Reading CISSP Practice in full

d. Organizations do not know the attacker’s logical location.

196. a. The major reason that many security-related incidents do not result in convictions is that organizations do not properly contact law enforcement agencies. An organization should not contact multiple law enforcement agencies because of jurisdictional conflicts. Organizations should appoint one incident response team member as the primary point of contact with law enforcement agencies. The team should understand what the potential jurisdictional issues are (i.e., physical location versus logical location of the attacker).

197. Which of the following are used to capture and analyze network traffic that may contain evidence of a computer security incident?

1. Packet sniffers

2. Forensic software

3. Protocol analyzers

4. Forensic workstations

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 2 and 4

197. b. Packet sniffers and protocol analyzers capture and analyze network traffic that may contain malware activity and evidence of a security incident. Packet sniffers are designed to monitor network traffic on wired or wireless networks and capture packets. Most packet sniffers are also protocol analyzers, which means that they can reassemble streams from individual packets and decode communications that use any of hundreds or thousands of different protocols. Because packet sniffers and protocol analyzers perform the same functions, they could be combined into a single tool.

Computer forensic software is used to analyze disk images for evidence of an incident, whereas forensic workstations are used to create disk images, preserve log files, and save incident data.
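As an added illustration of the distinction drawn above (this code is not from the CISSP Practice text): a sniffer captures raw packets, while a protocol analyzer decodes the headers and reassembles the stream. The Python example below works on constructed IPv4/TCP segments instead of a live capture; it decodes the headers, rebuilds the TCP byte stream from out-of-order and duplicated segments, and reads the HTTP request line. The addresses, ports and request are assumed sample values.

```python
import struct
from ipaddress import IPv4Address

def build_segment(seq: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+TCP segment (constructed sample; checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address("10.0.0.5").packed, IPv4Address("10.0.0.9").packed)
    return ip + tcp

def parse_segment(raw: bytes) -> dict:
    """Decode the IPv4 and TCP headers, as a protocol analyzer does for each packet."""
    ihl = (raw[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if raw[9] != 6:                                # protocol field: 6 = TCP
        raise ValueError("not a TCP segment")
    src, dst = IPv4Address(raw[12:16]), IPv4Address(raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4               # TCP header length in bytes
    return {"src": str(src), "sport": sport, "dst": str(dst), "dport": dport,
            "seq": seq, "payload": tcp[data_off:]}

def reassemble(packets) -> dict:
    """Group segments by flow and rebuild each byte stream in sequence order.
    Keying on the sequence number also discards retransmitted duplicates."""
    flows = {}
    for seg in map(parse_segment, packets):
        key = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        flows.setdefault(key, {})[seg["seq"]] = seg["payload"]
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def request_line(stream: bytes) -> str:
    """Decode the application layer: the first line of an HTTP request."""
    return stream.split(b"\r\n", 1)[0].decode("ascii")

# Constructed sample: one HTTP request split into three segments, delivered out of
# order and with one segment duplicated, as a sniffer might see it on the wire.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
CHUNKS = [REQUEST[:10], REQUEST[10:30], REQUEST[30:]]
SEGMENTS = [build_segment(1000 + len(b"".join(CHUNKS[:i])), c) for i, c in enumerate(CHUNKS)]
CAPTURE = [SEGMENTS[2], SEGMENTS[0], SEGMENTS[2], SEGMENTS[1]]

def analyze(capture=CAPTURE) -> str:
    stream = reassemble(capture)[("10.0.0.5", 40000, "10.0.0.9", 80)]
    return request_line(stream)

if __name__ == "__main__":
    print(analyze())
```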

198. Which of the following facilitates faster response to computer security incidents?

a. Rootkit

b. Tool kit

c. Computer kit

d. Jump kit

198. d. Many incident response teams create a jump kit, which is a portable bag containing materials such as a laptop computer loaded with the required software, blank media, backup devices, network equipment and cables, and operating system and application software patches. This jump kit is taken with the incident handler during an offsite investigation of an incident for faster response. The jump kit is ready to go at all times so that when a serious incident occurs, incident handlers can grab the jump kit and go, giving them a jump start.

A rootkit is a set of tools used by an attacker after gaining root-level access to a host. The rootkit conceals the attacker’s activities on the host, permitting the attacker to maintain root-level access to the host through covert means. Rootkits are publicly available, and many are designed to alter logs to remove any evidence of the rootkit’s installation or execution. Tool kit and computer kit are generic terms without any specific value here.

199. Which of the following statements about security controls, vulnerabilities, risk assessment, and incident response awareness is not correct?

a. Insufficient security controls lead to slow responses and larger negative business impacts.

b. A large percentage of incidents involve exploitation of a small number of vulnerabilities.

c. Risk assessment results can be interpreted to ignore security over resources that are less than critical.

d. Improving user awareness regarding incidents reduces the frequency of incidents.

199. c. Risk assessments usually focus on critical resources. This should not be interpreted as a justification for organizations to ignore the security of resources that are deemed to be less than critical because the organization is only as secure as its weakest link.

If security controls are insufficient, high volumes of incidents may occur, which can lead to slow and incomplete responses that, in turn, translate into larger negative business impacts (e.g., more extensive damage, longer delays in providing services, and longer system unavailability). Many security experts agree that a large percentage of incidents involve exploitation of a relatively small number of vulnerabilities in operating systems and application systems (i.e., an example of Pareto’s 80/20 principle). Improving user awareness regarding incidents should reduce the frequency of incidents, particularly those involving malicious code and violations of acceptable use policies.

200. Some security incidents fit into more than one category for identification and reporting purposes. An incident response team should categorize incidents by the use of:
