Читаем CISSP Practice полностью

225. d. Conducting an exploit test means performing a penetration test to exploit the vulnerability. Only an experienced administrator or security officer should perform exploit tests because this involves launching actual attacks within a network or on a host. Generally, this type of testing should be performed only on nonproduction equipment and only for certain vulnerabilities. Only qualified staff who are thoroughly aware of the risk and who are fully trained should conduct the tests.

Testing file settings, testing configuration settings, and reviewing patch logs are routine tasks a less experienced administrator or security officer can perform.

Scenario-Based Questions, Answers, and Explanations

Use the following information to answer questions 1 through 8.

The GRO Company will face an audit by a federal regulatory body in 30 days. The last update for its policies and procedures was made one year ago after the last audit. It has 50% of the controls in place described in the last audit, and 45% will be turned on before the auditors arrive. The remaining 5% of controls (audit trail software for computer operating systems) will break the financial systems if turned on for more than one hour.

1. Who initiates audit trails in computer systems?

a. Functional users

b. System auditors

c. System administrators

d. Security administrators

1. a. Functional users have the utmost responsibility in initiating audit trails in their computer systems for tracing and accountability purposes. Systems and security administrators help in designing and developing these audit trails. System auditors review the adequacy and completeness of audit trails and issue an opinion whether they are effectively working. Auditors do not initiate, design, or develop audit trails due to their independence in attitude and appearance as dictated by their Professional Standards.

2. An inexpensive security measure is which of the following?

a. Firewalls

b. Intrusion detection

c. Audit trails

d. Access controls

2. c. Audit trails provide one of the best and most inexpensive means for tracking possible hacker attacks, not only after attack, but also during the attack. One can learn what the attacker did to enter a computer system, and what he did after entering the system. Audit trails also detect unauthorized but abusive user activity. Firewalls, intrusion detection systems, and access controls are expensive when compared to audit trails.

3. What is an audit trail an example of?

a. Recovery control

b. Corrective control

c. Preventive control

d. Detective control

3. d. Audit trails show an attacker’s actions after detection; hence they are an example of detective controls. Recovery controls facilitate the recovery of lost or damaged files. Corrective controls fix a problem or an error. Preventive controls do not detect or correct an error; they simply stop it if possible.

4. Which of the following statements is not true about audit trails from a computer security viewpoint?

a. There is interdependency between audit trails and security policy.

b. If a user is impersonated, the audit trail will establish events and the identity of the user.

c. Audit trails can assist in contingency planning.

d. Audit trails can be used to identify breakdowns in logical access controls.

4. b. Audit trails have several benefits. They are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, audit trails collect events and associate them with the perceived user (i.e., the user ID provided). If a user is impersonated, the audit trail establishes events but not the identity of the user.

It is true that there is interdependency between audit trails and security policy. Policy dictates who has authorized access to particular system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.

It is true that audit trails can assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).

It is true that audit trails can be used to identify breakdowns in logical access controls. Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity by identifying breakdowns in logical access controls or verifying that access control restrictions are behaving as expected.