b. Intrusion detection system logs

c. Intrusion prevention system logs

d. File sharing logs

92. d. File transfer protocol (FTP) is used for file sharing; because FTP itself is frequently subjected to attacks, its logs are not a primary source for analyzing fraud. File sharing logs have secondary uses. The other three logs are primarily useful in analyzing fraud.

93. Data diddling can be prevented by all the following except:

a. Access controls

b. Program change controls

c. Rapid correction of data

d. Integrity checking

93. c. Data diddling can be prevented by limiting access to data and programs and by limiting the methods that can be used to modify such data and programs. Rapid detection (not rapid correction) is what is needed, the sooner the better, because correcting data diddling after the fact is expensive.

94. From a malicious code protection mechanism viewpoint, which of the following is most risky?

a. Electronic mail

b. Removable media

c. Electronic mail attachments

d. Web accesses

94. b. Malicious code includes viruses, Trojan horses, worms, and spyware. Malicious code protection mechanisms are needed at system entry and exit points, workstations, servers, and mobile computing devices on the network. Malicious code can be transported by electronic mail, e-mail attachments, Web accesses, and removable media (e.g., USB devices, flash drives, and compact disks). Because of their flexibility and mobility, removable media can carry malicious code from one system to another; therefore, they are the most risky. Note that removable media can be risky or not risky depending on how and by whom they are used. The other three choices are less risky.

95. Regarding signs of an incident, which of the following is not an example of indications?

a. The Web server crashes.

b. A threat from a hacktivist group stating that the group will attack the organization.

c. Users complain of slow access to hosts on the Internet.

d. The system administrator sees a filename with unusual characters.

95. b. “A threat from a hacktivist group stating that the group will attack the organization” is an example of a precursor because it deals with a future incident. The other three choices are examples of indications because they deal with past or present events.

96. Regarding log management data analysis, security event management (SEM) software does not do which of the following?

a. Generate original event data.

b. Identify malicious activity.

c. Detect misuse of systems and networks.

d. Detect inappropriate usage of systems and networks.

96. a. Security event management (SEM) software is capable of importing security event information from various network traffic-related security event data sources (e.g., IDS logs and firewall logs) and correlating events among the sources. It generally works by receiving copies of logs from various data sources over secure channels, normalizing the logs into a standard format, and then identifying related events by matching IP addresses, timestamps, and other characteristics. SEM products usually do not generate original event data; instead, they generate meta-events based on imported event data. Many SEM products not only can identify malicious activity, such as attacks and virus infections; they can also detect misuse and inappropriate usage of systems and networks. SEM software can be helpful in making many sources of network traffic information accessible through a single interface.
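The normalize-then-correlate flow described in this answer, as an added example that is not code from the source book: two constructed log formats (a hypothetical firewall line and a hypothetical IDS alert line, both invented here) are normalized into one schema and then correlated on matching source/destination IP addresses and timestamps within a 60-second window, producing a meta-event rather than any original event data.

```python
"""Minimal SEM-style normalization and correlation over two constructed log sources."""
import re
from datetime import datetime, timedelta

# Constructed sample lines; formats are hypothetical, not those of any real product.
FIREWALL_LOG = [
    "2024-03-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2024-03-01T10:00:06 DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2024-03-01T10:05:00 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443",
]
IDS_LOG = [
    "03/01/2024-10:00:07 [**] Port scan detected [**] 203.0.113.7 -> 192.0.2.10",
    "03/01/2024-11:30:00 [**] Malware signature hit [**] 198.51.100.9 -> 192.0.2.30",
]

FW_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+)$")


def normalize(source, line):
    """Parse one raw line into the common schema (the SEM 'normalization' step)."""
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed firewall line: {line}")
        return {"source": source, "ts": datetime.fromisoformat(m.group(1)),
                "src": m.group(3), "dst": m.group(4),
                "event": f"{m.group(2)} dport={m.group(5)}"}
    m = IDS_RE.match(line)
    if not m:
        raise ValueError(f"unparsed IDS line: {line}")
    return {"source": source, "ts": datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S"),
            "src": m.group(3), "dst": m.group(4), "event": m.group(2)}


def correlate(events, window=timedelta(seconds=60)):
    """Group events by (src, dst); emit a meta-event when more than one source reports
    the same pair and all of those events fall within the time window."""
    by_pair = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair.setdefault((e["src"], e["dst"]), []).append(e)
    meta = []
    for (src, dst), group in by_pair.items():
        sources = {e["source"] for e in group}
        if len(sources) > 1 and group[-1]["ts"] - group[0]["ts"] <= window:
            meta.append({"src": src, "dst": dst, "sources": sorted(sources),
                         "count": len(group), "events": [e["event"] for e in group]})
    return meta


def run():
    """Normalize both constructed sources and return the correlated meta-events."""
    events = [normalize("firewall", l) for l in FIREWALL_LOG]
    events += [normalize("ids", l) for l in IDS_LOG]
    return correlate(events)
```

Only the 203.0.113.7 -> 192.0.2.10 pair is reported by both sources within the window, so `run()` yields a single meta-event summarizing three underlying events.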

97. As incident handlers become more familiar with the log entries and security alerts, which of the following are more important to investigate?

1. Usual entries with minor risk

2. Unusual entries

3. Unexplained entries

4. Abnormal entries

a. 1 and 2

b. 2 and 3

c. 2, 3, and 4

d. 1, 2, 3, and 4

97. c. Incident handlers should review log entries and security alerts to gain a solid understanding of normal behavior or characteristics of networks, systems, and applications so that abnormal behavior can be recognized more easily. Incident handlers should focus more on major risks such as unusual entries, unexplained entries, and abnormal entries, which are generally more important to analyze and investigate than usual entries with minor risk. This follows the principle of management by exception, which focuses on major risks because management time is limited.

98. Information regarding an incident can be recorded in which of the following places?

1. Firewall log
