Читаем CISSP Practice полностью

3. In general, which of the following evidence is not admissible in a court?

a. Hearsay evidence

b. Primary evidence

c. Material evidence

d. Substantive evidence

3. a. Hearsay evidence, whether oral or written, by itself is not admissible in a court because it is second-hand evidence. It refers to any oral or written evidence brought into court and offered as proof of things said out of court. However, hearsay evidence is admissible when the witness is put under oath in a court’s stand and cross examined to state what he saw or heard. This is an example of a court’s procedural checks and balances.

The other three choices are admissible in a court of law. Primary evidence is original and best evidence. It is confined to documentary evidence and applies to proof of a writing’ content. Material evidence is evidence that was relevant to prove a disputed consequential fact and is also used to say evidence having some weight. Substantive evidence is evidence that is admitted to prove the significance of the party’s case rather than to attack the credibility of an opposing witness.

Similarly, business documents (for example, sales orders and purchase orders) created during regular business transactions are considered admissible in a court of law. Another example is photographs represent hearsay evidence but are considered admissible if they are properly authenticated by witnesses who are familiar with the subject.

4. All of the following are the primary elements of a security incident triad except:

a. Detect

b. Respond

c. Report

d. Recover

4. c. The primary elements of a security incident triad include detect, respond, and recover. An organization should have the ability to detect an attack, respond to an attack, and recover from an attack by limiting consequences of or impacts from an attack.

The “report” is a secondary element and is a byproduct of the primary elements. Reporting can be done internally to management, which is required, and externally to public (for example, media/press, law enforcement authorities, and incident reporting organizations), which is optional. How much external reporting is done depends on the organization’s management openness to report due to adverse publicity and reputation risk involved from bad security breaches.

5. Which of the following makes the security incident event correlation work much easier and faster?

a. Distributed logging

b. Local logging

c. Centralized logging

d. Centralized monitoring

5. c. Using centralized logging makes security incident event correlation work much easier and faster because it pulls together data from various sources such as networks, hosts, services, applications, and security devices.

6. Networks and systems profiling is a technical measure for aiding in incident analysis and is achieved through which of the following means?

1. Running file integrity checking software on hosts

2. Monitoring network bandwidth usage

3. Monitoring host resource usage

4. Determining the average and peak usage levels

a. 2 only

b. 3 only

c. 4 only

d. 1, 2, 3, and 4

6. d. Networks and systems profiling measures the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling include running integrity checking software on hosts to derive checksums for critical files, monitoring network bandwidth usage, and monitoring host resource usage to determine what the average and peak usage volumes are on various days and times.

7. The incident response team should discuss which of the following containment strategies with its legal department to determine if it is feasible?

a. Full containment

b. Phase containment

c. Partial containment

d. Delayed containment

7. d. When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. In certain cases, some organizations delay the containment of an incident so that they can monitor the attacker’s activity, usually to gather additional evidence. The incident response team should discuss delayed containment strategy with its legal department to determine if it is feasible. The delayed containment strategy is dangerous because an attacker could escalate unauthorized access or compromise other systems in a fraction of a second. The value of delayed containment is usually not worth the high risk that it poses.