Honeypots are hosts that have no authorized users other than the honeypot administrators because they serve no business function; all activity directed at them is considered suspicious. Attackers scan and attack honeypots, giving administrators data on new trends and attack/attacker tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems, and applications.
164. Each user is granted the lowest clearance needed to perform authorized tasks. Which of the following principles is this?
a. The principle of least privilege
b. The principle of separation of duties
c. The principle of system clearance
d. The principle of system accreditation
164. a. The principle of least privilege requires that each subject (user) in a system be granted the most restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application of this principle limits the damage that can result from accident, error, and/or unauthorized use. The principle of separation of duties states that no single person can have complete control over a business transaction or task.
The principle of system clearance states that users’ access rights should be based on their job clearance status (i.e., sensitive or non-sensitive). The principle of system accreditation states that all systems should be approved by management prior to making them operational.
165. Which of the following intrusion detection and prevention system (IDPS) methodology is appropriate for analyzing both network-based and host-based activity?
a. Signature-based detection
b. Misuse detection
c. Anomaly-based detection
d. Stateful protocol analysis
165. d. IDPS technologies use many methodologies to detect incidents. The primary classes of detection methodologies include signature-based, anomaly-based, and stateful protocol analysis, where the latter is the only one that analyzes both network-based and host-based activity.
Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. A signature is a pattern that corresponds to a known threat. It is sometimes incorrectly referred to as misuse detection or stateful protocol analysis. Misuse detection refers to attacks originating from within an organization.
Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations and abnormal behavior.
Stateful protocol analysis (also known as deep packet inspection) is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Stateful protocol analysis is appropriate for analyzing both network-based and host-based activity, whereas deep packet inspection is appropriate for network-based activity only. A network-based IDPS can listen on a network segment or switch and monitor the network traffic affecting the multiple hosts connected to that segment. A host-based IDPS operates on information collected from within an individual computer system and determines which processes and user accounts are involved in a particular attack.
166. The Clark-Wilson security model focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
166. b. The Clark-Wilson security model is an approach that provides data integrity for common commercial activities. It is a specific model addressing “integrity,” which is one of five security objectives. The five objectives are: confidentiality, integrity, availability, accountability, and assurance.
167. The Biba security model focuses on which of the following?
a. Confidentiality
b. Integrity
c. Availability
d. Accountability
167. b. The Biba security model is an integrity model in which no subject may depend on a less trusted object, including another subject. It is a specific model addressing only one of the security objectives (confidentiality, integrity, availability, and accountability), namely integrity.
168. The Take-Grant security model focuses on which of the following?
a. Confidentiality
b. Accountability
c. Availability
d. Access rights