QUESTION 530
In an on-line transaction processing system, which of the following actions should be taken when erroneous or
invalid transactions are detected?
A. The transactions should be dropped from processing
B. The transactions should be processed after the program makes adjustments
C. The transactions should be written to a report and reviewed
D. The transactions should be corrected and reprocessed
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
250
ISC CISSP Exam
QUESTION 531
Which of the following is a reasonable response from the intrusion detection system when it detects Internet
Protocol (IP) packets where the IP source address is the same as the IP destination address?
A. Allow the packet to be processed by the network and record the event.
B. Record selected information about the item and delete the packet.
C. Resolve the destination address and process the packet.
D. Translate the source address and resend the packet.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: RFC 1918 and RFC 2827 cover private addressing and IP spoofing, including packets whose IP source
address is the same as the IP destination address. Drop the packet.
QUESTION 532
Which of the following is not a good response to a detected intrusion?
A. Collect additional information about the suspected attack
B. Inject TCP reset packets into the attacker’s connection to the victim system
C. Reconfigure routers and firewalls to block packets from the attacker’s apparent connection
D. Launch attacks or attempt to actively gain information about the attacker’s host
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 533
Once an intrusion into your organization's information system has been detected, which of the following actions
should be performed first?
A. Eliminate all means of intruder access
B. Contain the intrusion
C. Determine to what extent systems and data are compromised
D. Communicate with relevant parties
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 534
After an intrusion has been contained and the compromised systems have been reinstalled, which of the
following need not be reviewed before bringing the systems back into service?
A. Access control lists
B. System services and their configuration
C. Audit trails
D. User accounts
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 535
Which of the following includes notifying the appropriate parties to take action in order to determine the extent
of the severity of an incident and to remediate the incident’s effects?
A. Intrusion Evaluation (IE) and Response
B. Intrusion Recognition (IR) and Response
C. Intrusion Protection (IP) and Response
D. Intrusion Detection (ID) and Response
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Intrusion Detection (ID) and Response is the task of monitoring systems for evidence of an
intrusion or an inappropriate usage. This includes notifying the appropriate parties to take action in order to
determine the extent of the severity of an incident and to remediate the incident’s effects.” Pg 86 Krutz: CISSP
Prep Guide: Gold Edition.
QUESTION 536
Which of the following is used to monitor network traffic or to monitor host audit logs in order to determine
violations of security policy that have taken place?
A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System
D. Compliance Monitoring System
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 537
Which of the following is not a technique used for monitoring?
A. Penetration testing
B. Intrusion detection
C. Violation processing (using clipping levels)
D. Countermeasures testing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 538
Which one of the following is NOT a characteristic of an Intrusion Detection System (IDS)?
A. Determines the source of incoming packets.
B. Detects intruders attempting unauthorized activities.
C. Recognizes and reports alterations to data files.
D. Alerts to known intrusion patterns.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Software employed to monitor and detect possible attacks and behaviors that vary from the normal
and expected activity. The IDS can be network-based, which monitors network traffic, or host-based, which
monitors activities of a specific system and protects system files and control mechanisms. – Shon Harris All-in-One
CISSP Certification Guide pg 932
QUESTION 539
An IDS detects an attack using which of the following?
A. an event-based ID or a statistical anomaly-based ID
B. a discrete anomaly-based ID or a signature-based ID
C. a signature-based ID or a statistical anomaly-based ID
D. a signature-based ID or an event-based ID
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 540
Which of the following monitors network traffic in real time?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 541
What technology is being used to detect anomalies?
A. IDS
B. FRR
C. Sniffing
D. Capturing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Intrusion Detection is a quickly evolving domain of expertise. In the past year we have seen giant steps forward
in this area. We are now seeing IDS engines that will detect anomalies, and that have some built-in intelligence.
It is no longer a simple game of matching signatures in your network traffic.
QUESTION 542
IDSs verify, itemize, and characterize threats from:
A. Inside your organization’s network.
B. Outside your organization’s network.
C. Outside and inside your organization’s network.
D. The Internet.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
IDSs verify, itemize, and characterize the threat from both outside and inside your organization’s network,
assisting you in making sound decisions regarding your allocation of computer security resources. Using IDSs
in this manner is important, as many people mistakenly deny that anyone (outsider or insider) would be
interested in breaking into their networks. Furthermore, the information that IDSs give you regarding the source
and nature of attacks allows you to make decisions regarding security strategy driven by demonstrated need,
not guesswork or folklore.
QUESTION 543
IDS can be described in terms of what fundamental functional components?
A. Response
B. Information Sources
C. Analysis
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Many IDSs can be described in terms of three fundamental functional components:
Information Sources – the different sources of event information used to determine whether an intrusion has
taken place. These sources can be drawn from different levels of the system, with network, host, and
application monitoring most common. Analysis – the part of intrusion detection systems that actually organizes
and makes sense of the events derived from the information sources, deciding when those events indicate that
intrusions are occurring or have already taken place. The most common analysis approaches are misuse
detection and anomaly detection. Response – the set of actions that the system takes once it detects intrusions.
These are typically grouped into active and passive measures, with active measures involving some automated
intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who
are then expected to take action based on those reports.
QUESTION 544
What are the primary goals of intrusion detection systems? (Select all that apply.)
A. Accountability
B. Availability
C. Response
D. All of the choices
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Although there are many goals associated with security mechanisms in general, there are two overarching
goals usually stated for intrusion detection systems. Accountability is the capability to link a given activity or
event back to the party responsible for initiating it. This is essential in cases where one wishes to bring criminal
charges against an attacker. The goal statement associated with accountability
is: “I can deal with security attacks that occur on my systems as long as I know who
did it (and where to find them.)” Accountability is difficult in TCP/IP networks, where the protocols allow
attackers to forge the identity of source addresses or other source identifiers. It is also extremely difficult to
enforce accountability in any system that employs weak identification and authentication mechanisms.
Response is the capability to recognize a given activity or event as an attack and then taking action to block or
otherwise affect its ultimate goal. The goal statement associated with response is “I don’t care who attacks my
system as long as I can recognize that the attack is taking place and block it.” Note that the requirements of
detection are quite different for response than for accountability.
QUESTION 545
What is the most common way to classify IDSs?
A. Group them by information source.
B. Group them by network packets.
C. Group them by attackers.
D. Group them by signs of intrusion.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The most common way to classify IDSs is to group them by information source. Some IDSs analyze network
packets, captured from network backbones or LAN segments, to find attackers. Other IDSs analyze information
sources generated by the operating system or application software for signs of intrusion.
QUESTION 546
The majority of commercial intrusion detection systems are:
A. Identity-based
B. Network-based
C. Host-based
D. Signature-based
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The majority of commercial intrusion detection systems are network-based. These IDSs detect attacks by
capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS
can monitor the network traffic affecting multiple hosts that are connected to the network segment, thereby
protecting those hosts.
QUESTION 547
Which of the following is a drawback of Network-based IDSs?
A. It cannot analyze encrypted information.
B. It is very costly to setup.
C. It is very costly to manage.
D. It is not effective.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations
(and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was
successful; they can only discern that an attack was initiated. This means that after a network-based IDS
detects an attack, administrators must manually investigate each attacked host to determine whether it was
indeed penetrated.
QUESTION 548
Host-based IDSs normally utilize information from which of the following sources?
A. Operating system audit trails and system logs.
B. Operating system audit trails and network packets.
C. Network packets and system logs.
D. Operating system alarms and system logs.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Host-based IDSs normally utilize information sources of two types, operating system audit trails, and system
logs. Operating system audit trails are usually generated at the innermost (kernel) level of the operating system,
and are therefore more detailed and better protected than system logs. However, system logs are much less
obtuse and much smaller than audit trails, and are furthermore far easier to comprehend. Some host-based
IDSs are designed to support a centralized IDS management and reporting infrastructure that can allow a single
management console to track many hosts. Others generate messages in formats that are compatible with
network management systems.
QUESTION 549
When comparing a host-based IDS with a network-based IDS, which of the following is an obvious advantage?
A. It is unaffected by switched networks.
B. It cannot analyze encrypted information.
C. It is not costly to setup.
D. It is not costly to manage.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Host-based IDSs are unaffected by switched networks. When Host-based IDSs operate on OS audit trails, they
can help detect Trojan horse or other attacks that involve software integrity breaches. These appear as
inconsistencies in process execution.
QUESTION 550
You are comparing a host-based IDS with a network-based IDS. Which of the following will you consider an
obvious disadvantage of a host-based IDS?
A. It cannot analyze encrypted information.
B. It is costly to remove.
C. It is affected by switched networks.
D. It is costly to manage.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Host-based IDSs are harder to manage, as information must be configured and managed for every host
monitored. Since at least the information sources (and sometimes part of the analysis engines) for host-based
IDSs reside on the host targeted by attacks, the IDS may be attacked and disabled as part of the attack.
Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an
entire network, because the IDS only sees those network packets received by its host. Host-based IDSs can be
disabled by certain denial-of-service attacks.
QUESTION 551
Which of the following IDS types inflicts a higher performance cost on the monitored systems?
A. Encryption based
B. Host based
C. Network based
D. Trusted based
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Host-based IDSs use the computing resources of the hosts they are monitoring, therefore inflicting a
performance cost on the monitored systems.
QUESTION 552
Application-based IDSs normally utilize information from which of the following sources?
A. Network packets and system logs.
B. Operating system audit trails and network packets.
C. Operating system audit trails and system logs.
D. Application’s transaction log files.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a
software application. The most common information sources used by application-based IDSs are the
application’s transaction log files.
