Читаем CISSP Practice полностью

39. b. Organizations should analyze new software in a separate test library before installation in an operational environment. They should look for security impacts due to software flaws, security weaknesses, data incompatibility, or intentional malice in the test library. The development library is used solely for new development work or maintenance work. Some organizations use a quarantine library, as an intermediate library, before moving the software into operational library. The operational library is where the new software resides for day-to-day use.

40. Current operating systems are far more resistant to which of the following types of denial-of-service attacks and have become less of a threat?

a. Reflector attack

b. Amplified attack

c. Distributed attack

d. SYNflood attack

40. d. Synchronized flood (SYNflood) attacks often target an application and daemon, like a Web server, and not the operating system (OS) itself; although the OS may get impacted due to resources used by the attack. It is good to know that current operating systems are far more resistant to SYNflood attacks, and many firewalls now offer protections against such attacks, so they have become less of a threat. Still, SYNfloods can occur if attackers initiate many thousands of transmission control protocol (TCP) connections in a short time.

The other three types of attacks are more of a threat. In a reflector attack, a host sends many requests with a spoofed source address to a service on an intermediate host. Like a reflector attack, an amplified attack involves sending requests with a spoofed source address to an intermediate host. However, an amplified attack does not use a single intermediate host; instead, its goal is to use a whole network of intermediate hosts. Distributed attacks coordinate attacks among many computers (i.e., zombies).

41. Which of the following is the correct sequence of solutions for containing a denial-of-service incident?

1. Relocate the target computer.

2. Have the Internet service provider implement filtering.

3. Implement filtering based on the characteristics of the attack.

4. Correct the vulnerability that is being exploited.

a. 2, 3, 1, and 4

b. 2, 4, 3, and 1

c. 3, 4, 2, and 1

d. 4, 3, 1, and 2

41. c. The decision-making process for containing a denial-of-service (DoS) incident should be easier if recommended actions are predetermined. The containment strategy should include several solutions in sequence as shown in the correct answer.

42. Computer security incident handling can be considered that portion of contingency planning that responds to malicious technical threats (for example, a virus). Which of the following best describes a secondary benefit of an incident handling capability?

a. Containing and repairing damage from incidents

b. Preventing future damage

c. Using the incident data in enhancing the risk assessment process

d. Enhancing the training and awareness program

42. c. An incident capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Incidents can be logged and analyzed to determine whether there is a recurring problem, which would not be noticed if each incident were viewed only in isolation. Statistics on the numbers and types of incidents in the organization can be used in the risk assessment process as an indication of vulnerabilities and threats.

Containing and repairing damage from incidents and preventing future damages are incorrect because they are examples of primary benefits of an incident handling capability. An incident handling capability can provide enormous benefits by responding quickly to suspicious activity and coordinating incident handling with responsible offices and individuals as necessary. Incidents can be studied internally to gain a better understanding of the organization’s threats and vulnerabilities. Enhancing the training and awareness program is an example of a secondary benefit. Based on incidents reported, training personnel will have a better understanding of users’ knowledge of security issues. Training that is based on current threats and controls recommended by incident handling staff provides users with information more specifically directed to their current needs. Using the incident data in enhancing the risk assessment process is the best answer when compared to enhancing the training and awareness program.