126. b. Spam-filtering software, whether host-based or network-based, is effective at stopping known e-mail-based malware that uses the organization's e-mail services, and it also stops some unknown malware. The most common tools for eradication are antivirus software, spyware detection and removal utilities, patch management software, and dedicated malware removal tools.

127. Organizations should strongly consider rebuilding a system that has which of the following malware incident characteristics?

1. Unauthorized administrator-level access.

2. Changes to system files.

3. The system is unstable.

4. The extent of damage is unclear.

a. 1 only

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

127. d. Organizations should be prepared to rebuild each affected system when an incident has any of these characteristics: an attacker gained unauthorized administrator-level access, system files were changed, the system is unstable, or the extent of the damage is unclear. In each of these cases, cleaning the system in place cannot establish that every change the attacker made has been found and reversed.

128. Which of the following ways should be used to rebuild an infected host with malware incident?

1. Reinstalling the operating system

2. Reinstalling the application systems

3. Securing the operating and application systems

4. Restoring the data from known good backups

a. 1 and 2

b. 3 only

c. 1, 2, and 3

d. 1, 2, 3, and 4

128. d. Rebuild each affected system by reinstalling and reconfiguring its operating system and applications, securing (patching and hardening) the operating system and applications so that the host is not reinfected, and then restoring the data from known good backups.
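The last step above hinges on what makes a backup "known good": it must predate the incident, and its contents must match a record that the attacker could not have altered. The following is an added example of that check, not code from the source text. It assumes a manifest of SHA-256 hashes was recorded when the backup was taken and stored out of band, and that the investigation has established the earliest time of malware activity; the file contents, hashes and timestamps are constructed for illustration.

```python
"""Decide whether a backup is 'known good' before restoring it onto a rebuilt host.

Added example for the rebuild procedure; not code from the source text. Assumes
a manifest of SHA-256 hashes recorded when the backup was taken and kept out of
band (an attacker with administrator access on the host could not alter both the
backup and the manifest), and a first-malware-activity time established from the
investigation. File contents, hashes and timestamps are constructed.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_backup(files, manifest, backup_time, first_malware_activity):
    """Return {'restorable': bool, 'problems': [...]} for one backup set.

    Restorable only if the backup predates the first observed malware activity,
    every manifest entry is present with the recorded hash, and the backup holds
    no file the manifest does not list (an unlisted file is how a persistence
    mechanism rides a restore back onto the rebuilt host).
    """
    problems = []
    if backup_time >= first_malware_activity:
        problems.append(
            f"backup taken {backup_time.isoformat()} is not older than "
            f"first malware activity {first_malware_activity.isoformat()}"
        )
    for path, expected in manifest.items():
        if path not in files:
            problems.append(f"missing file: {path}")
        elif sha256_hex(files[path]) != expected:
            problems.append(f"hash mismatch: {path}")
    for path in files:
        if path not in manifest:
            problems.append(f"unlisted file in backup: {path}")
    return {"restorable": not problems, "problems": problems}


# Constructed pre-incident backup contents and the manifest recorded with it.
GOOD_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/srv/app/config.ini": b"[db]\nhost=db.internal\n",
}
MANIFEST = {path: sha256_hex(data) for path, data in GOOD_FILES.items()}

# Constructed timeline: backup on 1 March, first malware activity on 3 March.
BACKUP_TIME = datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc)
FIRST_MALWARE_ACTIVITY = datetime(2024, 3, 3, 14, 30, tzinfo=timezone.utc)


def check_good_backup():
    """The pre-incident backup matches its manifest and is old enough."""
    return verify_backup(GOOD_FILES, MANIFEST, BACKUP_TIME, FIRST_MALWARE_ACTIVITY)


def check_tampered_backup():
    """A backup taken after the incident began, with a weakened sshd_config and
    an added cron job: three findings, so it must not be restored."""
    tampered = dict(GOOD_FILES)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
    tampered["/etc/cron.d/update"] = b"* * * * * root /tmp/.x\n"
    taken = datetime(2024, 3, 4, 2, 0, tzinfo=timezone.utc)
    return verify_backup(tampered, MANIFEST, taken, FIRST_MALWARE_ACTIVITY)


if __name__ == "__main__":
    for name, report in (("good", check_good_backup()), ("tampered", check_tampered_backup())):
        print(name, "restorable" if report["restorable"] else "NOT restorable")
        for problem in report["problems"]:
            print("  -", problem)
```

The manifest must be captured before the incident and held where the compromised host cannot reach it; a manifest generated from the backup at restore time proves nothing, because an attacker who changed the backup would have changed it too.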

129. Lessons learned from major malware incidents improve which of the following?

1. Security policy

2. Software configurations

3. Malware prevention software deployments

4. Malware detection software deployments

a. 1 only

b. 1 and 2

c. 3 and 4

d. 1, 2, 3, and 4

129. d. Capturing the lessons following the handling of a malware incident should help an organization improve its incident handling capability and malware defenses, including needed changes to security policy, software configurations, and malware detection and prevention software deployments.

130. Which of the following is the correct tool and technology deployment sequence for containing malware incidents, especially when a worm attacks a network service?

1. Internet border and internal routers

2. Network-based firewalls

3. Network- and host-based antivirus software

4. Host-based firewalls

a. 1, 2, 4, and 3

b. 2, 3, 1, and 4

c. 3, 4, 2, and 1

d. 4, 2, 1, and 3

130. c. When organizations develop strategies for malware incident containment, they should consider developing tools to assist incident handlers in selecting and implementing containment strategies quickly when a serious incident occurs.

Network- and host-based antivirus software detects and stops the worm, and identifies and cleans the infected systems.

Host-based firewalls block worm activity from entering or exiting hosts; the host-based firewall itself can also be reconfigured to prevent exploitation by the worm, and its software updated so that it is no longer exploitable.

Network-based firewalls detect and stop the worm from entering or exiting networks and subnets.

Internet border and internal routers detect and stop the worm from entering or exiting networks and subnets when the volume of traffic is too high for the network firewalls to handle or when certain subnets need greater protection.

The sequences in the other three choices do not contain malware incidents as well, because their combined effect is not as strong or as effective as the correct sequence.
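Steps 3 and 4 of the sequence above both depend on first identifying which hosts are spreading the worm. The following is an added example of that identification from firewall logs, not code from the source text. A worm attacking a network service probes many hosts on the same port in a short time, so a source that reaches an unusually large number of distinct destinations on one port within a window is a candidate for containment. The log format, addresses, thresholds and the iptables rules are assumptions made for illustration; the log lines are constructed.

```python
"""Identify worm-infected hosts from firewall logs and emit host-based containment rules.

Added example for the containment sequence; not code from the source text. The
log format, addresses, fan-out threshold and iptables rules are assumptions for
illustration, and the log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed firewall log: one host sweeping TCP/445 across a subnet, one host
# talking to three file servers (normal), and ordinary HTTPS traffic.
SAMPLE_LOG = [
    f"2024-03-03T14:30:{i:02d}Z src=10.0.1.5 dst=10.0.2.{i} dport=445 proto=tcp action=deny"
    for i in range(1, 13)
] + [
    "2024-03-03T14:30:05Z src=10.0.1.7 dst=10.0.2.30 dport=445 proto=tcp action=allow",
    "2024-03-03T14:30:06Z src=10.0.1.7 dst=10.0.2.31 dport=445 proto=tcp action=allow",
    "2024-03-03T14:30:07Z src=10.0.1.7 dst=10.0.2.32 dport=445 proto=tcp action=allow",
    "2024-03-03T14:30:08Z src=10.0.1.9 dst=10.0.2.20 dport=443 proto=tcp action=allow",
    "2024-03-03T14:30:09Z src=10.0.1.9 dst=10.0.2.20 dport=443 proto=tcp action=allow",
]


def parse(lines):
    """Yield (timestamp, src, dst, dport, proto) for each line matching the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["src"], m["dst"], int(m["dport"]), m["proto"]


def find_scanners(lines, fanout_threshold=8, window=timedelta(seconds=60)):
    """Return {(src, dport, proto): peak distinct destinations} for every source
    whose fan-out on one port reaches the threshold inside a sliding window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, proto in parse(lines):
        by_key[(src, dport, proto)].append((ts, dst))
    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all retained events fit in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= fanout_threshold:
                flagged[key] = max(flagged.get(key, 0), len(distinct))
    return flagged


def host_firewall_rules(flagged):
    """Host-based firewall rules (step 4): uninfected hosts drop the worm's inbound
    traffic from each flagged source, and the flagged host drops its own probes."""
    rules = []
    for src, dport, proto in sorted(flagged):
        rules.append(f"iptables -A INPUT -s {src} -p {proto} --dport {dport} -j DROP")
        rules.append(f"iptables -A OUTPUT -p {proto} --dport {dport} -j DROP  # apply on {src}")
    return rules


if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for (src, dport, proto), fanout in scanners.items():
        print(f"{src} reached {fanout} distinct hosts on {proto}/{dport}")
    print("\n".join(host_firewall_rules(scanners)))
```

A vulnerability scanner, a monitoring server or a backup system produces the same fan-out pattern, so such sources belong on an allow list before the rules are pushed; the same flagged sources feed the network firewall and router rules of steps 2 and 1 once the host-based rules are in place.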

131. All the following are characteristics of a managed environment dealing with malware prevention and handling except:

a. Installing antivirus software

b. Giving end users administrator-level privileges

c. Using deny-by-default policies

d. Applying software patches
