Reading CISSP Practice in full

224. c. Regulations require many organizations to protect sensitive information and maintain certain records for audit purposes. Organizations can exercise due diligence and comply with regulatory requirements. Due diligence requires developing and implementing an effective security program to prevent and detect violation of policies and laws. The other three choices deal with day-to-day operations work, not with regulatory requirements.

225. Computer incident response process is a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

225. d. Computer incident response process is a part of corrective controls because it manages the unexpected security incidents in a systematic manner. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 5.

The ERD Company has just had a theft of 2.5 million dollars via the Internet. The IT management believes the cause to be malware installed by an attacker. This represents 2 percent of the company’s total assets. The senior executives have been notified, but they will not be available for the next 36 hours. The last policy update for incident response was 4 years ago. Since the update, the people in charge of incident handling have left the company. The contact information for the virtual team is not current.

1. A search of the malware database did not lead to the identification of the worm. In analyzing the current state of the host, the incident handler feels that the worm has created a backdoor. Which of the following aspects of the host’s current state can identify that backdoor?

a. Unusual connections

b. Unexpected listening ports

c. Unknown processes

d. Unusual entries

1. b. The analyst can look at several different aspects of the host’s current state. It is good to start with identifying unusual connections (e.g., large number, unexpected port number usage, and unexpected hosts) and unexpected listening ports (e.g., backdoors created by the worm). Other steps that may be useful include identifying unknown processes in the running process list, and examining the host’s logs to reveal any unusual entries that may be related to the infection.
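The three host-state checks the answer lists (unexpected listening ports, unknown processes, unusual connections) as a small triage script. This is an added example, not from the book: the snapshot format, the baseline sets and the `updsvc` process are constructed for illustration, and a real run would feed it a converted `ss`/`netstat` listing and a baseline taken from a known-good build.

```python
from collections import Counter, namedtuple

# Assumed baseline for this host (e.g. from its build image or last clean snapshot).
BASELINE_LISTENERS = {("tcp", 22, "sshd"), ("tcp", 443, "nginx")}
BASELINE_PROCESSES = {"sshd", "nginx", "cron", "chronyd"}
MAX_CONNS_PER_PROCESS = 50  # more outbound sockets than this looks like worm fan-out

# Constructed snapshot (not real tool output): proto,local_port,remote,state,pid,process
SNAPSHOT = "\n".join(
    ["tcp,22,10.0.0.5:51022,ESTABLISHED,611,sshd",
     "tcp,22,*,LISTEN,611,sshd",
     "tcp,443,*,LISTEN,842,nginx",
     "tcp,4444,*,LISTEN,1337,updsvc"]
    + [f"tcp,{40000 + i},192.0.2.{i}:445,SYN_SENT,1337,updsvc" for i in range(60)]
)

Socket = namedtuple("Socket", "proto port remote state pid process")

def parse_snapshot(text):
    """Parse the snapshot format above into Socket records, skipping blank lines."""
    socks = []
    for line in text.splitlines():
        if line.strip():
            proto, port, remote, state, pid, proc = line.split(",")
            socks.append(Socket(proto, int(port), remote, state, int(pid), proc))
    return socks

def unexpected_listeners(socks, baseline=BASELINE_LISTENERS):
    """Listening sockets the baseline does not account for: backdoor candidates."""
    return [s for s in socks
            if s.state == "LISTEN" and (s.proto, s.port, s.process) not in baseline]

def unknown_processes(socks, baseline=BASELINE_PROCESSES):
    """Process names holding sockets that are not in the expected process set."""
    return sorted({s.process for s in socks if s.process not in baseline})

def unusual_connections(socks, limit=MAX_CONNS_PER_PROCESS):
    """Processes with more non-listening sockets than the threshold allows."""
    counts = Counter(s.process for s in socks if s.state != "LISTEN")
    return {proc: n for proc, n in counts.items() if n > limit}

def triage(text=SNAPSHOT):
    """Run all three checks from the answer over one snapshot and return the findings."""
    socks = parse_snapshot(text)
    return {
        "unexpected_listeners": [(s.port, s.pid, s.process) for s in unexpected_listeners(socks)],
        "unknown_processes": unknown_processes(socks),
        "unusual_connections": unusual_connections(socks),
    }
```

Each finding carries the PID so the handler can pivot from the listening port to the process and then to the host logs the answer mentions.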

2. A worm has infected a system. From a network data analysis perspective, which of the following contains more detailed information?

a. Network-based IDS and firewalls

b. Routers

c. Host-based IDS and firewalls

d. Remote access servers

2. c. Intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, a host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software were configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information.

Network-based IDS is incorrect because it indicates only which server was attacked and on what port number, which reveals which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, VPN gateways, and remote access servers, may record information similar to that logged by network-based firewalls.
