d. Organizations do not know the attacker’s logical location.
197. Which of the following are used to capture and analyze network traffic that may contain evidence of a computer security incident?
1. Packet sniffers
2. Forensic software
3. Protocol analyzers
4. Forensic workstations
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 2 and 4
Computer forensic software is used to analyze disk images for evidence of an incident, whereas forensic workstations are used to create disk images, preserve log files, and save incident data.
198. Which of the following facilitates faster response to computer security incidents?
a. Rootkit
b. Tool kit
c. Computer kit
d. Jump kit
A rootkit is a set of tools used by an attacker after gaining root-level access to a host. The rootkit conceals the attacker’s activities on the host, permitting the attacker to maintain root-level access to the host through covert means. Rootkits are publicly available, and many are designed to alter logs to remove any evidence of the rootkit’s installation or execution. Tool kit and computer kit are generic terms without any specific value here.
199. Which of the following statements about security controls, vulnerabilities, risk assessment, and incident response awareness is
a. Insufficient security controls lead to slow responses and larger negative business impacts.
b. A large percentage of incidents involve exploitation of a small number of vulnerabilities.
c. Risk assessment results can be interpreted to ignore security over resources that are less than critical.
d. Improving user awareness regarding incidents reduces the frequency of incidents.
If security controls are insufficient, high volumes of incidents may occur, which can lead to slow and incomplete responses, which in turn translate into larger negative business impacts (e.g., more extensive damage, longer delays in providing services, and longer system unavailability). Many security experts agree that a large percentage of incidents involve exploitation of a relatively small number of vulnerabilities in operating systems and application systems (i.e., an example of Pareto’s 80/20 principle). Improving user awareness regarding incidents should reduce the frequency of incidents, particularly those involving malicious code and violations of acceptable use policies.
200. Some security incidents fit into more than one category for identification and reporting purposes. An incident response team should categorize incidents by the use of: