2. Network IDS logs
3. Host IDS logs
4. Application logs
a. 1 only
b. 2 and 3
c. 4 only
d. 1, 2, 3, and 4
98. d. Information regarding an incident can be recorded in several places such as firewall, router, network intrusion detection system (IDS), host IDS, and application logs. However, they all record different information at different times.
99. Which of the following is not an effective way of managing malicious code protection mechanisms?
a. Automatic updating of signature definitions
b. Preventing nonprivileged users from circumventing controls
c. Managing malicious code protection mechanisms locally or in a decentralized environment
d. Testing with a known benign, nonspreading test case
99. c. An organization must centrally manage the malicious code protection mechanisms, similar to managing the flaw remediation process. This includes centrally managing the content of audit records generated, employing integrity verification tools, managing spam protection mechanisms, and installing software updates automatically. This is because malicious code protection mechanisms are installed at many system entry and exit points, workstations, servers, and mobile computing devices on the network. A decentralized management approach cannot work efficiently and effectively considering the various system entry and exit points. The other three choices are effective.
100. Which of the following is effective at stopping malware infections that exploit vulnerabilities or insecure settings?
a. Host hardening and patching measures
b. E-mail server settings
c. Network server settings
d. Application client settings
100. a. Vulnerabilities can be mitigated in several ways, including practicing patch management, following the principle of least privilege, and implementing host-hardening measures. The latter includes disabling unneeded services, reconfiguring software, eliminating unsecured file shares, changing default usernames and passwords, requiring authentication before allowing access to a network service, and disabling automatic execution of binaries and scripts.
E-mail server settings are incorrect because they are effective at stopping e-mail-based malware that uses the organization’s e-mail services through blocking e-mail attachments. Network server settings are incorrect because they are effective at stopping network service worms. Application client settings are incorrect because they are effective at stopping some specific instances of malware.
101. Many computer incidents can be handled more effectively and efficiently if data analysis considerations have been incorporated into:
a. Organizational policies
b. Departmental procedures
c. Information system life-cycle phases
d. Incident response staffing models
101. c. Many computer incidents can be handled more effectively and efficiently if data analysis considerations have been incorporated into the information system’s life cycle.
Examples include (i) configuring mission-critical applications to perform auditing, including recording all authentication attempts, (ii) enabling auditing on workstations, servers, and network devices, and (iii) forwarding audit records to secure centralized log servers.
Organizational policies and departmental procedures are incorrect because most of these considerations are extensions of existing provisions in policies and procedures. Incident response staffing models are incorrect because staffing models are usually a function of the human resources department.
102. Acquiring network traffic data can pose some legal issues. Which of the following should be in place first to handle the legal issues?
1. Access policies
2. Warning banners
3. System logs
4. System alerts
a. 1 only
b. 2 only
c. 1 and 2
d. 3 and 4
102. c. Acquiring network traffic data can pose some legal issues, including the capture (intentional or incidental) of information with privacy or security implications, such as passwords or e-mail contents. The term network traffic refers to computer network communications that are carried over wired or wireless networks between hosts. Access policies and warning banners are the first step to be completed. It is important to have policies regarding the monitoring of networks, as well as warning banners on system that indicate that activity may be monitored. System logs and alerts are part of monitoring activities.