QUESTION 553
Which of the following are the major categories of IDS response options?
A. Active responses
B. Passive responses
C. Hybrid
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Once IDSs have obtained event information and analyzed it to find symptoms of attacks, they generate
responses. Some of these responses involve reporting results and findings to a pre-specified location. Others
involve more active automated responses. Though researchers are tempted to underrate the importance of
good response functions in IDSs, they are actually very important. Commercial IDSs support a wide range of
response options, often categorized as active responses, passive responses, or some mixture of the two.
QUESTION 554
Alarms and notifications are generated by IDSs to inform users when attacks are detected. The most common
form of alarm is:
A. Onscreen alert
B. Email
C. Pager
D. ICQ
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Alarms and notifications are generated by IDSs to inform users when attacks are detected. Most commercial
IDSs allow users a great deal of latitude in determining how and when alarms are generated and to whom they
are displayed. The most common form of alarm is an onscreen alert or popup window. This is displayed on the
IDS console or on other systems as specified by the user during the configuration of the IDS. The information
provided in the alarm message varies widely, ranging from a notification that an intrusion has taken place to
extremely detailed messages outlining the IP addresses of the source and target of the attack, the specific
attack tool used to gain access, and the outcome of the attack. Another set of options that are of utility to large
or distributed organizations are those involving remote notification of alarms or alerts. These allow
organizations to configure the IDS so that it sends alerts to cellular phones and pagers carried by incident
response teams or system security personnel.
QUESTION 555
Which of the following is a valid tool that complements IDSs?
A. All of the choices.
B. Padded Cells
C. Vulnerability Analysis Systems
D. Honey Pots
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Several tools exist that complement IDSs and are often labeled as intrusion detection products by vendors
since they perform similar functions. They are Vulnerability Analysis Systems, File Integrity Checkers, Honey
Pots, and Padded Cells.
“IDS-Related Tools
Intrusion detection systems are often deployed in concert with several other components. These IDS-related
tools expand the usefulness and capabilities of IDSs and make IDSs more efficient and less prone to false
positives. These tools include honey pots, padded cells, and vulnerability scanners.” Pg. 46 Tittel: CISSP
Study Guide
QUESTION 556
A problem with a network-based ID system is that it will not detect attacks against a host made by an intruder
who is logged in at which of the following?
A. host’s terminal
B. guest’s terminal
C. client’s terminal
D. server’s terminal
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 557
When the IDS detects attackers, the attackers are seamlessly transferred to a special host. This method is
called:
A. Vulnerability Analysis Systems
B. Padded Cell
C. Honey Pot
D. File Integrity Checker
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Padded cells take a different approach. Instead of trying to attract attackers with tempting data, a padded cell
operates in tandem with a traditional IDS. When the IDS detects attackers, it seamlessly transfers them to a special
padded cell host.
QUESTION 558
Which of the following is a weakness of both statistical anomaly detection and pattern matching?
A. Lack of ability to scale.
B. Lack of learning model.
C. Inability to run in real time.
D. Requirement to monitor every event.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Disadvantages of Knowledge-based ID systems:
This system is resource-intensive; the knowledge database continually needs maintenance and updates.
New, unique, or original attacks often go unnoticed.
Disadvantages of Behavior-based ID systems:
The system is characterized by high false alarm rates. High positives are the most common failure of ID
systems and can create data noise that makes the system unusable.
The activity and behavior of the users while in the networked system might not be static enough to effectively
implement a behavior-based ID system.
-Ronald Krutz The CISSP PREP Guide (gold edition) pg 88
QUESTION 559
The two most common implementations of Intrusion Detection are which of the following?
A. They commonly reside on a discrete network segment and monitor the traffic on that network segment
B. They commonly will not reside on a discrete network segment and monitor the traffic on that network
segment
C. They commonly reside on a discrete network segment but do not monitor the traffic on that network
segment
D. They commonly do not reside on a discrete network segment and monitor the traffic on that network
segment
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 560
What are the primary approaches IDS takes to analyze events to detect attacks?
A. Misuse detection and anomaly detection.
B. Log detection and anomaly detection.
C. Misuse detection and early drop detection.
D. Scan detection and anomaly detection.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
There are two primary approaches to analyzing events to detect attacks: misuse detection and anomaly
detection. Misuse detection, in which the analysis targets something known to be “bad”, is the technique used
by most commercial systems. Anomaly detection, in which the analysis looks for abnormal patterns of activity,
has been, and continues to be, the subject of a great deal of research. Anomaly detection is used in limited
form by a number of IDSs. There are strengths and weaknesses associated with each approach, and it appears
that the most effective IDSs use mostly misuse detection methods with a smattering of anomaly detection
components.
