80. b. Malicious code protection should be deployed at the host level (e.g., server and workstation operating systems), the application server level (e.g., e-mail server and Web proxies), and the application client level (e.g., e-mail clients and instant messaging clients).
81. Regarding signs of an incident, which of the following characterizes an indicator?
1. Future incident
2. Past incident
3. Present incident
4. All incidents
a. 2 only
b. 1 and 2
c. 2 and 3
d. 1, 2, 3, and 4
81. c. Signs of an incident fall into one of two categories: precursors and indications. An indicator is a sign that an incident may have occurred (past incident) or may be occurring now (present incident). A precursor is a sign that an incident may occur in the future (future incident). An indicator is not based on future incidents or not based on all incidents.
82. Regarding signs of an incident, which of the following is not an example of indicators?
a. The antivirus software alerts when it detects that a host is infected with a worm.
b. The user calls the help desk to report a threatening e-mail message.
c. Web server log entries that show the usage of a Web vulnerability scanner.
d. The host records an auditing configuration change in its log.
82. c. “Web server log entries that show the usage of a Web vulnerability scanner” is an example of precursor because it deals with a future incident. The other three choices are examples of indications dealing with the past and present incidents.
83. Which of the following statements are correct about signs of an incident?
1. Not every attack can be detected through precursors.
2. Some attacks have no precursors.
3. Some attacks that generate precursors cannot always be detected.
4. There are always indicators with some attacks.
a. 1 and 2
b. 1and 3
c. 2 and 3
d. 1, 2, 3, and 4
83. d. A precursor is a sign that an incident may occur in the future (future incident). An indicator is a sign that an incident may have occurred (past incident) or may be occurring now (present incident). It is true that not every attack can be detected through precursors. Some attacks have no precursors, whereas other attacks generate precursors that the organization fails to detect. If precursors are detected, the organization may have an opportunity to prevent the incident by altering the security posture through automated or manual means to save a target from attack. It is true that there are always some attacks with indicators.
84. Which of the following is not used as primary source of precursors or indications?
a. Operating system logs
b. Services logs
c. Network device logs
d. Application logs
84. c. Logs from network devices such as firewalls and routers are not typically used as a primary source of precursors or indications. Network device logs provide little information about the nature of activity.
Frequently, operating system logs, services logs, and application logs provide great value when an incident occurs. These logs can provide a wealth of information, such as which accounts were accessed and what actions were performed.
85. Which of the following records the username used to attack?
a. Firewall logs
b. Network intrusion detection software logs
c. Host intrusion detection software logs
d. Application logs
85. d. Evidence of an incident may be captured in several logs. Each log may contain different types of data regarding the incident. An application log may contain a username used to attack and create a security incident. Logs in the other three choices do not contain a username.
86. Which of the following records information concerning whether an attack that was launched against a particular host was successful?
a. Firewall logs
b. Network intrusion detection software logs
c. Host intrusion detection software logs
d. Application logs
86. c. Evidence of an incident may be captured in several logs. Each log may contain different types of data regarding the incident. A host intrusion detection sensor may record information whether an attack that was launched against a particular host was successful. Logs in the other three choices may also record host-related information but may not indicate whether a host is successful.
