CISSP Practice (full text)

192. d. Usually a separate team, other than the incident response team, provides patch management services, and the patch management work can be a combination of manual and automated processes. Automation is needed to perform an analysis of the incident data and select events of interest for human review. Event correlation software, centralized log management software, and security software can be of great value in automating the analysis process. The other three choices are used in the detection and analysis phase, which precedes the recovery phase in which patches are installed.

193. When applying computer forensics to redundant array of independent disks (RAID) disk imaging technology, which of the following are not used as a hash function in verifying the integrity of digital data on RAID arrays as evidence in a court of law?

1. Cyclic redundancy check-32 (CRC-32)

2. Checksums

3. Message digest 5 (MD5)

4. Secure hash algorithm 1 (SHA-1)

a. 1 only

b. 3 only

c. 1 and 2

d. 3 and 4

193. c. Neither CRC-32 nor checksums are used as a hash function in verifying the integrity of digital data on RAID arrays as evidence in a court of law. To be complete and accurate in the eyes of the court, data must be verified as a bit-for-bit match. Failure to provide the court assurance of data integrity can result in the evidence being completely dismissed or used in a lesser capacity as an artifact, finding, or item of note. The court system needs absolute confidence that the data presented to it is an exact, unaltered replication of the original data in question.

CRC-32 is not a cryptographic hash function; it is a 32-bit checksum and is too weak to be relied upon for evidence. Its main weakness is that the probability of two separate and distinct data streams generating the same CRC-32 value is far too high: with only 32 bits of output, a collision among random inputs is expected after roughly 2^16 of them, and because CRC is a linear code a stream can be deliberately altered so that its CRC-32 is unchanged. Checksums are digits or bits summed according to some arbitrary rule; they are useful for catching accidental corruption of ordinary data, but they are not hash functions, as required in disk imaging.

Both MD5 and SHA-1 are used as hash functions in verifying the integrity of digital data on RAID arrays as evidence in a court of law. MD5 produces a 128-bit digest and is not susceptible to the same weakness as CRC-32: the chance of any two distinct data streams generating the same MD5 value by accident is extremely low. SHA-1 produces a 160-bit digest and is computationally stronger than MD5. (Practical collision attacks have since been published against both MD5 and SHA-1, so current forensic tooling records a SHA-256 digest alongside them; the principle below is unchanged.) In relation to disk imaging, the benefit of using a hash algorithm is that if any bit is changed or missing between the source and the destination copy, a hash of the data stream will show this difference.
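As an added worked example (written for this page, not part of the book's answer or any forensic product), the following Python script shows both halves of the argument above: it hashes an image stream in chunks with MD5 and SHA-1 (plus SHA-256, an addition beyond the two algorithms the answer names), confirms that a copy is a bit-for-bit match only when every digest agrees, detects a single flipped bit, and then finds two distinct 8-byte streams with the same CRC-32 by a seeded birthday search, which succeeds in tens of thousands of samples. The "image" is a constructed in-memory byte string standing in for a block device or RAID volume; the function names are this example's own.

```python
"""Added example: hash-based integrity verification of a disk image, and a
demonstration of why CRC-32 is unsuitable for that job. Illustrative code
written for this page; the image below is constructed, not a real capture."""
import hashlib
import io
import random
import zlib

CHUNK = 1 << 20  # hash a device stream in 1 MiB pieces, never whole in memory

# The two algorithms the answer names, plus SHA-256, which current forensic
# tools record because MD5 and SHA-1 have published collision attacks.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream):
    """Return {algorithm: hexdigest} over every byte of a file-like stream.

    One pass over the data feeds all hashers at once, which is what an
    imaging tool does while it copies a drive sector by sector.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes):
    """Convenience wrapper for in-memory data (stand-in for a device file)."""
    return hash_stream(io.BytesIO(data))


def verify_copy(source: bytes, copy: bytes) -> bool:
    """True only if source and copy agree on every digest, i.e. the copy is
    a bit-for-bit match of the original."""
    return hash_bytes(source) == hash_bytes(copy)


def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Return data with one bit toggled (simulates a corrupted sector)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def crc32_hex(data: bytes) -> str:
    """CRC-32 of data as 8 hex digits, for comparison with the digests."""
    return f"{zlib.crc32(data):08x}"


def find_crc32_collision(max_samples: int = 1_000_000, seed: int = 7):
    """Birthday search for two distinct 8-byte streams with equal CRC-32.

    A 32-bit checksum collides after roughly 2**16 random inputs; the same
    search against 128-bit MD5 would need about 2**64 samples, which is the
    gap between a checksum and a hash. Returns (a, b, crc_hex) or None.
    """
    rng = random.Random(seed)  # seeded so the demonstration is repeatable
    seen = {}
    for _ in range(max_samples):
        sample = rng.randbytes(8)
        crc = zlib.crc32(sample)
        if crc in seen and seen[crc] != sample:
            return seen[crc], sample, f"{crc:08x}"
        seen[crc] = sample
    return None


if __name__ == "__main__":
    # Constructed stand-in for a captured RAID volume: 3 MiB of pseudo-random
    # sectors generated from a fixed seed.
    image = random.Random(1).randbytes(3 * CHUNK)
    print(hash_bytes(image))
    print("clean copy verifies:", verify_copy(image, image))
    print("copy with one flipped bit verifies:",
          verify_copy(image, flip_bit(image, 2 * CHUNK + 123, 5)))
    a, b, crc = find_crc32_collision()
    print(f"CRC-32 collision: {a.hex()} and {b.hex()} both give {crc}")
```

The search loop returns well before the one-million-sample cap; the cap exists only so the function terminates in the (astronomically unlikely) event that no 32-bit collision appears. In practice the source digests are recorded in the chain-of-custody log at acquisition time and re-verified against every working copy.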

194. A user providing illegal copies of software to others is an example of which of the following computer-security incident types?

a. Denial-of-service

b. Malicious code

c. Unauthorized access

d. Inappropriate usage

194. d. Using file-sharing services (e.g., peer-to-peer, P2P) to acquire or distribute pirated software is an example of inappropriate usage. Inappropriate usage occurs when a person violates acceptable computing use policies.

A denial-of-service (DoS) attack prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. Malicious code includes a virus, worm, Trojan horse, or other code-based malicious entity that infects a host. Unauthorized access occurs when a person gains logical or physical access without permission to a network, operating system, application system, data, or device.

195. When should the incident response team become acquainted with its various law enforcement representatives?

a. After an incident has occurred

b. Before an incident occurs

c. While an incident is occurring

d. After the incident is taken to court

195. b. The incident response team should become acquainted with its various law enforcement representatives before an incident occurs to discuss conditions under which incidents should be reported to them, how the reporting should be performed, what evidence should be collected, and how the evidence should be collected.

196. Which of the following is the major reason for many security-related incidents not resulting in convictions?

a. Organizations do not properly contact law enforcement agencies.

b. Organizations are confused about the role of various law enforcement agencies.

c. Organizations do not know the attacker’s physical location.