QUESTION 561
Misuse detectors analyze system activity and identify patterns. The patterns corresponding to known attacks are
called:
A. Attachments
B. Signatures
C. Strings
D. Identifications
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Misuse detectors analyze system activity, looking for events or sets of events that match a predefined pattern of
events that describe a known attack. As the patterns corresponding to known attacks are called signatures,
misuse detection is sometimes called “signature-based detection.” The most common form of misuse detection
used in commercial products specifies each pattern of events corresponding to an attack as a separate
signature. However, there are more sophisticated approaches to doing misuse detection (called “state-based”
analysis techniques) that can leverage a single signature to detect groups of attacks.
QUESTION 562
Which of the following is an obvious disadvantage of deploying misuse detectors?
A. They are costly to setup.
B. They are not accurate.
C. They must be constantly updated with signatures of new attacks.
D. They are costly to use.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Misuse detectors can only detect those attacks they know about – therefore they must be constantly updated
with signatures of new attacks. Many misuse detectors are designed to use tightly defined signatures that
prevent them from detecting variants of common attacks. State-based misuse detectors can overcome this
limitation, but are not commonly used in commercial IDSs.
QUESTION 563
What detectors identify abnormal unusual behavior on a host or network?
A. None of the choices.
B. Legitimate detectors.
C. Anomaly detectors.
D. Normal detectors.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Anomaly detectors identify abnormal unusual behavior (anomalies) on a host or network. They function on the
assumption that attacks are different from “normal” (legitimate) activity and can therefore be detected by
systems that identify these differences. Anomaly detectors construct profiles representing normal behavior of
users, hosts, or network connections. These profiles are constructed from historical data collected over a
period of normal operation. The detectors then collect event data and use a variety of measures to determine
when monitored activity deviates from the norm.
QUESTION 564
A network-based IDS is which of the following?
A. active while it acquires data
B. passive while it acquires data
C. finite while it acquires data
D. infinite while it acquires data
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 565
Which of the following usually provides reliable, real-time information without consuming network or host
resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “A network-based IDS has little negative effect on overall network performance, and because it is
deployed on a single-purpose system, it doesn’t adversely affect the performance of any other computer.” Pg
34 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 566
Which of the following would assist in intrusion detection?
A. audit trails
B. access control lists
C. security clearances
D. host-based authentication
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 567
Using clipping levels refers to:
A. setting allowable thresholds on reported activity
B. limiting access to top management staff
C. setting personnel authority limits based on need-to-know basis
D. encryption of data so that it cannot be stolen
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 568
In what way can violation clipping levels assist in violation tracking and analysis?
A. Clipping levels set a baseline for normal user errors, and violations exceeding that threshold will be
recorded for analysis of why the violations occurred
B. Clipping levels enable a security administrator to customize the audit trail to record only those violations
which are deemed to be security relevant
C. Clipping levels enable the security administrator to customize the audit trail to record only actions for users
with access to usercodes with a privileged status
D. Clipping levels enable a security administrator to view all reductions in security levels which have been
made to usercodes which have incurred violations
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 569
When establishing a violation tracking and analysis process, which one of the following parameters is used to
keep the quantity of data to manageable levels?
A. Quantity baseline
B. Maximum log size
C. Circular logging
D. Clipping levels
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: To make violation tracking effective, clipping levels must be established. A clipping level is a
baseline of user activity that is considered a routine level of user errors. When a clipping level is exceeded, a
violation record is then produced. Clipping levels are also used for variance detection. -Ronald Krutz The
CISSP PREP Guide (gold edition) pg 318
QUESTION 570
Audit trails based upon access and identification codes establish…
A. intrusion detection thresholds
B. individual accountability
C. audit review criteria
D. individual authentication
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Accountability is another facet of access control. Individuals on a system are responsible for their
actions. This accountability property enables system activities to be traced to the proper individuals.
Accountability is supported by audit trails that record events on the system and on the network. Audit trails can
be used for intrusion detection and for the reconstruction of past events. -Ronald Krutz The CISSP PREP
Guide (gold edition) pg 65
QUESTION 571
The primary reason for enabling software audit trails is which of the following?
A. Improve system efficiency
B. Improve response time for users
C. Establish responsibility and accountability
D. Provide useful information to track down processing errors
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Auditing capabilities ensure that users are accountable for their actions, verify that the security
policies are enforced, and are used as investigation tools.” Pg 161 Shon Harris: All-in-One CISSP Certification
QUESTION 572
Tracing violations, or attempted violations of system security to the user responsible is a function of?
A. authentication
B. access management
C. integrity checking
D. accountability
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Auditing capabilities ensure that users are accountable for their actions, verify that the security
policies are enforced, worked as a deterrent to improper actions, and are used as
investigation tools. – Shon Harris All-in-one CISSP Certification Guide pg 182
QUESTION 573
According to the Minimum Security Requirements (MSR) for Multi-User Operating Systems (NISTIR 5153)
document, which of the following statements pertaining to audit data recording is incorrect?
