CISSP - Certified Information Systems Security Professional Study Guide, 2nd Edition (2004)


Exam Essentials

environments and system platforms, there are several common forms found in most environments: warning banners, keystroke monitoring, traffic analysis and trend analysis, and other monitoring tools. Be able to list the various monitoring tools and know when and how to use each tool.

Understand failure recognition and response. On systems that use manual review, failure recognition is the responsibility of the observer or auditor. In order to recognize a failure, one must understand what is normal and expected. When the monitored or audited events stray from this standard baseline, then a failure, breach, intrusion, error, or problem has occurred and a response must be initiated.
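The baseline-and-deviation idea above, as an added example that is not part of the study guide: constructed logon records establish a per-account baseline of failed logons per hour, and a later review window is checked against it, with any hour that strays past the tolerance returned as a finding for the response process. The record format, the tolerance factor, the floor of three failures and the account names are all assumptions made for this example.

```python
"""Failure recognition against a baseline (added example, not from the study guide).

The records, format, tolerance and floor are assumptions for this example.
The baseline window establishes what is "normal" for each account; the
review window is then compared against it.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit records: ISO-8601 timestamp, account, logon outcome.
BASELINE_LOG = """\
2004-03-01T09:02:11 alice LOGON_FAILURE
2004-03-01T09:02:40 alice LOGON_SUCCESS
2004-03-01T09:15:07 bob LOGON_SUCCESS
2004-03-01T14:30:55 bob LOGON_FAILURE
2004-03-01T14:31:20 bob LOGON_SUCCESS
2004-03-02T09:05:18 alice LOGON_SUCCESS
2004-03-02T10:11:02 alice LOGON_FAILURE
2004-03-02T10:11:30 alice LOGON_SUCCESS
2004-03-02T11:40:44 bob LOGON_SUCCESS
"""

# Constructed review window: bob shows a burst of failures at 02:00, and
# mallory is an account the baseline has never seen.
REVIEW_LOG = """\
2004-03-03T02:14:09 bob LOGON_FAILURE
2004-03-03T02:14:15 bob LOGON_FAILURE
2004-03-03T02:14:22 bob LOGON_FAILURE
2004-03-03T02:14:30 bob LOGON_FAILURE
2004-03-03T02:14:38 bob LOGON_FAILURE
2004-03-03T02:15:01 bob LOGON_SUCCESS
2004-03-03T09:01:05 alice LOGON_SUCCESS
2004-03-03T13:20:12 alice LOGON_FAILURE
2004-03-03T13:20:40 alice LOGON_SUCCESS
2004-03-03T16:00:00 mallory LOGON_FAILURE
2004-03-03T16:00:10 mallory LOGON_FAILURE
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(LOGON_SUCCESS|LOGON_FAILURE)$")


def parse(log):
    """Return (timestamp, account, outcome) tuples. A record the monitor cannot
    read is itself a deviation from the expected baseline, so it raises
    rather than being silently skipped."""
    events = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised record {line!r}")
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def failures_per_hour(events):
    """Count LOGON_FAILURE records per (account, hour)."""
    counts = defaultdict(int)
    for ts, account, outcome in events:
        if outcome == "LOGON_FAILURE":
            counts[(account, _hour(ts))] += 1
    return counts


def build_baseline(events):
    """Per-account (mean, max) failed logons per observed hour. Hours in which
    the account had no failures count as zero so that quiet hours pull the
    mean down, as they should."""
    counts = failures_per_hour(events)
    hours = {_hour(ts) for ts, _, _ in events}
    baseline = {}
    for account in {a for _, a, _ in events}:
        per_hour = [counts.get((account, h), 0) for h in hours]
        baseline[account] = (sum(per_hour) / len(per_hour), max(per_hour))
    return baseline


def find_deviations(baseline, events, tolerance=2, floor=3):
    """Flag any account-hour whose failure count exceeds both the floor and
    tolerance times the account's baseline maximum. Accounts absent from the
    baseline have no "normal", so only the floor applies to them."""
    findings = []
    for (account, hour), count in sorted(failures_per_hour(events).items()):
        mean, peak = baseline.get(account, (0.0, 0))
        threshold = max(floor, peak * tolerance)
        if count > threshold:
            findings.append({"account": account, "hour": hour.isoformat(),
                             "count": count, "baseline_mean": round(mean, 2),
                             "threshold": threshold})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in find_deviations(base, parse(REVIEW_LOG)):
        print(finding)
```

The floor matters: with no baseline at all, a single failure for a new account would otherwise be reported, which is the kind of noise that teaches a reviewer to ignore the report. In the constructed data only bob's 02:00 burst crosses the threshold; mallory's two failures stay below the floor and would be caught by a lower floor or a separate new-account rule.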

Understand what penetration testing is and be able to explain the methods used. Organizations use penetration testing to evaluate the strength of their security infrastructure. Know that it involves launching intrusion attacks on your network and be able to explain the methods used: war dialing, sniffing and eavesdropping, radiation monitoring, dumpster diving, and social engineering.

Know what TEMPEST is. TEMPEST is a standard for the study and control of electronic signals produced by various types of electronic hardware, such as computers, televisions, phones, and so on. Its primary goal is to prevent EMI and RF radiation from leaving a strictly defined area so as to eliminate the possibility of external radiation monitoring, eavesdropping, and signal sniffing.

Know what dumpster diving and scavenging are. Dumpster diving and scavenging involve digging through the refuse, remains, or leftovers from an organization or operation in order to discover or infer confidential information. Countermeasures to dumpster diving and scavenging include secure disposal of all garbage. This usually means shredding all documentation and incinerating all shredded material and other waste. Other safeguards include maintaining physical access control and monitoring the use of privileges online.

Understand social engineering. A social engineering attack is an attempt by an attacker to convince an employee to perform an unauthorized activity that subverts the security of an organization. Often the goal of social engineering is to gain access to the IT infrastructure or the physical facility. The primary protection against social engineering attacks is to thoroughly train users in how to respond to and interact with communications and with unknown personnel.

Know what inappropriate activities are. Inappropriate activities are actions that may take place on a computer or over the IT infrastructure and that may not be actual crimes but are often grounds for internal punishments or termination. Some types of inappropriate activities include creating or viewing inappropriate content, sexual and racial harassment, waste, and abuse.

Know that errors and omissions can cause security problems. One of the most common vulnerabilities, and one of the hardest to protect against, is errors and omissions. Errors and omissions occur because humans interact with, program, control, and provide data for IT. There are no direct countermeasures to prevent all errors and omissions. Some safeguards against errors and omissions include input validation and user training. However, these mechanisms offer only a minimal reduction in the overall errors and omissions encountered in an IT environment.

Chapter 14 Auditing and Monitoring

Understand fraud and theft. Fraud and theft are criminal activities that can be perpetrated over computers or made possible by computers. Most of the access controls deployed in a secured environment will reduce fraud and theft, but not every form of these crimes can be predicted and protected against. Both internal authorized users and external unauthorized intruders can exploit your IT infrastructure to perform various forms of fraud and theft. Maintaining an intensive auditing and monitoring program and prosecuting all criminal incidents will help reduce fraud and theft.

Know what collusion is. Collusion is an agreement among multiple people to perform an unauthorized or illegal action. It is hindered by separation of duties, restricted job responsibilities, audits, and job rotation, which all reduce the likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme due to the higher risk of detection.
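One way to make collusion more expensive, as an added example that is not from the study guide: a privileged action requires approvals from two distinct principals holding an approver role, the requester may never be one of them, and every decision, refusals included, is written to an audit trail so that an attempted abuse is itself recorded. The role table, the action, the two-approver threshold and the names are assumptions made for this example.

```python
"""Separation-of-duties gate for a privileged action (added example, not from the study guide)."""
from dataclasses import dataclass, field
from typing import List


class PolicyViolation(Exception):
    """Raised when an approval would breach separation of duties."""


# Assumed role assignments for the example; a real deployment would read
# these from the identity provider or authorization service.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"requester", "approver"},
}
REQUIRED_APPROVALS = 2  # assumption: two distinct approvers for this action class


@dataclass
class Request:
    request_id: str
    requester: str
    amount: int
    approvals: List[str] = field(default_factory=list)


def _record(audit, req, actor, outcome, reason):
    """Append one decision to the audit trail (a plain list here)."""
    audit.append({"request": req.request_id, "actor": actor,
                  "outcome": outcome, "reason": reason})


def approve(req, approver, roles=ROLES, audit=None):
    """Register one approval, enforcing separation of duties.

    Returns the number of approvals collected so far. Refusals are audited
    before the exception is raised, so a colluder's attempt leaves a trace.
    """
    if audit is None:
        audit = []
    if "approver" not in roles.get(approver, set()):
        _record(audit, req, approver, "refused", "no approver role")
        raise PolicyViolation(f"{approver} holds no approver role")
    if approver == req.requester:
        _record(audit, req, approver, "refused", "self-approval")
        raise PolicyViolation(f"{approver} may not approve their own request")
    if approver in req.approvals:
        _record(audit, req, approver, "refused", "duplicate approval")
        raise PolicyViolation(f"{approver} has already approved {req.request_id}")
    req.approvals.append(approver)
    _record(audit, req, approver, "approved",
            f"{len(req.approvals)}/{REQUIRED_APPROVALS}")
    return len(req.approvals)


def is_authorized(req, required=REQUIRED_APPROVALS):
    """True once enough distinct approvers, none of them the requester, have signed."""
    distinct = set(req.approvals) - {req.requester}
    return len(distinct) >= required


if __name__ == "__main__":
    trail = []
    req = Request("TX-1001", "alice", 250_000)
    for who in ("alice", "bob", "bob", "carol"):
        try:
            approve(req, who, audit=trail)
        except PolicyViolation as exc:
            print("refused:", exc)
    print("authorized:", is_authorized(req))
    for entry in trail:
        print(entry)
```

Note that dave holds both roles, yet `approve` still refuses his own request; the check is on the identity of the requester, not on role membership, which is what makes a single insider insufficient and forces a second, recorded participant.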

Understand employee sabotage. Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access to manipulate critical aspects of the environment, and has become disgruntled. Safeguards against employee sabotage are intensive auditing, monitoring for abnormal or unauthorized activity, keeping lines of communication open between employees and managers, and properly compensating and recognizing employees for excellence and extra work.

Know how loss of physical and infrastructure support can cause security problems. The loss of physical and infrastructure support is caused by power outages, natural disasters, communication interruptions, severe weather, loss of any core utility or service, disruption of transportation, strikes, and national emergencies. It is nearly impossible to predict and protect against events of physical and infrastructure support loss. Disaster recovery and business continuity planning can provide restoration methods if the loss event is severe. In most cases, you must simply wait until the emergency or condition subsides and things return to normal.

Understand espionage. Espionage is the malicious act by an internal employee of gathering proprietary, secret, private, sensitive, or confidential information about an organization for the express purpose of disclosing and often selling that data to a competitor or other interested organization (such as a foreign government). Countermeasures against espionage are to strictly control access to all nonpublic data, thoroughly screen new employee candidates, and efficiently track the activities of all employees.

Review Questions

1. What is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?
A. Penetration testing
B. Auditing
C. Risk analysis
D. Entrapment

2. Which of the following is not considered a type of auditing activity?
A. Recording of event data
B. Data reduction
C. Log analysis
D. Deployment of countermeasures

3. Monitoring can be used to perform all but which of the following?
A. Detect availability of new software patches
B. Detect malicious actions by subjects
C. Detect attempted intrusions
D. Detect system failures

4. What provides data for re-creating step-by-step the history of an event, intrusion, or system failure?
A. Security policies
B. Log files
C. Audit reports
D. Business continuity planning

5. What is the frequency of an IT infrastructure security audit or security review based on?
A. Asset value
B. Management discretion
C. Risk
D. Level of realized threats

6. Failure to perform which of the following can result in the perception that due care is not being maintained?
A. Periodic security audits
B. Deployment of all available safeguards
C. Performance reviews
D. Creating audit reports for shareholders


7. Audit trails are considered to be what type of security control?
A. Administrative
B. Passive
C. Corrective
D. Physical

8. Which essential element of an audit report is not considered to be a basic concept of the audit?
A. Purpose of the audit
B. Recommendations of the auditor
C. Scope of the audit
D. Results of the audit

9. Why should access to audit reports be controlled and restricted?
A. They contain copies of confidential data stored on the network.
B. They contain information about the vulnerabilities of the system.
C. They are useful only to upper management.
D. They include the details about the configuration of security controls.

10. What are used to inform would-be intruders or those who attempt to violate security policy that their intended activities are restricted and that any further activities will be audited and monitored?
A. Security policies
B. Interoffice memos
C. Warning banners
D. