CHAPTER 17 Questions Flashcards
Which of the following are valid incident management steps or phases as listed in the CISSP objectives? (Choose all that apply.)
A. Prevention
B. Detection
C. Reporting
D. Lessons learned
E. Backup
B. Detection
C. Reporting
D. Lessons learned
Detection, reporting, and lessons learned are valid incident management steps. Prevention is done before an incident. Creating backups can help recover systems, but it isn’t one of the incident management steps. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
You are troubleshooting a problem on a user’s computer. After viewing the host-based intrusion detection system (HIDS) logs, you determine that the computer has been compromised by malware. Of the following choices, what should you do next?
A. Isolate the computer from the network.
B. Review the HIDS logs of neighboring computers.
C. Run an antivirus scan.
D. Analyze the system to discover how it was infected.
A. Isolate the computer from the network.
Your next step is to isolate the computer from the network as part of the mitigation phase. You might look at other computers later, but you should try to mitigate the problem first. Similarly, you might run an antivirus scan, but later. The lessons learned phase is last and will analyze an incident to determine the cause.
In the incident management steps identified by (ISC)2, which of the following occurs first?
A. Response
B. Mitigation
C. Remediation
D. Detection
D. Detection
The first step is detection. The seven steps (in order) are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
Which of the following are basic security controls that can prevent many attacks? (Choose three.)
A. Keep systems and applications up to date.
B. Implement security orchestration, automation, and response (SOAR) technologies.
C. Remove or disable unneeded services or protocols.
D. Use up-to-date antimalware software.
E. Use WAFs at the border.
A. Keep systems and applications up to date.
C. Remove or disable unneeded services or protocols.
D. Use up-to-date antimalware software.
The three basic security controls listed are 1) keep systems and applications up to date, 2) remove or disable unneeded services or protocols, and 3) use up-to-date antimalware software. SOAR technologies implement advanced methods to detect and automatically respond to incidents. It’s appropriate to place a network firewall at the border (between the internet and the internal network), but a web application firewall (WAF) sits in front of web servers and filters only the traffic going to them.
Security administrators are reviewing all the data gathered by event logging. Which of the following best describes this body of data?
A. Identification
B. Audit trails
C. Authorization
D. Confidentiality
B. Audit trails
Audit trails provide documentation on what happened, when it happened, and who did it. They are built from the entries that systems record in their logs; personnel reconstruct events by examining those logs. Authentication of individuals is also needed to ensure that the audit trails provide proof of the identities listed in the logs. Identification occurs when an individual claims an identity, but identification without authentication doesn’t provide accountability. Authorization grants individuals access to resources based on their proven identity. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.
A file server in your network recently crashed. An investigation showed that logs grew so much that they filled the disk drive. You decide to enable rollover logging to prevent this from happening again. Which of the following should you do first?
A. Configure the logs to overwrite old entries automatically.
B. Copy existing logs to a different drive.
C. Review the logs for any signs of attacks.
D. Delete the oldest log entries.
B. Copy existing logs to a different drive.
The first step should be to copy existing logs to a different drive so that they are not lost. If you enable rollover logging, you are configuring the logs to overwrite old entries. It’s not necessary to review the logs before copying them. If you delete the oldest log entries first, you may delete valuable data.
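The order of operations in this answer (preserve first, then enable overwriting) is easy to get backwards in practice. The following is an added example, not code from the study guide, showing the two steps in Python: copy the existing logs to a separate location and verify each copy with a hash, and only then attach a size-based rollover handler. The directory layout, the logger name "fileserver" and the sample log contents are constructed for the example.

```python
import hashlib
import logging
import shutil
import tempfile
from logging.handlers import RotatingFileHandler
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large log files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_existing_logs(log_dir, archive_dir):
    """Step 1: copy every existing log off the full volume and verify each copy.
    Returns a manifest {filename: sha256} of what was preserved."""
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(log_dir.glob("*.log*")):
        dst = archive_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps timestamps, useful for later forensics
        src_hash, dst_hash = sha256_of(src), sha256_of(dst)
        if src_hash != dst_hash:
            raise IOError(f"verification failed for {src.name}")
        manifest[src.name] = dst_hash
    return manifest


def enable_rollover(log_path, max_bytes, backup_count):
    """Step 2: only after the archive is verified, switch to size-based rollover.
    Once max_bytes is reached, RotatingFileHandler renames older files and
    discards the oldest beyond backup_count; anything not archived is lost."""
    logger = logging.getLogger("fileserver")  # assumed logger name for the example
    logger.setLevel(logging.INFO)
    for old in list(logger.handlers):
        logger.removeHandler(old)
        old.close()
    handler = RotatingFileHandler(log_path, maxBytes=max_bytes, backupCount=backup_count)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


def demo(base_dir=None):
    """Run the procedure against a throwaway directory tree (constructed data)."""
    base = Path(base_dir or tempfile.mkdtemp())
    log_dir, archive_dir = base / "var_log", base / "archive_drive"
    log_dir.mkdir(parents=True, exist_ok=True)
    live_log = log_dir / "fileserver.log"
    live_log.write_text("old entry 1\nold entry 2\n")  # pre-existing evidence

    manifest = archive_existing_logs(log_dir, archive_dir)
    logger = enable_rollover(live_log, max_bytes=200, backup_count=3)
    for i in range(50):  # enough writes to roll over several times
        logger.info("event %d", i)
    for h in list(logger.handlers):
        logger.removeHandler(h)
        h.close()

    return {
        "manifest": manifest,
        "live_files": sorted(p.name for p in log_dir.iterdir()),
        # the rollover has pushed the original entries out of the live directory...
        "old_entries_still_live": any("old entry 1" in p.read_text() for p in log_dir.iterdir()),
        # ...but they survive in the verified archive copy
        "old_entries_archived": "old entry 1" in (archive_dir / "fileserver.log").read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows why the copy has to come first: after the rollover handler has cycled a few times, the original entries no longer exist in the live log directory at all, and the only copy is the one archived before the handler was attached.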
You suspect an attacker has launched a fraggle attack on a system. You check the logs and filter your search with the protocol used by fraggle. What protocol would you use in the filter?
A. User Datagram Protocol (UDP)
B. Transmission Control Protocol (TCP)
C. Internet Control Message Protocol (ICMP)
D. Security orchestration, automation, and response (SOAR)
A. User Datagram Protocol (UDP)
Fraggle is a denial-of-service (DoS) attack that uses UDP: it sends UDP packets (typically to the echo and chargen ports, 7 and 19) to a broadcast address with the victim’s address spoofed as the source, so every host that responds floods the victim. Other attacks, such as a SYN flood attack, use TCP. A smurf attack works the same way but uses ICMP echo requests. SOAR is a group of technologies that provide automated responses to common attacks, not a protocol.
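To make the "filter by protocol" step concrete, here is an added example (not from the study guide) that parses a few constructed key=value flow-log lines, filters them by protocol, and then narrows the UDP and ICMP records to the pattern these two amplification attacks leave behind: traffic to the local broadcast address, on the echo/chargen ports for fraggle or as ICMP echo requests for smurf. The log format, the addresses and the local network 192.0.2.0/24 are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from any real device): a simplified
# firewall/flow-log format with key=value fields. The src field on the
# broadcast-bound packets is the spoofed victim address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proto=UDP src=203.0.113.9 dst=192.0.2.255 sport=40001 dport=7 len=1024
2024-05-01T10:00:01Z proto=UDP src=203.0.113.9 dst=192.0.2.255 sport=40002 dport=19 len=1024
2024-05-01T10:00:01Z proto=ICMP src=203.0.113.9 dst=192.0.2.255 type=8 code=0 len=64
2024-05-01T10:00:02Z proto=TCP src=198.51.100.4 dst=192.0.2.10 sport=51234 dport=443 flags=S len=60
2024-05-01T10:00:02Z proto=UDP src=192.0.2.20 dst=192.0.2.53 sport=51000 dport=53 len=72
2024-05-01T10:00:03Z proto=UDP src=203.0.113.9 dst=192.0.2.255 sport=40003 dport=7 len=1024
"""

KV = re.compile(r"(\w+)=(\S+)")
FRAGGLE_PORTS = {"7", "19"}  # UDP echo and chargen


def parse_log(text):
    """Turn each line into a dict of fields, keeping the timestamp under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        rec = {"ts": ts}
        rec.update(KV.findall(rest))
        records.append(rec)
    return records


def filter_protocol(records, proto):
    """The filter from the question: keep only records for one protocol."""
    return [r for r in records if r.get("proto", "").upper() == proto.upper()]


def find_amplification(records, local_net):
    """Split broadcast-bound records into fraggle (UDP echo/chargen) and
    smurf (ICMP echo request, type 8) candidates."""
    broadcast = ipaddress.ip_network(local_net).broadcast_address
    hits = {"fraggle": [], "smurf": []}
    for r in records:
        if ipaddress.ip_address(r["dst"]) != broadcast:
            continue  # unicast traffic cannot be reflected off the whole subnet
        if r["proto"] == "UDP" and r.get("dport") in FRAGGLE_PORTS:
            hits["fraggle"].append(r)
        elif r["proto"] == "ICMP" and r.get("type") == "8":
            hits["smurf"].append(r)
    return hits


def victims(hit_records):
    """Count spoofed source addresses: these are the hosts being flooded."""
    return dict(Counter(r["src"] for r in hit_records))


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    udp_only = filter_protocol(records, "UDP")
    hits = find_amplification(udp_only + filter_protocol(records, "ICMP"), "192.0.2.0/24")
    print("fraggle victims:", victims(hits["fraggle"]))
    print("smurf victims:", victims(hits["smurf"]))
```

The protocol filter alone still leaves legitimate UDP (the DNS query to 192.0.2.53 above); the broadcast-destination and port checks are what separate reflection traffic from normal use.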
You are updating the training manual for security administrators and want to add a description of a zero-day exploit. Which of the following best describes a zero-day exploit?
A. An attack that exploits a vulnerability that doesn’t have a patch or fix
B. A newly discovered vulnerability that doesn’t have a patch or fix
C. An attack on systems without an available patch
D. Malware that delivers its payload after a user starts an application
A. An attack that exploits a vulnerability that doesn’t have a patch or fix
A zero-day exploit is an attack that exploits a vulnerability that doesn’t have a patch or fix. A newly discovered vulnerability is only a vulnerability until someone tries to exploit it. Attacks on unpatched systems aren’t zero-day exploits. A virus is a type of malware that delivers its payload after a user launches an application.
Users in an organization complain that they can’t access several websites that are usually available. After troubleshooting the issue, you discover that an intrusion prevention system (IPS) is blocking the traffic, but the traffic is not malicious. What does this describe?
A. A false negative
B. A honeynet
C. A false positive
D. Sandboxing
C. A false positive
This is a false positive. The IPS falsely identified normal web traffic as an attack and blocked it. A false negative occurs when a system doesn’t detect an actual attack. A honeynet is a group of honeypots used to lure attackers. Sandboxing provides an isolated environment for testing and is unrelated to this question.
You are installing a new intrusion detection system (IDS). It requires you to create a baseline before fully implementing it. Which of the following best describes this IDS?
A. A pattern-matching IDS
B. A knowledge-based IDS
C. A signature-based IDS
D. An anomaly-based IDS
D. An anomaly-based IDS
An anomaly-based IDS requires a baseline, and it then monitors traffic for any anomalies or changes when compared to the baseline. It’s also called behavior-based or heuristics-based detection. Pattern-based detection (also known as knowledge-based detection and signature-based detection) uses known signatures to detect attacks and needs no baseline.
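The difference between the two approaches is clearer in code. The following added example (not from the study guide) learns a baseline from a constructed window of per-minute connection counts, scores later observations by how many standard deviations they sit from that baseline, and, for contrast, matches a log line against a fixed signature. The numbers, the log-line format and the single signature are all assumptions made for the example.

```python
import re
import statistics

# Constructed baseline: new outbound connections per minute from one host
# during a learning window with no attacks (values made up for the example).
BASELINE_WINDOW = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13, 12, 14]

# Constructed observations after the baseline is set; minute 2 is the burst a
# worm or scanner would produce.
OBSERVED = [13, 14, 40, 12, 15]


def build_baseline(samples):
    """Learn what 'normal' looks like: mean and standard deviation of the metric."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate variance")
    return {"mean": statistics.fmean(samples), "stdev": statistics.stdev(samples)}


def anomaly_score(value, baseline):
    """Z-score: how many standard deviations the value sits from the baseline mean."""
    if baseline["stdev"] == 0:
        return 0.0 if value == baseline["mean"] else float("inf")
    return (value - baseline["mean"]) / baseline["stdev"]


def detect_anomalies(observations, baseline, threshold=3.0):
    """Return (minute, value, score) for each observation beyond the threshold."""
    flagged = []
    for minute, value in enumerate(observations):
        score = anomaly_score(value, baseline)
        if abs(score) > threshold:
            flagged.append((minute, value, round(score, 2)))
    return flagged


# Signature (knowledge-based) detection for contrast: a fixed pattern for UDP
# chargen traffic to a /24 broadcast address, and no baseline at all.
SIGNATURES = {
    "udp-chargen-broadcast": re.compile(r"proto=UDP .*dst=\d+\.\d+\.\d+\.255 .*dport=19\b"),
}


def signature_match(log_line):
    """Names of every signature that matches the line (empty list if none)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(log_line)]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_WINDOW)
    print("baseline:", baseline)
    print("anomalies:", detect_anomalies(OBSERVED, baseline))
    known = "proto=UDP src=203.0.113.9 dst=192.0.2.255 sport=1 dport=19 len=1024"
    novel = "proto=UDP src=203.0.113.9 dst=192.0.2.255 sport=1 dport=7 len=1024"
    print("known pattern:", signature_match(known), "novel variant:", signature_match(novel))
```

The signature catches only the port-19 variant it was written for, while the anomaly detector flags the burst without knowing what caused it. The cost is the flip side of the baseline: a legitimate change in behaviour (a new backup job running at 40 connections per minute, say) would be flagged exactly the same way until the baseline is rebuilt.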
An administrator is implementing an intrusion detection system. Once installed, it will monitor all traffic and raise alerts when it detects suspicious traffic. Which of the following best describes this system?
A. A host-based intrusion detection system (HIDS)
B. A network-based intrusion detection system (NIDS)
C. A honeynet
D. A network firewall
B. A network-based intrusion detection system (NIDS)
A NIDS will monitor all traffic and raise alerts when it detects suspicious traffic. A HIDS only monitors a single system. A honeynet is a network of honeypots used to lure attackers away from live networks. A network firewall filters traffic, but it doesn’t raise alerts on suspicious traffic.
You are installing a system that management hopes will reduce incidents in the network. The setup instructions require you to configure it inline with traffic so that all traffic goes through it before reaching the internal network. Which of the following choices best identifies this system?
A. A network-based intrusion prevention system (NIPS)
B. A network-based intrusion detection system (NIDS)
C. A host-based intrusion prevention system (HIPS)
D. A host-based intrusion detection system (HIDS)
A. A network-based intrusion prevention system (NIPS)
This describes a NIPS. It monitors network traffic and is placed inline with the traffic so that it can block what it detects. A NIDS isn’t placed inline, so it isn’t the best choice. Host-based systems run on and monitor a single host, not the network traffic passing between hosts.
After installing an application on a user’s system, your supervisor told you to remove it because it is consuming most of the system’s resources. Which of the following systems did you most likely install?
A. A network-based intrusion detection system (NIDS)
B. A web application firewall (WAF)
C. A security information and event management (SIEM) system
D. A host-based intrusion detection system (HIDS)
D. A host-based intrusion detection system (HIDS)
A drawback of some HIDSs is that they interfere with a single system’s normal operation by consuming too many resources. The other options refer to applications that aren’t installed on user systems.
You are replacing a failed switch. The configuration documentation for the original switch indicates a specific port needs to be configured as a mirrored port. Which of the following network devices would connect to this port?
A. An intrusion prevention system (IPS)
B. An intrusion detection system (IDS)
C. A honeypot
D. A sandbox
B. An intrusion detection system (IDS)
An IDS is most likely to connect to a switch port configured as a mirrored port. An IPS is placed in line with traffic, so it is placed before the switch. A honeypot doesn’t need to see all traffic going through a switch. A sandbox is an isolated area often used for testing and would not need all traffic from a switch.
A network includes a network-based intrusion detection system (NIDS). However, security administrators discovered that an attack entered the network and the NIDS did not raise an alarm. What does this describe?
A. A false positive
B. A false negative
C. A fraggle attack
D. A smurf attack
B. A false negative
A false negative occurs when there is an attack but the IDS doesn’t detect it and raise an alarm. In contrast, a false positive occurs when an IDS incorrectly raises an alarm, even though there isn’t an attack. The attack may be a UDP-based fraggle attack or an ICMP-based smurf attack, but the attack is real, and since the IDS doesn’t detect it, it is a false negative.
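This card and the earlier IPS card (normal web traffic blocked) are the two halves of the same tuning problem. The following is an added example, not code from the study guide, that labels each event as a true positive, false positive, false negative or true negative given a detector score and a threshold, computes the two error rates, and sweeps the threshold to show the trade-off. The events, scores and ground-truth labels are constructed for the example.

```python
from collections import Counter

# Constructed events: (event id, detector score, is_attack per later investigation).
# Scores are made up; higher means the detector considers the event more suspicious.
SCORED_EVENTS = [
    ("web-1",     2.1, False),  # ordinary website traffic
    ("web-2",     3.4, False),  # ordinary website traffic that happens to look odd
    ("fraggle-1", 1.8, True),   # real UDP amplification attack with a low score
    ("syn-1",     6.0, True),   # real SYN flood with a high score
    ("dns-1",     0.3, False),
    ("dns-2",     0.5, False),
]


def outcome(is_attack, alerted):
    """Map ground truth and detector decision to the four possible outcomes."""
    if is_attack and alerted:
        return "TP"
    if is_attack and not alerted:
        return "FN"  # the card above: a real attack that raised no alarm
    if not is_attack and alerted:
        return "FP"  # the IPS card: legitimate traffic treated as an attack
    return "TN"


def evaluate(events, threshold):
    """Apply one alert threshold and return (outcome counts, per-event labels)."""
    counts = Counter({"TP": 0, "FP": 0, "FN": 0, "TN": 0})
    labels = {}
    for event_id, score, is_attack in events:
        alerted = score >= threshold
        label = outcome(is_attack, alerted)
        counts[label] += 1
        labels[event_id] = label
    return dict(counts), labels


def rates(counts):
    """False positive rate over benign events; false negative rate over attacks."""
    attacks = counts["TP"] + counts["FN"]
    benign = counts["FP"] + counts["TN"]
    return {
        "false_positive_rate": counts["FP"] / benign if benign else 0.0,
        "false_negative_rate": counts["FN"] / attacks if attacks else 0.0,
    }


def sweep(events, thresholds):
    """Error rates at each threshold: lowering it trades false negatives for false positives."""
    return {t: rates(evaluate(events, t)[0]) for t in thresholds}


if __name__ == "__main__":
    counts, labels = evaluate(SCORED_EVENTS, 3.0)
    print(counts, labels)
    for t, r in sweep(SCORED_EVENTS, [1.5, 2.0, 3.0, 4.0]).items():
        print(f"threshold {t}: {r}")
```

At a threshold of 3.0 the detector blocks web-2 (a false positive) and misses fraggle-1 (a false negative). Dropping the threshold to 1.5 removes the miss but now also blocks web-1; raising it to 4.0 removes both false positives but still misses the low-scoring attack. Neither error rate can be driven to zero by the threshold alone, which is why the reviewers in these two cards have to decide which mistake is more expensive for their network.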