A. The system shall provide end-to-end user accountability for all security-relevant events
B. The system shall protect the security audit trail from unauthorized access
C. For maintenance purposes, it shall be possible to disable the recording of activities that require privileges.
D. The system should support an option to maintain the security audit trail data in encrypted format
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 574
Which of the following questions is less likely to help in assessing controls over audit trails?
A. Does the audit trail provide a trace of user actions?
B. Are incidents monitored and tracked until resolved?
C. Is access to online logs strictly controlled?
D. Is there separation of duties between security personnel who administer the access control function and
those who administer the audit trail?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 575
You should keep an audit trail of which of the following items?
A. Password usage.
B. All unsuccessful logon.
C. All of the choices.
D. All successful logon.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Keep an audit trail of password usage; log all successful logons and unsuccessful logons with date, time, ID, and login name.
Control the maximum logon attempt rate where possible. Where possible, users must be automatically logged off
after 30 minutes of inactivity.
QUESTION 576
In addition to providing an audit trail required by auditors, logging can be used to
A. provide backout and recovery information
B. prevent security violations
C. provide system performance statistics
D. identify fields changed on master files.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Auditing tools are technical controls that track activity within a network, on a network device, or on a
specific computer. Even though auditing is not an activity that will deny an entity access to a network or
computer, it will track activities so a network administrator can understand the types of access that took place,
identify a security breach, or warn the administrator of suspicious activity. This can be used to point out
weaknesses of their technical controls and help administrators understand where changes need to be made to
preserve the necessary security level within the environment. – Shon Harris All-in-one CISSP Certification
Guide pg 179-180
QUESTION 577
Which of the following should NOT be logged for performance problems?
A. CPU load.
B. Percentage of use.
C. Percentage of idle time.
D. None of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The level of logging will be set according to your company requirements. Below is a list of items that could be
logged; please note that some of the items may not be applicable to all operating systems. What is being
logged depends on whether you are looking for performance problems or security problems. However, you have
to be careful about performance problems that could affect your security.
QUESTION 578
Which of the following should be logged for security problems?
A. Use of mount command.
B. Percentage of idle time.
C. Percentage of use.
D. None of the choices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The level of logging is determined by your company's requirements. Below is a list of items that could be
logged; please note that some of the items may not be applicable to all operating systems. What is being
logged depends on whether you are looking for performance problems or security problems. However, you have
to be careful about performance problems that could affect your security.
QUESTION 579
Which of the following services should be logged for security purpose?
A. bootp
B. All of the choices.
C. sunrpc
D. tftp
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Requests for the following services should be logged: systat, bootp, tftp, sunrpc, snmp, snmp-trap, nfs.
QUESTION 580
The auditing method that assesses the extent of the system testing, and identifies specific program logic that
has not been tested is called
A. Decision process analysis
B. Mapping
C. Parallel simulation
D. Test data method
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Testing of software modules or unit testing should be addressed when the modules are being
designed. Personnel separate from the programmers should conduct this testing. The test data is part of the
specifications. Testing should not only check the modules using normal and valid input data, but it should also
check for incorrect types, out-of-range values, and other bounds and/or conditions. Live or actual field data is
not recommended for use in the testing procedures because both data types might not cover out-of-range
situations and the correct outputs of the test are unknown. Special test suites of data that exercise all paths of
the software to the fullest extent possible and whose corrected resulting outputs are known beforehand should
be used.” Pg. 345 Krutz: The CISSP Prep Guide: Gold Edition.
QUESTION 581
Who should NOT have access to the log files?
A. Security staff.
B. Internal audit staff.
C. System administration staff.
D. Manager’s secretary.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Logs must be secured to prevent modification, deletion, and destruction. Only authorized persons should have
access or permission to read logs. A person is authorized if he or she is a member of the internal audit staff,
security staff, system administration staff, or he or she has a need for such access to perform regular duties.
QUESTION 582
Which of the following correctly describe the use of the collected logs?
A. They are used in the passive monitoring process only.
B. They are used in the active monitoring process only.
C. They are used in the active and passive monitoring process.
D. They are used in the archiving process only.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are kept in an archive for a
period of time. This period of time is determined by your company policies. This allows the use of logs for
regular and annual audits if retention is longer than a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 583
All logs are kept on archive for a period of time. What determines this period of time?
A. Administrator preferences.
B. MTTR
C. Retention policies
D. MTTF
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are kept in an archive for a
period of time. This period of time is determined by your company policies. This allows the use of logs for
regular and annual audits if retention is longer than a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 584
Logs must be secured to prevent:
A. Creation, modification, and destruction.
B. Modification, deletion, and initialization.
C. Modification, deletion, and destruction.
D. Modification, deletion, and inspection.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
All logs collected are used in the active and passive monitoring process. All logs are kept in an archive for a
period of time. This period of time is determined by your company policies. This allows the use of logs for
regular and annual audits if retention is longer than a year. Logs must be secured to prevent modification,
deletion, and destruction.
QUESTION 585
To ensure dependable and secure logging, all computers must have their clock synchronized to:
A. A central timeserver.
B. The log time stamp.
C. The respective local times.
D. None of the choices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following prerequisites must be met to ensure dependable and secure logging:
All computers must have their clocks synchronized to a central timeserver to ensure accurate times on the events
being logged.
If possible, all logs should be centralized for easy analysis and also to help detect patterns of abuse across
servers.
Logging information traveling on the network must be encrypted if possible. Log files are stored and protected
on a machine that has a hardened shell. Log files must not be modifiable without a trace or record of such
modification.
QUESTION 586
To ensure dependable and secure logging, logging information traveling on the network should be:
A. Stored
B. Encrypted
C. Isolated
D. Monitored
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following prerequisites must be met to ensure dependable and secure logging:
All computers must have their clocks synchronized to a central timeserver to ensure accurate times on the events
being logged.
If possible, all logs should be centralized for easy analysis and also to help detect patterns of abuse across
servers.
Logging information traveling on the network must be encrypted if possible. Log files are stored and protected
on a machine that has a hardened shell. Log files must not be modifiable without a trace or record of such
modification.
QUESTION 587
The activity that consists of collecting information that will be used for monitoring is called:
A. Logging
B. Troubleshooting
C. Auditing
D. Inspecting
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Logging is the activity that consists of collecting information that will be used for monitoring and auditing.
Detailed logs combined with active monitoring allow detection of security issues before they negatively affect
your systems.
QUESTION 588
How often should logging be run?
A. Once every week.
B. Always
C. Once a day.
D. During maintenance.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Usually logging is done 24 hours per day, 7 days per week, on all available systems and services except during
the maintenance window where some of the systems and services may not be available while maintenance is
being performed.
QUESTION 589
Which of the following are security events on Unix that should be logged?
A. All of the choices.
B. Use of Setgid.
C. Change of permissions on system files.
D. Use of Setuid.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following file changes, conditions, and events are logged:
rhosts.
UNIX Kernel.
/etc/password.
rc directory structure.
bin files.
lib files.
Use of Setuid.
Use of Setgid.
Change of permission on system or critical files.
QUESTION 590
Which of the following are potential firewall problems that should be logged?
A. Reboot
B. All of the choices.
C. Proxies restarted.
D. Changes to configuration file.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The following firewall configuration problems are logged:
Reboot of the firewall.
Proxies that cannot start (e.g., within the TIS firewall).
Proxies or other important services that have died or restarted.
Changes to the firewall configuration file.
A configuration or system error while the firewall is running.
QUESTION 591
Which of the following is required in order to provide accountability?
A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: pg 5 Tittel: CISSP Study Guide
QUESTION 592
The principle of accountability is a principle by which specific action can be traced back to:
A. A policy
B. An individual
C. A group
D. A manager
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The principle of accountability has been described in many references; it is a principle by which a specific action
can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a
specific user. The definition of "significant" is entirely dependent on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific user is fine, but we
must also be able to ascertain that this specific user was responsible for the uninitiated action.
QUESTION 593
The principle of _________ is a principle by which a specific action can be traced back to any one of your users.
A. Security
B. Integrity
C. Accountability
D. Policy
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The principle of accountability has been described in many references; it is a principle by which a specific action
can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a
specific user. The definition of "significant" is entirely dependent on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific user is fine, but we
must also be able to ascertain that this specific user was responsible for the uninitiated action.
QUESTION 594
According to the principle of accountability, what action should be traceable to a specific user?
A. Material
B. Intangible
C. Tangible
D. Significant
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The principle of accountability has been described in many references; it is a principle by which a specific action
can be traced back to an individual. As mentioned by Idrach, any significant action should be traceable to a
specific user. The definition of "significant" is entirely dependent on your business circumstances and risk
management model. It was also mentioned by Rino that tracing the actions of a specific user is fine, but we
must also be able to ascertain that this specific user was responsible for the uninitiated action.
QUESTION 595
Which of the following best ensures accountability of users for actions taken within a system or domain?
A. Identification
B. Authentication
C. Authorization
D. Credentials
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Identification is the process by which a subject professes an identity and accountability is
initiated.” Pg 149 Tittel: CISSP Study Guide
“Identification and authentication are the keystones of most access control systems. Identification is the act of a
user professing an identity to a system, usually in the form of a log-on ID to the system. Identification
establishes user accountability for the actions on the system. Authentication is verification that the user’s
claimed identity is valid and is usually implemented through a user password at log-on time.” Pg 36 Krutz: The
CISSP Prep Guide
QUESTION 596
Individual accountability does not include which of the following?
A. unique identifiers
B. policies & procedures
C. access rules
D. audit trails
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 597
Controls provide accountability for individuals who are accessing sensitive information. This accountability is
accomplished:
A. through access control mechanisms that require identification and authentication and through the audit
function.
