56. Effective control is achieved when configuration management control is established prior to the start of which of the following?

a. Requirements analysis

b. Design

c. Coding

d. Testing

56. b. The design phase translates requirements into a representation of the software. The design is placed under configuration management control before coding begins.

Requirements analysis is incorrect because it focuses on gathering requirements to understand the nature of the programs to be built. The design must be translated into code-readable form. The coding step performs this task. Code is verified, for example, through the inspection process and put under configuration management control prior to the start of formal testing. After code is generated, program testing begins. The testing focuses on the logical internals of the software, ensuring that all statements have been tested, and on the functional externals; that is, conducting tests to uncover errors to ensure that the defined input can produce actual results that agree with required results.

57. The security-planning document developed in the development/acquisition phase of a system development life cycle (SDLC) does not contain which of the following?

a. System interconnection agreements

b. Security tests and evaluation results

c. Request for proposal

d. Plan of actions and milestones

57. c. The request for proposal development, evaluation, and acceptance are a part of other planning components in the development/acquisition phase of an SDLC. It is a part of project management activities. The other three choices are part of the security-planning document.

58. A worm has infected a system. What should be the first step in handling the worm incident?

a. Analyze the host computer.

b. Disconnect the infected system.

c. Analyze the server.

d. Identify the worm’s behavior.

58. b. Worm incidents often necessitate as rapid a response as possible, because an infected system may be attacking other systems both inside and outside the organization. Organizations may choose to disconnect infected systems from networks immediately, instead of performing an analysis of the host first. Next, the analyst can examine fixed (nonvolatile) characteristics of the server’s operating system, such as looking for administrative-level user accounts and groups that may have been added by the worm. Ultimately, the analyst should gather enough information to identify the worm’s behavior in sufficient detail so that the incident response team can act effectively to contain, eradicate, and recover from the incident.

59. A worm has infected a system. From a network traffic perspective, which of the following contains more detailed information?

a. Network-based IDS and firewalls

b. Routers

c. Host-based IDS and firewalls

d. Remote access servers

59. c. Host-based intrusion detection system (IDS) and firewall products running on the infected system may contain more detailed information than network-based IDS and firewall products. For example, host-based IDS can identify changes to files or configuration settings on the host that were performed by a worm. This information is helpful not only in planning containment, eradication, and recovery activities by determining how the worm has affected the host, but also in identifying which worm infected the system. However, because many worms disable host-based security controls and destroy log entries, data from host-based IDS and firewall software may be limited or missing. If the software was configured to forward copies of its logs to centralized log servers, then queries to those servers may provide some useful information (assuming the host logs’ integrity is not in doubt).

Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which indicates which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, which include the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, virtual private network (VPN) gateways, and remote access servers may record information similar to that logged by network-based firewalls.
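As an added illustration of the two log perspectives in questions 58 and 59 (example code, not part of the original study guide): the network firewall's blocked-connection entries reveal which hosts and which service ports the infected system tried to reach, while the host-based IDS entries show what the worm changed on the host, including any administrative-level accounts it added. The log formats, field names, service-name table and admin-group set are all assumptions constructed for this example.

```python
from collections import Counter

# Constructed sample logs (not captured traffic). Field names and formats are
# assumptions for this example, not any product's real output.
FIREWALL_LOG = """\
2024-01-01T10:00:01 action=DENY src=10.0.0.5 dst=10.0.1.20 dport=445 proto=tcp
2024-01-01T10:00:01 action=DENY src=10.0.0.5 dst=10.0.1.21 dport=445 proto=tcp
2024-01-01T10:00:02 action=DENY src=10.0.0.5 dst=10.0.1.22 dport=445 proto=tcp
2024-01-01T10:00:02 action=ALLOW src=10.0.0.9 dst=10.0.1.20 dport=443 proto=tcp
2024-01-01T10:00:03 action=DENY src=10.0.0.5 dst=10.0.1.23 dport=139 proto=tcp
"""
HOST_IDS_LOG = """\
2024-01-01T10:00:05 host=10.0.0.5 event=file_modified path=/etc/passwd
2024-01-01T10:00:05 host=10.0.0.5 event=user_added name=svc_backup group=wheel
2024-01-01T10:00:06 host=10.0.0.5 event=file_created path=/tmp/.x/payload.bin
2024-01-01T10:00:07 host=10.0.0.7 event=user_added name=alice group=users
"""
SERVICE_NAMES = {139: "NetBIOS", 445: "SMB", 443: "HTTPS"}  # assumed port mapping
ADMIN_GROUPS = {"wheel", "root", "Administrators"}          # assumed admin groups

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts (blank lines skipped)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = ts
        records.append(rec)
    return records

def blocked_targets(fw_log, infected_host):
    """Network view: destinations and services the infected host tried to reach."""
    blocked = [r for r in parse_log(fw_log)
               if r["action"] == "DENY" and r["src"] == infected_host]
    ports = Counter(int(r["dport"]) for r in blocked)
    return {"targets": sorted({r["dst"] for r in blocked}),
            "services": {SERVICE_NAMES.get(p, f"tcp/{p}"): n for p, n in ports.most_common()}}

def host_changes(ids_log, infected_host):
    """Host view: file/config changes and admin-level accounts added on the host."""
    events = [r for r in parse_log(ids_log) if r["host"] == infected_host]
    admin_added = [r["name"] for r in events
                   if r["event"] == "user_added" and r.get("group") in ADMIN_GROUPS]
    return {"changes": [(r["event"], r.get("path") or r.get("name")) for r in events],
            "admin_accounts_added": admin_added}

if __name__ == "__main__":
    print(blocked_targets(FIREWALL_LOG, "10.0.0.5"))
    print(host_changes(HOST_IDS_LOG, "10.0.0.5"))
```

Because a worm may have disabled the host agent or wiped its logs, the host view is only trustworthy when the entries were forwarded to a central log server before the compromise, as the explanation above notes.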
