Читаем CISSP Practice полностью

5. Audit trails should be reviewed. Which of the following methods is not the best way to perform a query to generate reports of selected information?

a. By a known damage or occurrence

b. By a known user identification

c. By a known terminal identification

d. By a known application system name

5. a. Damage or the occurrence of an undesirable event cannot be anticipated or predicted in advance, thus making it difficult to make a query. The system design cannot handle unknown events. Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers need to understand what normal activity looks like. Audit trail review is easier if the audit trail function can be queried by user ID, terminal ID, application system name, date and time, or some other set of parameters to run reports of selected information.

6. Audit trail records contain vast amounts of data. Which of the following review methods is best to review all records associated with a particular user or application system?

a. Batch-mode analysis

b. Real-time audit analysis

c. Audit trail review after an event

d. Periodic review of audit trail data

6. b. Audit trail data can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Audit analysis tools can be used in a real-time, or near real-time, fashion. A manual review of audit records in real time is not feasible on large multi-user systems due to the large volume of records generated. However, it might be possible to view all records associated with a particular user or application and view them in real time.

Batch-mode analysis is incorrect because it is a traditional method of analyzing audit trails. The audit trail data are reviewed periodically. Audit records are archived during that interval for later analysis. All these choices do not provide the convenience of displaying or reporting all records associated with a user or application.

7. An audit trail record should include sufficient information to trace a user’s actions and events. Which of the following information in the audit trail record can help determine if the user was a masquerader or the actual person specified?

a. The user identification associated with the event

b. The date and time associated with the event

c. The program used to initiate the event

d. The command used to initiate the event

7. b. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result. Date and timestamps can help determine if the user were a masquerader or the actual person specified.

8. Automated tools help in analyzing audit trail data. Which one of the following tools looks for anomalies in user or system behavior?

a. Trend analysis tools

b. Audit data-reduction tools

c. Attack signature-detection tools

d. Audit data-collection tools

8. a. Many types of tools have been developed to help reduce the amount of information contained in audit records, as well as to distill useful information from the raw data. Especially on larger systems, audit trail software can create large files, which can be extremely difficult to analyze manually. The use of automated tools is likely to be the difference between unused audit trail data and a robust program. Trend analysis and variance detection tools look for anomalies in user or system behavior.

Audit data-reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review. These tools generally remove records generated by specified classes of events, such as records generated by nightly backups. Attack signature-detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example is repeated failed log-in attempts. Audit data-collection tools simply gather data for analysis later.

Sources and References