Auditing


Which of the following statements best describes a benefit of using clipping levels? A. Clipping levels ignore baselines and generate alerts when they detect security violations. B. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold. C. Audit trails use clipping levels to record all potential alerts for accountability. D. Clipping levels ensure systems generate alerts when they detect any potential security violations.

B. Clipping levels ignore normal user errors, but generate alerts when these errors exceed a predetermined threshold. Clipping levels are not associated with baselines. It is possible to configure an audit trail without clipping levels, but if clipping levels exist, the audit trail does not ignore them. Clipping levels do not generate alerts when they detect any potential errors or security violations, but instead only generate alerts when they detect the number of events has exceeded a predetermined threshold.

Of the following choices, what is an example of an auditable event logged in an operating system's security log? A. Access through a firewall B. Accessing a website through a proxy server C. Reading a file D. The date and time when a service starts

C. A security log records auditable events related to resources, such as when a user reads, modifies, or deletes a file. Firewall and proxy server logs are not operating system logs. A system log would record events such as when a service stops or starts, but not security events.

What type of control is an audit trail? A. Preventive control B. Corrective control C. Detective control D. Physical access control

C. An audit trail is a technical detective control, because it uses technology and can detect incidents after they occur. A preventive control attempts to prevent incidents. A corrective control attempts to reverse the impact of an incident after it has occurred. A physical access control is an item that you can physically touch.

Who would measure the effectiveness of an organization's security controls? A. An administrator B. A manager C. An auditor D. A data owner

C. An auditor would measure the effectiveness of a security control. An internal auditor might have other roles, such as an administrator, a manager, or a data owner. However, when measuring the effectiveness of security controls, they are acting as an auditor.

Of the following choices, what is a primary method used for configuration control? A. Baseline B. Change management requests C. Security logs D. Password audits

A. A baseline is a primary method used for configuration control and it ensures that systems start in a known state. Automated or manual processes periodically examine the systems to verify the system still has the same configuration settings from the baseline. An organization doesn't approve and implement all change management requests, so examining the requests does not give an accurate representation of the server configuration. Security logs and password audits aren't typically used for configuration control.

A system ignores potential security violations until it detects a specific number of events. It then raises an alert. What does this describe? A. Clipping level B. Acceptance level C. Audit level D. Baseline level

A. A clipping level uses a predetermined number of events as a threshold. An auditing system ignores the events until it detects the number of events has exceeded the threshold level. Acceptance level and audit level are not valid terms. The question doesn't describe a baseline level.

Of the following choices, what is the best example of a log used as a deterrent for internal employees? A. Proxy server log B. Network firewall log C. Security audit D. Change management log

A. A proxy server log can serve as a deterrent for internal employees. If employees know that the server is monitoring and logging their activity, they may be less likely to engage in activity that violates the security policy. A network firewall log can capture activity for traffic to and from the Internet, but does not provide much of a deterrent for internal employees. A security audit is not a log. A change management log documents changes for a system.

You suspect that many internal systems may be part of a botnet. What log would you review to verify your suspicions? A. Network-based firewall logs B. Host-based firewall logs C. Operating system logs D. System security logs

A. Network-based firewall logs record traffic on the network, and because many systems are involved, network-based firewall logs are the best choice. Each of the other logs is a local log on an individual system. Using them would require checking logs on multiple systems, rather than checking logs on a single network-based firewall.

What is the purpose of reviewing logs? A. Detecting potential security events B. Preventing potential security events C. Correcting potential security events D. Deterring potential security events

A. Security professionals and auditors can detect potential security events by reviewing logs after the event has occurred. Reviewing the logs doesn't prevent an incident that has already occurred, and reviewing the logs does not enable security professionals and auditors to correct the effects of an incident. While logging some activity, such as proxy server logging, can deter events, reviewing the logs doesn't deter the activity.

An organization handles credit card data from customers on a regular basis. What provides the security objectives and requirements that the organization must follow? A. PCI DSS B. HIPAA C. FIPS Pub 200 D. NIST SP 800-53

A. The Payment Card Industry Data Security Standard (PCI DSS) provides 6 control objectives and 12 supporting requirements that organizations must follow if they process credit card payments from customers. The Health Insurance Portability and Accountability Act (HIPAA) covers organizations handling health- and medical-related data. Federal Information Processing Standard Publication 200 (FIPS Pub 200) identifies standards required by federal agencies. NIST SP 800-53 provides information on recommended security controls.

Of the following choices, what can help ensure that system modifications do NOT cause unintended outages? A. Security audit B. Change management C. Configuration control D. Audit trail

B. A change management program allows stakeholders to request changes and helps reduce unintended outages from unauthorized changes. A security audit examines an organization's policies and procedures to determine whether those who work in the organization follow these policies and procedures. Configuration control helps ensure that systems are configured in a secure manner and similarly to each other. An audit trail is one or more logs that can re-create events leading up to and occurring during an incident.

A user entered an incorrect password three times. Now, the user is no longer able to log on. What caused this to occur? A. Password policy B. Account lockout policy C. Clipping level D. Audit trail

B. An account lockout policy locks out an account after a predetermined number of failed logins. The password policy ensures that users create strong passwords and change them often. The account lockout policy is using a clipping level by ignoring failed login attempts until it detects a preset threshold, but the clipping level doesn't lock the account. An audit trail is one or more logs used to reconstruct events leading up to and occurring during an incident.

A badge reader records employee names, dates, and times when employees enter and exit a secure server room. An auditor reviewed the logs and noticed that they showed that many employees entered the room, but the logs do not show when all of the employees exited the room. What does this indicate? A. The badge reader is operational B. Tailgating C. The mantrap is not being used D. Unauthorized entry

B. Logs that include entries showing employees entered a secure area but do not include entries showing they exited indicate tailgating is occurring. Some employees are using their credentials to exit (and the logs show them exiting), but other employees are following closely behind these employees without showing their credentials (and the log doesn't include entries for these employees). While it is possible the badge reader has a problem, it is recording some employees exiting, so this isn't the most likely cause. Mantraps prevent tailgating, and if a mantrap is in use, employees would be forced to use it. There isn't any indication of unauthorized entry.

What type of log on a Microsoft system records auditable events, such as when a user deletes a file? A. System B. Security C. Application D. Forwarded Events

B. The Security log records auditable events, such as when a user accesses or deletes a file (as long as resource auditing is enabled). The System log records system events such as when a service stops or starts. The Application log records application events. The Forwarded Events log shows events forwarded from other systems as part of an event subscription.

Your organization uses strong authentication and authorization mechanisms and has robust logging capabilities. Combined, what do these three elements provide? A. Guaranteed security B. Prevention of unintended outages from unauthorized changes C. Accountability D. Configuration control

C. Authentication, authorization, and accounting (AAA) provide accountability, and logging provides the accounting element. Although AAA increases security, it does not guarantee security. Change management prevents unintended outages from unauthorized changes. Configuration control ensures systems are deployed with a secure baseline and maintain approved configuration settings for system stability.

Of the following choices, which one is NOT a recommended strategy for audit logs? A. Review the logs regularly B. Archive logs for later review C. Periodically overwrite logs D. Store logs on remote servers

C. If you periodically overwrite logs, it is no longer possible to review the logs. However, all of the other choices (review the logs, archive the logs, and store logs on remote servers) are recommended strategies to retain the integrity of audit logs.

An accounting system ignores logon failures until an account has three logon failures within a 30-minute period. It then generates an alert. What is the accounting system using? A. Account lockout B. Password policy C. Snipping level D. Clipping level

D. A clipping level uses a predetermined level as a threshold. A classic example is three or five logon failures in a short period, such as within 30 minutes. Although many operating systems use account lockout policies to actually lock the account after a predetermined level, the question doesn't ask what happens to the account, but instead asks what the accounting system is using to ignore the first two logon failures and only generate the alert after three logon failures. A password policy ensures that users have strong passwords and change them regularly. Snipping level isn't a valid term associated with accounting systems.

What do you call a group of one or more logs used to re-create events leading up to and occurring during an incident? A. A configuration control program B. A change management program C. A security audit D. An audit trail

D. An audit trail is one or more logs that can re-create events leading up to and occurring during an incident. Configuration control helps ensure that systems are configured in a secure manner. A change management program allows stakeholders to request changes and helps reduce unintended outages from unauthorized changes. A security audit examines an organization's policies and procedures to determine whether the organization follows these policies and procedures.

Your organization has recently completed a security audit. Which of the following is NOT a valid step to take after completing the audit? A. Approve changes B. Evaluate controls C. Implement fixes D. Delete the security audit

D. Organizations should keep security audits instead of deleting them. This allows personnel to use them as reference points in future audits. Audits typically evaluate existing controls and recommend changes. Management approves the changes and directs personnel within the organization to implement the fixes.

Which of the following is NOT a valid method used for configuration control? A. Imaging B. Microsoft's Group Policy C. Change management D. Proxy server logs

D. Proxy server logs record what websites users visit and are not used for configuration control. Each of the other choices can be used for configuration control.
