Читаем CISSP Practice полностью

d. Multiple identification

62. c. Manual identification methods are generally not feasible for comprehensive enterprisewide identification, but they are a necessary part of identification when other methods are not available and can fill in gaps when other methods are insufficient.

63. From a log management perspective, logon attempts to an application are recorded in which of the following logs?

1. Audit log

2. Authentication log

3. Event log

4. Error log

a. 1 only

b. 2 only

c. 1 and 2

d. 3 and 4

63. c. Audit log entries, also known as security log entries, contain information pertaining to audited activities, such as successful and failed logon attempts, security policy changes, file access, and process execution. Some applications record logon attempts to a separate authentication log. Applications may use audit capabilities built into the operating system or provide their own auditing capabilities.

Event log entries typically list all actions that were performed, the date and time each action occurred, and the result of each action. Error logs record information regarding application errors, typically with timestamps. Error logs are helpful in troubleshooting both operational issues and attacks. Error messages can be helpful in determining when an event of interest occurred and identifying important characteristics of the event.

64. From a log management perspective, which of the following provides more information on the results of each action recorded into an application event log?

a. Date each action occurred

b. What status code was returned?

c. Time each action occurred

d. What username was used to perform each action?

64. b. Event logs list all actions that were performed, the date and time each action occurred, and the result of each action. Event log entries might also include supporting information, such as what username was used to perform each action and what status code was returned. The returned status code provides more information on the result than a simple successful/failed status.

65. Spyware is often bundled with which of the following?

a. P2P file sharing client programs

b. Network service worms

c. Mass mailing worms

d. E-mail-borne viruses

65. a. Spyware is often bundled with software, such as certain peer-to-peer (P2P) file sharing client programs; when the user installs the supposedly benign P2P software, it then covertly installs spyware programs.

Network service worms are incorrect because they spread by exploiting vulnerability in a network service associated with an operating system or an application. Mass mailing worms and e-mail-borne viruses are incorrect because mass mailing worms are similar to e-mail-borne viruses, with the primary difference being that mass mailing worms are self-contained instead of infecting an existing file as e-mail-borne viruses do. After a mass mailing worm has infected a system, it typically searches the system for e-mail addresses and then sends copies of itself to those addresses, using either the systems e-mail client or a self-contained mailer built into the worm itself.

66. Which of the following is not an example of security software logs?

a. Intrusion prevention system logs

b. Vulnerability management software logs

c. Network quarantine server logs

d. File sharing logs

66. d. File sharing logs are an example of application logs. The other three choices are examples of security software logs.

67. Which of the following logs are most beneficial for identifying suspicious activity involving a particular host?

a. Network-based security software logs

b. Host-based security software logs

c. Operating system logs

d. Application system logs

67. c. Operating systems logs are most beneficial for identifying suspicious activity involving a particular host, or for providing more information on suspicious activity identified by another host. Operating system logs collect information on servers, workstations, and network connectivity devices (e.g., routers and switches) that could be useful in identifying suspicious activity involving a particular host.

The other three logs are not that beneficial when compared to the operating system logs. Both network-based and host-based security software logs contain basic security-related information such as user access profiles and access rights and permissions. Application system logs include e-mail logs, Web server logs, and file-sharing logs.