142. b. Activity logs reflect the course of each day. It is not necessary to describe each activity in detail, but it is useful to keep such a log so that the CSIRC can account for its actions. Noting all contacts, telephone conversations, and so forth ultimately saves time by enabling one to retain information that may prove useful later.

Contact logs are incorrect because they record vendor contacts, legal and investigative contacts, and other contacts. Incident logs are incorrect because they contain the information generated during the handling of an incident, including all actions taken, all conversations, and all events. Audit logs are incorrect because they contain personal identification and activity information and transaction-processing information so that actions can be traced.

143. Which of the following approaches provides an effective way of reporting computer security-related problems?

a. Help desks

b. Self-help information

c. Site security offices

d. Telephone hotline

143. d. One basic aim of a computer-security incident-response capability (CSIRC) is to mitigate the potentially serious effects of a severe computer security-related problem. It requires not only the capability to react to incidents but also the resources to alert and inform the users. It requires the cooperation of all users to ensure that incidents are reported and resolved and that future incidents are prevented.

An organization can augment existing computer security capabilities, such as help desks, self-help information, or site security offices, with CSIRC capability. A telephone hotline or e-mail address provides a single point of contact for users with centralized reporting. It is then possible to respond to all incidents and to determine whether incidents are related. With centralized reporting, a CSIRC can also develop accurate statistics on the size, nature, and extent of the security problems within the organization.

144. A computer security incident is any adverse event whereby some aspect of computer security is threatened. Which of the following best characterizes a security incident response capability?

a. Proactive

b. Reactive

c. Proactive and reactive

d. Detective

144. c. A computer-security incident-response capability (CSIRC) can help organizations resolve computer security problems in a way that is both efficient and cost-effective. Combined with policies for centralized reporting, a CSIRC can reduce waste and duplication while providing a better posture against potentially devastating threats. A CSIRC is a proactive approach to computer security, one that combines reactive capabilities with active steps to prevent future incidents from occurring.

When not responding to incidents, a CSIRC can take proactive steps to educate its users regarding pertinent risks and threats to computer security. These activities can prevent incidents from occurring. They include informing users about vulnerabilities and heightening awareness of other security threats, procedures, and proper maintenance of their systems. A CSIRC is not solely a reactive capability; it is also a proactive approach to reducing an organization’s computer security risk. Detective is not correct because prevention is better than detection, and detection works only in some circumstances.

145. Automatic tools exist to test computer system vulnerability and to detect computer security incidents. Vulnerability testing tools analyze which of the following events?

a. Recurring events

b. Current state of the system

c. Historical events

d. Nonrecurring events

145. b. Security is affected by the actions of both the users and the system administrators. Users may leave their files open to attack; the system administrator may leave the system open to attack by insiders or outsiders. The system can be vulnerable due to misuse of the system’s features. Automated tools can search for vulnerabilities that arise from common administrator and user errors. Vulnerability testing tools analyze the current state of the system (a snapshot), which is a limitation. These test tools review the objects in a system, searching for anomalies that might indicate vulnerabilities that could allow an attacker to (i) plant Trojan horses, (ii) masquerade as another user, or (iii) circumvent the organizational security policy.
