Читаем CISSP Practice полностью

74. c. In normalization, log data values are converted to a standardized format and labeled consistently. One of the most common uses of normalization is storing dates and times in a single format. Organizations should use time synchronization technologies such as network time protocol (NTP) servers to keep log sources’ clocks consistent with each other. The other three choices do not deal with NTP servers.

75. Regarding log management infrastructure functions, which of the following is performed in support of incident handling or investigations?

a. Log clearing

b. Log retention

c. Log preservation

d. Log reduction

75. c. Log preservation is performed in support of incident handling or investigations because logs contain records of activity of particular interest.

The other three choices do not support incident handling. Log retention and log preservation are part of the log archival. Log clearing is removing all entries from a log that precede a certain date and time. Log reduction is removing unneeded entries or data fields from a log to create a new log that is similar.

76. Which of the following is most recommended to ensure log file integrity?

a. Message digest 5 (MD5)

b. Secure hash algorithm 1 (SHA-1)

c. User datagram protocol (UDP)

d. Transmission control protocol (TCP)

76. b. Although both MD5 and SHA-1 are commonly used message digest algorithms, SHA-1 is stronger and better than MD5. Hence, SHA-1 is mostly recommended for ensuring log file integrity. UDP is a connectionless and unreliable protocol used to transfer logs between hosts. TCP is a connection-oriented protocol that attempts to ensure reliable delivery of information across networks.

77. Regarding log management infrastructure, which of the following characterizes the security event management software?

1. Single standard data format

2. Proprietary data formats

3. High resource-intensive for hosts

4. Low resource-intensive for hosts

a. 1 and 3

b. 1 and 4

c. 2 and 3

d. 2 and 4

77. c. Unlike syslog-based centralized logging software, which is based on a single standard, security event management (SEM) software primarily uses proprietary data formats. Although SEM software typically offers more robust and broad log management capabilities than syslog, SEM software is usually much more complicated and expensive to deploy than a centralized syslog implementation. Also, SEM software is often more resource-intensive for individual hosts than syslog because of the processing that agents perform.

78. Which of the following network operational environment is the easiest in which to perform log management functions?

a. Standalone

b. Enterprise

c. Custom

d. Legacy

78. b. Of all the network operational environments, the enterprise (managed) environment is typically the easiest in which to perform log management functions and usually does not necessitate special consideration in log policy development. This is because system administrators have centralized control over various settings on workstations and servers and have a formal structure.

The other three choices require special considerations and hence difficult to perform log management functions. For example, the standalone (small office/home office) environment has an informal structure, the custom environment deals with specialized security-limited functionality, and the legacy environment deals with older systems, which could be less secure.

79. Which of the following are major factors to consider when designing the system-level log management processes?

1. Online and offline data storage

2. Security needs for the data

3. Initiating responses to identified events

4. Managing long-term data storage

a. 1 and 2

b. 1 and 4

c. 2 and 3

d. 3 and 4

79. d. The major system-level processes for log management are configuring log sources, providing ongoing operational support, performing log analysis, initiating responses to identified events, and managing long-term data storage. Online and offline data storage and security needs for the data deal with organizational-level log management processes.

80. Which of the following is an example of deploying malicious code protection at the application server level?

a. Workstation operating systems

b. Web proxies

c. E-mail clients

d. Instant messaging clients