B. through logical or technical controls involving the restriction of access to systems and the protection of
information
C. through logical or technical controls but not involving the restriction of access to systems and the protection
of information.
D. through access control mechanisms that do not require identification and authentication and do not operate
through the audit function.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 598
What types of computer attacks are most commonly reported by IDSs?
A. System penetration
B. Denial of service
C. System scanning
D. All of the choices
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Three types of computer attacks are most commonly reported by IDSs: system scanning, denial of service
(DOS), and system penetration. These attacks can be launched locally, on the attacked machine, or remotely,
using a network to access the target. An IDS operator must understand the differences between these types of
attacks, as each requires a different set of responses.
QUESTION 599
Operation security requires the implementation of physical security to control which of the following?
A. unauthorized personnel access
B. incoming hardware
C. contingency conditions
D. evacuation procedures
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 600
Configuration Management is a requirement for the following level(s)?
A. B3 and A1
B. B1, B2 and B3
C. A1
D. B2, B3, and A1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference: pg 306 Krutz: CISSP Study Guide: Gold Edition
QUESTION 601
Which of the following is not concerned with configuration management?
A. Hardware
B. Software
C. Documentation
D. They all are concerned with configuration management
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 602
Configuration Management controls what?
A. Auditing of changes to the Trusted Computing Base
B. Control of changes to the Trusted Computing Base
C. Changes in the configuration access to the Trusted Computing Base
D. Auditing and controlling any changes to the Trusted Computing Base
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Official Definition of Configuration Management
Identifying, controlling, accounting for and auditing changes made to the baseline TCB, which includes changes
to hardware, software, and firmware.
A System that will control changes and test documentation through the operational life cycle of a system.” Pg
698 Shon Harris: All-in-One CISSP Certification
“[B3] The security administrator role is clearly defined, and the system must be able to recover from failures
without its security level being compromised.” Pg. 226 Shon Harris CISSP All-In-One Exam Guide
QUESTION 603
In addition to ensuring that changes to the computer system take place in an identifiable and controlled
environment, configuration management provides assurance that future changes:
A. The application software cannot bypass system security features.
B. Do not adversely affect implementation of the security policy.
C. The operating system is always subjected to independent validation and verification.
D. In technical documentation maintain an accurate description of the Trusted Computer Base.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “The primary security goal of configuration management is to ensure that changes to the system
do not unintentionally diminish security.” Pg 306 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 604
Which set of principal tasks constitutes configuration management?
A. Program management, system engineering, and quality assurance.
B. Requirements verification, design, and system integration and testing.
C. Independent validation and verification of the initial and subsequent baseline.
D. Identification, control, status accounting, and auditing of changes.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Configuration management is the process of tracking and approving changes to a system. It
involves identifying, controlling, and auditing all changes made to the system.
Pg. 223 Krutz: The CISSP Prep Guide
QUESTION 605
If the computer system being used contains confidential information, users must not:
A. Leave their computer without first logging off.
B. Share their desks.
C. Encrypt their passwords.
D. Communicate
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
If the computer system being used or to which a user is connected contains sensitive or confidential
information, users must not leave their computer, terminal, or workstation without first logging off. Users should
be reminded frequently to follow this rule.
QUESTION 606
Separation of duties is valuable in deterring:
A. DoS
B. external intruder
C. fraud
D. trojan horse
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Separation of duties is considered valuable in deterring fraud, since fraud can occur if an opportunity exists for
collaboration between various job-related capabilities. Separation of duty requires that, for particular sets of
transactions, no single individual be allowed to execute all transactions within the set. The most commonly
used example is the pair of separate transactions needed to initiate a payment and to authorize a payment. No
single individual should be capable of executing both transactions.
QUESTION 607
What principle requires that for particular sets of transactions, no single individual be allowed to execute all
transactions within the set?
A. Use of rights
B. Balance of power
C. Separation of duties
D. Fair use
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Separation of duties is considered valuable in deterring fraud, since fraud can occur if an opportunity exists for
collaboration between various job-related capabilities. Separation of duty requires that, for particular sets of
transactions, no single individual be allowed to execute all transactions within the set. The most commonly
used example is the pair of separate transactions needed to initiate a payment and to authorize a payment. No
single individual should be capable of executing both transactions.
QUESTION 608
Separation of duty can be:
A. Dynamic only
B. Encrypted
C. Static only
D. Static or dynamic
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Separation of duty can be either static or dynamic. Compliance with static separation requirements can be
determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more
difficult case is dynamic separation of duty where compliance with requirements can only be determined during
system operation. The objective behind dynamic separation of duty is to allow more flexibility in operations.
QUESTION 609
What is the company benefit, in terms of risk, for people taking a vacation of a specified minimum length?
