Читаем CISSP Practice полностью

151. d. An audit log must be kept and protected so that any actions impacting security can be traced. Accountability can be established with the audit log. The audit log also helps in verifying the other three choices indirectly.

152. What is a detective control in a computer operations area?

a. Policy

b. Log

c. Procedure

d. Standard

152. b. Logs, whether manual or automated, capture relevant data for further analysis and tracing. Policy, procedure, and standard are directive controls and are part of management controls because they regulate human behavior.

153. In terms of security functionality verification, which of the following is the correct order of information system’s transitional states?

1. Startup

2. Restart

3. Shutdown

4. Abort

a. 1, 2, 3, and 4

b. 1, 3, 2, and 4

c. 3, 2, 1, and 4

d. 4, 3, 2, and 1

153. b. The correct order of information system’s transitional states is startup, shutdown, restart, and abort. Because the system is in transitional states, which is an unstable condition, if the restart procedures are not performed correctly or facing technical recovery problems, then the system has no choice except to abort.

154. Which of the following items is not related to the other items?

a. Keystroke monitoring

b. Penetration testing

c. Audit trails

d. Telephone wiretap

154. b. Penetration testing is a test in which the evaluators attempt to circumvent the security features of a computer system. It is unrelated to the other three choices. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. It is considered as a special case of audit trails. Some consider the keystroke monitoring as a special case of unauthorized telephone wiretap and others are not.

155. All the following are tools that help both system intruders and systems administrators except:

a. Network discovery tools

b. Intrusion detection tools

c. Port scanners

d. Denial-of-service test tools

155. b. Intrusion detection tools detect computer attacks in several ways: (i) outside of a network’s firewall, (ii) behind a network’s firewall, or (iii) within a network to monitor insider attacks. Network discovery tools and port scanners can be used both by intruders and system administrators to find vulnerable hosts and network services. Similarly, denial-of-service test tools can be used to determine how much damage can be done to a computing site.

156. Audit trail records contain vast amounts of data. Which of the following review methods is best to review all records associated with a particular user or application system?

a. Batch-mode analysis

b. Real-time audit analysis

c. Audit trail review after an event

d. Periodic review of audit trail data

156. b. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Audit analysis tools can be used in a real-time, or near real-time, fashion. Manual review of audit records in real time is not feasible on large multi-user systems due to the large volume of records generated. However, it might be possible to view all records associated with a particular user or application and view them in real time.

Batch-mode analysis is incorrect because it is a traditional method of analyzing audit trails. The audit trail data are reviewed periodically. Audit records are archived during that interval for later analysis. The three incorrect choices do not provide the convenience of displaying or reporting all records associated with a user or application, as do the real-time audit analysis.

157. Many errors were discovered during application system file-maintenance work. What is the best control?

a. File labels

b. Journaling

c. Run-to-run control

d. Before and after image reporting

157. d. Before and after image reporting ensures data integrity by reporting data field values both before and after the changes so that functional users can detect data entry and update errors.