day and at that time.
The other three choices are incorrect because the masquerader could be using a fake user identification (ID) number or calling for invalid and inappropriate programs and commands.
In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result.
171. Automated tools help in analyzing audit trail data. Which one of the following tools looks for anomalies in user or system behavior?
a. Trend analysis tools
b. Audit data reduction tools
c. Attack signature detection tools
d. Audit data-collection tools
171. a. Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Trend analysis and variance detection tools look for anomalies in user or system behavior.
Audit data reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups.
Attack signature detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example is repeated failed log-in attempts. Audit data-collection tools simply gather data for analysis later.
172. Regarding a patch management program, which of the following helps system administrators most in terms of monitoring and remediating IT resources?
1. Supported equipment
2. Supported applications software
3. Unsupported hardware
4. Unsupported operating systems
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
172. d. Here, "supported" and "unsupported" refer to whether company management has approved the acquisition, installation, and operation of the hardware and software: approved in the former case and not approved in the latter. System administrators should be taught how to independently monitor and remediate unsupported hardware, operating systems, and applications software because unsupported resources are vulnerable to exploitation. Non-compliant employees could have purchased and installed the unsupported hardware and software on their personal computers, which is riskier than using the supported ones. A potential risk is that the unsupported systems could be incompatible with the supported systems and may not have the required security controls.
A list of supported resources is needed to analyze the inventory and identify those resources that are used within the organization. This allows the system administrators to know which hardware, operating systems, and applications will be checked for new patches, vulnerabilities, and threats. Note that not patching the unsupported systems can negatively impact the patching of the supported systems, as they coexist and operate on the same computer or network.
173. Which of the following is the best action to take when an information system media cannot be sanitized?
a. Clearing
b. Purging
c. Destroying
d. Disposal
173. c. Information system media that cannot be sanitized should be destroyed. Destroying means ensuring that the media cannot be reused as originally intended and that the information is virtually impossible or prohibitively expensive to recover.
Sanitization techniques include disposal, clearing, purging, and destruction. Disposal is the act of discarding media by giving up control in a manner short of destruction, and is not a strong protection. Clearing is the overwriting of classified information such that the media may be reused. Purging is the removal of obsolete data by erasure, by overwriting of storage, or by resetting registers. Clearing media would not suffice for purging.
174. Regarding a patch management program, which of the following benefits confirm that the remediations have been conducted appropriately?
1. Avoiding an unstable website
2. Avoiding an unusable website
3. Avoiding a security incident
4. Avoiding unplanned downtime
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
174. d. There are understandable benefits in confirming that the remediations have been conducted appropriately, namely possibly avoiding a security incident or unplanned downtime. Central system administrators can send remediation information on a disk to local administrators as a safe alternative to an e-mail list if the network or the website is unstable or unusable.