121. Which of the following is not part of malware incident detection and analysis phase?
a. Understanding signs of malware incidents
b. Acquiring tools and resources
c. Identifying malware incident characteristics
d. Prioritizing incident response
121. b. Acquiring tools and resources is a part of the preparation phase. These tools and resources may include packet sniffers and protocol analyzers. The other three choices are incorrect because they are a part of the detection phase. The malware incident response life cycle has four phases, including (i) preparation, (ii) detection and analysis, (iii) containment, eradication, and recovery, and (iv) post-incident activity.
122. Which of the following statements is true about application software testing?
a. Basic testing equals black-box testing.
b. Comprehensive testing equals black-box testing.
c. Basic testing equals gray-box testing.
d. Comprehensive testing equals focused testing.
122. a. Basic testing is a test methodology that assumes no knowledge of the internal structure and implementation details of the assessment object. Basic testing is also known as black-box testing.
Comprehensive testing is a test methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object. Comprehensive testing is also known as white-box testing.
Focused testing is a test methodology that assumes some knowledge of the internal structure and implementation detail of the assessment object. Focused testing is also known as gray-box testing.
123. Which of the following cannot handle the complete workload of a malware incident and cannot ensure a defense-in-depth strategy?
a. Antivirus software
b. E-mail filtering
c. Network-based intrusion prevention system software
d. Host-based IPS software
123. a. In a widespread incident, if malware cannot be identified by updated antivirus software, or updated signatures are not yet fully deployed, organizations should be prepared to use other security tools to contain the malware until the antivirus signatures can perform the containment effectively. Expecting antivirus software to handle the complete workload of a malware incident is unrealistic during high-volume infections. By using a defense-in-depth strategy for detecting and blocking malware, an organization can spread the workload across multiple components. Antivirus software alone cannot ensure a defense-in-depth strategy. Automated detection methods other than antivirus software are needed to ensure a defense-in-depth strategy. These detection methods include e-mail filtering, network-based intrusion prevention system (IPS) software, and host-based IPS software.
124. Defining roles and responsibilities is important in identifying infected hosts with malware incidents before security incidents occur. Which of the following groups can primarily assist with identifying infected servers?
a. Security administrators
b. System administrators
c. Network administrators
d. Desktop administrators
124. b. Organizations should identify which individuals or groups can assist in infection identification efforts. System administrators are good at identifying infected servers such as domain name system (DNS), e-mail, and Web servers. The other three administrators have different roles, from the viewpoints of separation of duties, independence, and objectivity.
125. Which of the following is true about a stealth virus?
a. It is easy to detect.
b. It is a resident virus.
c. It can reveal file size increases.
d. It doesn’t need to be active to show stealth qualities.
125. b. A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. An active stealth file virus typically does not reveal any size increase in infected files, and it must be active to exhibit its stealth qualities.
126. Which of the following is not a common tool for eradication of malware from an infected host?
a. Antivirus software
b. Spam-filtering software
c. Spyware detection and removal utility software
d. Patch management software