104. Which of the following is the most effective approach in identifying infected hosts with malware incidents and in striking a balance between speed, accuracy, and timeliness?

a. Forensic identification

b. Active identification

c. Manual identification

d. Multiple identifications

104. d. Malware is malicious software and malicious code. In many cases, it is most effective to use multiple identification approaches simultaneously or in sequence, because this provides the best results for striking a balance between speed, accuracy, and timeliness. Multiple identification approaches are also needed where a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts (for example, in DoS and DDoS attacks).

Forensic identification is effective when the data is recent, although the data might not be comprehensive. Active identification produces the most accurate results, although it is often not the fastest way of identifying infections because it requires scanning every host in an organization. Manual identification is not feasible for comprehensive enterprise-wide identification, but it is a necessary part of identification when other methods are not available, and it can fill in gaps when other methods are insufficient.
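The combination of approaches described in this answer, as an added example that is not part of the original question bank: forensic identification (antivirus and IDS logs, fast but possibly stale) and active identification (a host scan, accurate but slow and usually incomplete) are merged into one triage queue, with hosts that only forensic sources flag handed to manual identification. The host names, log lines, log format, timestamps and scan results are all constructed for the example.

```python
"""Triage queue combining several malware-identification approaches.

Constructed example code for the 'multiple identification approaches'
answer; it is not from the original question bank. All host names,
log lines, timestamps and scan results below are made up.
"""
from datetime import datetime, timedelta

# Constructed forensic evidence: antivirus and IDS log lines in a
# hypothetical key=value format.
AV_LOG = """\
2024-03-01T09:12:00 host=ws-17 alert=Trojan.Generic action=quarantine
2024-03-01T09:30:00 host=ws-22 alert=Worm.Blaster action=failed
2024-02-20T11:00:00 host=ws-03 alert=Adware.X action=quarantine
"""
IDS_LOG = """\
2024-03-01T09:31:10 src=ws-22 sig=worm-propagation-scan
2024-03-01T09:40:05 src=ws-41 sig=c2-beacon
"""

# Constructed active identification results: only a subset of hosts has
# been scanned so far, because scanning every host takes time.
ACTIVE_SCAN = {"ws-17": "clean", "ws-22": "infected", "ws-09": "infected"}

NOW = datetime(2024, 3, 1, 10, 0, 0)        # constructed "current" time
FORENSIC_MAX_AGE = timedelta(days=3)        # forensic data is only trusted when recent


def parse_kv_log(text, host_key):
    """Parse '<timestamp> k=v k=v ...' lines into (time, host, fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv[host_key], kv))
    return events


def forensic_hits(now=NOW, max_age=FORENSIC_MAX_AGE):
    """Forensic identification: collect hosts flagged by recent log evidence.

    Entries older than max_age are discarded because forensic data is
    effective only when it is recent.
    """
    hits = {}
    events = parse_kv_log(AV_LOG, "host") + parse_kv_log(IDS_LOG, "src")
    for ts, host, kv in events:
        if now - ts <= max_age:
            hits.setdefault(host, []).append(kv.get("alert") or kv.get("sig"))
    return hits


def triage(active=ACTIVE_SCAN, now=NOW):
    """Combine forensic and active identification.

    Returns (confirmed, suspected, cleared):
      confirmed - active scan says infected (most accurate source)
      cleared   - active scan says clean; forensic-only evidence is overridden
      suspected - forensic evidence only, not yet actively verified;
                  this is the queue for manual identification
    """
    forensic = forensic_hits(now)
    confirmed, suspected, cleared = [], [], []
    for host in sorted(set(forensic) | set(active)):
        verdict = active.get(host)
        if verdict == "infected":
            confirmed.append(host)
        elif verdict == "clean":
            cleared.append(host)
        else:
            suspected.append(host)
    return confirmed, suspected, cleared


if __name__ == "__main__":
    confirmed, suspected, cleared = triage()
    print("confirmed:", confirmed)   # ['ws-09', 'ws-22']
    print("manual follow-up:", suspected)   # ['ws-41']
    print("cleared:", cleared)   # ['ws-17']
```

The active scan is treated as authoritative wherever it has covered a host; the stale antivirus entry for ws-03 drops out of the forensic set, and ws-41, flagged only by the IDS, lands in the manual-identification queue until the scan reaches it.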

105. Traditionally, which of the following malware attacker tools is the hardest to detect?

a. Backdoors

b. Rootkits

c. Keystroke loggers

d. Tracking cookies

105. b. Malware categories include viruses, worms, Trojan horses, and malicious mobile code, as well as combinations of these, known as blended attacks. Malware also includes attacker tools such as backdoors, rootkits, keystroke loggers, and tracking cookies used as spyware. Of all the types of malware attacker tools, rootkits are traditionally the hardest to detect because they often change the operating system at the kernel level, which allows them to be concealed from antivirus software. Newer versions of rootkits can hide in the master boot record, as do some viruses.

106. Which of the following virus obfuscation techniques is difficult for antivirus software to overcome?

a. Self-encryption

b. Polymorphism

c. Metamorphism

d. Stealth

106. c. Older obfuscation techniques, including self-encryption, polymorphism, and stealth, are generally handled effectively by antivirus software. However, newer, more complex obfuscation techniques, such as metamorphism, are still emerging and can be considerably more difficult for antivirus software to overcome. The idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption.

Self-encryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination. Polymorphism is incorrect because it is a particularly robust form of self-encryption in which the content of the underlying virus code body does not change; encryption alters its appearance only. Stealth is incorrect because a stealth virus uses various techniques to conceal the characteristics of an infection, such as interfering with file sizes.

107. The goal of which of the following virus obfuscation techniques is to prevent analyzing the virus’s functions through disassembly?

a. Armoring

b. Tunneling

c. Self-decryption

d. Metamorphism

107. a. The intent of armoring is to write a virus so that it attempts to prevent antivirus software or human experts from analyzing the virus's functions through disassembly (i.e., a reverse-engineering technique), traces, and other means.

Tunneling is incorrect because it deals with the operating system. A virus that employs tunneling inserts itself into a low level of the operating system so that it can intercept low-level operating system calls. By placing itself below the antivirus software, the virus attempts to manipulate the operating system to prevent detection by antivirus software.

Self-decryption is incorrect because some viruses can encrypt and decrypt their virus code bodies, concealing them from direct examination.

Metamorphism is incorrect because the idea behind it is to alter the content of the virus itself, rather than hiding the content with encryption.

108. Worms do which of the following?

1. Waste system resources

2. Waste network resources

3. Install backdoors

4. Perform distributed denial-of-service attacks

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 1, 2, 3, and 4
