Reading CISSP Practice in full

a. Access mechanism

b. Target mechanism

c. Transmission mechanism

d. Incident mechanism

200. c. When incidents fit into more than one category, the incident response team should categorize incidents by the transmission mechanism used. For example, a virus that creates a backdoor that has been used to gain unauthorized access should be treated as a multiple component incident because two transmission mechanisms are used: one as a malicious code incident and the other one as an unauthorized access incident.

201. What is incorrectly classifying a malicious activity as a benign activity called?

a. False negative

b. False positive

c. False warnings

d. False alerts

201. a. Forensic tools create false negatives and false positives. False negatives incorrectly classify malicious activity as benign activity. False positives incorrectly classify benign activity as malicious activity. False warnings and false alerts are generated from intrusion detection system sensors or vulnerability scanners.

202. Which of the following computer and network data analysis methods dealing with computer-incident purposes helps identify policy violations?

a. Operational troubleshooting

b. Log monitoring

c. Data recovery

d. Data acquisition

202. b. Various tools and techniques can assist with log monitoring, such as analyzing log entries and correlating log entries across multiple systems. This can assist with incident handling, identifying policy violations, auditing, and other efforts.

Operational troubleshooting is incorrect because it applies to finding the virtual and physical location of a host with an incorrect network configuration, resolving a functional problem with an application, and recording and reviewing the current operating system and application configuration settings for a host.

Data recovery is incorrect because data recovery tools can recover lost data from systems. This includes data that has been accidentally or purposely deleted, overwritten, or otherwise modified.

Data acquisition is incorrect because it deals with tools to acquire data from hosts that are being redeployed or retired. For example, when a user leaves an organization, the data from the user’s workstation can be acquired and stored in case the data is needed in the future. The workstation’s media can then be sanitized to remove all the original user’s data.
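The explanations for questions 201 and 202 together describe two things a practitioner actually does: correlate log entries from several systems to spot policy violations, and then judge the resulting alerts as true/false positives and negatives. The following added example (not from the book) puts both into code. It assumes a constructed sshd-style auth log and a constructed VPN gateway log, a hypothetical policy (interactive logins only between 08:00 and 20:00 UTC and only with a VPN session in the preceding 30 minutes; `svc_` service accounts exempt), and a constructed ground-truth labelling used only to score the detector.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample logs (not from the page): an auth server and a VPN gateway.
AUTH_LOG = """\
2024-03-01T02:14:05Z auth sshd[1021]: Accepted password for svc_backup from 10.0.5.7
2024-03-01T09:03:11Z auth sshd[1044]: Accepted password for alice from 10.0.2.15
2024-03-01T22:47:30Z auth sshd[1099]: Accepted password for bob from 10.0.2.16
2024-03-01T23:10:02Z auth sshd[1102]: Accepted password for carol from 10.0.2.17
"""
VPN_LOG = """\
2024-03-01T08:55:40Z vpn: user=alice connected src=198.51.100.20
2024-03-01T22:40:12Z vpn: user=bob connected src=203.0.113.9
"""

AUTH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)$")
VPN_RE = re.compile(r"^(\S+) vpn: user=(\S+) connected src=(\S+)$")

# Hypothetical policy parameters (assumption, not from the page).
WORK_START, WORK_END = time(8, 0), time(20, 0)
VPN_WINDOW = timedelta(minutes=30)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    """Parse successful interactive logins into {ts, user, src} records."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m.group(1)), "user": m.group(2), "src": m.group(3)})
    return events


def parse_vpn(text):
    """Map each user to the timestamps of their VPN connections."""
    sessions = {}
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:
            sessions.setdefault(m.group(2), []).append(parse_ts(m.group(1)))
    return sessions


def is_service_account(user):
    return user.startswith("svc_")


def detect_violations(auth_events, vpn_sessions, window=VPN_WINDOW):
    """Correlate auth and VPN logs; return {(user, ts_iso): [reasons]} for policy violations."""
    flagged = {}
    for ev in auth_events:
        if is_service_account(ev["user"]):
            continue  # policy exemption: service accounts are not checked (assumed rule)
        reasons = []
        if not (WORK_START <= ev["ts"].time() <= WORK_END):
            reasons.append("off-hours interactive login")
        # Cross-system correlation: was there a VPN session for this user shortly before?
        recent_vpn = [t for t in vpn_sessions.get(ev["user"], [])
                      if timedelta(0) <= ev["ts"] - t <= window]
        if not recent_vpn:
            reasons.append("no VPN session within %d min" % (window.seconds // 60))
        if reasons:
            flagged[(ev["user"], ev["ts"].isoformat())] = reasons
    return flagged


def evaluate(flagged, ground_truth):
    """Score alerts against labels: FN = malicious but not flagged, FP = benign but flagged."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for key, malicious in ground_truth.items():
        alerted = key in flagged
        if alerted and malicious:
            counts["tp"] += 1
        elif alerted and not malicious:
            counts["fp"] += 1
        elif not alerted and malicious:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


# Constructed ground truth: the analyst's after-the-fact verdict on each login.
GROUND_TRUTH = {
    ("svc_backup", "2024-03-01T02:14:05"): True,   # constructed: stolen service credential
    ("alice", "2024-03-01T09:03:11"): False,
    ("bob", "2024-03-01T22:47:30"): False,         # constructed: approved maintenance window
    ("carol", "2024-03-01T23:10:02"): True,
}


def run_demo():
    flagged = detect_violations(parse_auth(AUTH_LOG), parse_vpn(VPN_LOG))
    return flagged, evaluate(flagged, GROUND_TRUTH)


if __name__ == "__main__":
    flagged, counts = run_demo()
    for key, reasons in flagged.items():
        print(key, reasons)
    print(counts)
```

Running it flags bob and carol. Carol is a true positive (off-hours and no VPN); bob is a false positive, because the constructed ground truth records his off-hours login as approved; and the service-account exemption produces a false negative for `svc_backup`, illustrating how a policy carve-out in the detector turns malicious activity into an apparently benign record, exactly the failure mode question 201 asks about.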

203. Which of the following is best for reviewing packet sniffer data?

a. Security event management software

b. Protocol analyzer

c. Log filtering tool

d. Visualization tool

203. b. Packet sniffer data is best reviewed with a protocol analyzer, which interprets the data for the analyst based on knowledge of protocol standards and common implementations.

Security event management software is incorrect because it is capable of importing security event information from various network traffic-related security event data sources (e.g., IDS logs and firewall logs) and correlating events among the sources.

Log filtering tool is incorrect because it helps an analyst to examine only the events that are most likely to be of interest. Visualization tool is incorrect because it presents security event data in a graphical format.

204. What is a technique for concealing or destroying data so that others cannot access it?

a. Antiforensic

b. Steganography

c. Digital forensic

d. Forensic science

204. a. Antiforensic is a technique for concealing or destroying data so that others cannot access it. Steganography is incorrect because it embeds data within other data to conceal it. Digital forensic is incorrect because it is the application of science to the identification, collection, analysis, and examination of digital evidence while preserving the integrity of the information and maintaining a strict chain of custody for the evidence. Forensic science is incorrect because it is the application of science to the law.

205. A search warrant is required:

a. Before the allegation has been substantiated

b. After establishing the probable cause(s)

c. Before identifying the number of investigators needed

d. After seizing the computer and related equipment

205. b. After the allegation has been substantiated, the prosecutor should be contacted to determine if there is probable cause for a search. Because of the technical orientation of a computer-related crime investigation, presenting a proper technical perspective in establishing probable cause becomes crucial to securing a search warrant.