A. Reduces stress levels, thereby lowering insurance claims.
B. Improves morale, thereby decreasing errors.
C. Increases potential for discovering frauds.
D. Reduces dependence on critical individuals.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: Mandatory vacations are another type of administrative control that may sound a bit odd at first.
Chapter 3 touches on reasons to make sure that employees take their vacations; this has to do with being able
to identify fraudulent activities and enable job rotation to take place. – Shon Harris All-in-one CISSP Certification
Guide pg 810
QUESTION 610
Which of the following would be less likely to prevent an employee from reporting an incident?
A. They are afraid of being pulled into something they don’t want to be involved with
B. The process of reporting incidents is centralized
C. They are afraid of being accused of something they didn’t do
D. They are unaware of the company’s security policies and procedures
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reasons why a user won’t report an incident (page 882 of Shon Harris, 5th edition):
– Afraid of being pulled into something
– Afraid of being accused
Logically, they may also be unaware of the procedure.
There is no reason that reporting incidents to a centralized location would be a problem, so that leaves it as the
answer.
QUESTION 611
Employee involuntary termination processing should include
A. A list of all passwords used by the individual.
B. A report on outstanding projects.
C. The surrender of any company identification.
D. Signing a non-disclosure agreement.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Before the employee is released, all organization-specific identification, access, or security
badges as well as cards, keys, and access tokens should be collected.”
Pg. 173 Tittel: CISSP Study Guide
QUESTION 612
Which trusted facility management concept implies that two operators must review and approve the work of
each other?
A. Two-man control
B. Dual control
C. Double control
D. Segregation control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
“In the concept of two-man control, two operators review and approve the work of each other. The purpose of
two-man control is to provide accountability and to minimize fraud in highly sensitive or high-risk transactions.
The concept of dual control means that both operators are needed to complete a sensitive task.” Pg. 303 Krutz:
The CISSP Prep Guide: Gold Edition.
QUESTION 613
When two operators review and approve the work of each other, this is known as?
A. Dual control
B. Two-man control
C. Two-fold control
D. Twin control
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 614
What security procedure forces an operator into collusion with an operator of a different category to have
access to unauthorized data?
A. Enforcing regular password changes
B. Management monitoring of audit logs
C. Limiting the specific accesses of operations personnel
D. Job rotation of people through different assignments
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 615
Which of the following user items can be shared?
A. Password
B. Home directory
C. None of the choices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Each user assigned directory (home directory) is not to be shared with others. None of the choices is correct.
QUESTION 616
What should you do to the user accounts as soon as employment is terminated?
A. Disable the user accounts and erase immediately the data kept.
B. Disable the user accounts and have the data kept for a specific period of time.
C. None of the choices.
D. Maintain the user accounts and have the data kept for a specific period of time.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A record of user logins with time and date stamps must be kept. User accounts shall be disabled and data kept
for a specified period of time as soon as employment is terminated. All users must log on to gain network
access.
QUESTION 617
What is the main objective of proper separation of duties?
A. To prevent employees from disclosing sensitive information
B. To ensure access controls are in place
C. To ensure that no single individual can compromise a system
D. To ensure that audit trails are not tampered with
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Separation of duties (also called segregation of duties) assigns parts of tasks to different
personnel. Thus if no single person has total control of the system’s security mechanisms, the theory is that no
single person can completely compromise the system.”
Pg. 303 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 618
What are the benefits of job rotation?
A. All of the choices.
B. Trained backup in case of emergencies.
C. Protect against fraud.
D. Cross training to employees.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Job assignments should be changed periodically so that it is more difficult for users to collaborate to exercise
complete control of a transaction and subvert it for fraudulent purposes. This principle is effective when used in
conjunction with separation of duties. Problems in effectively rotating duties usually appear in organizations
with limited staff resources and inadequate training programs. Rotation of duties protects against fraud,
provides cross-training to your employees, and assures a trained backup in case of emergencies.
QUESTION 619
Which of the following control pairings includes organizational policies and procedures, pre-employment
background checks, strict hiring practices, employment agreements, friendly and unfriendly employee
termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security
awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and
networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 620
Which of the following are functions that are compatible in a properly segregated environment?
A. Application programming and computer operation
B. Systems programming and job control analysis
C. Access authorization and database administration
D. Systems development and systems maintenance
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 621
Which of the following are functions that are compatible in a properly segregated environment?
A. Security administration and quality assurance
B. Security administration and data entry
C. Security administration and application programming
D. Application programming and data entry
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Security Administration and Quality Assurance are the most similar tasks.
Administrative Management: Administrative management is a very important piece of operational security. One
aspect of administrative management is dealing with personnel issues. This includes separation of duties and
job rotation. The objective of separation of duties is to ensure that one person acting alone cannot compromise
the company’s security in any way. High-risk activities should be broken up into different parts and distributed to
different individuals. This way the company does not need to put a dangerously high level of t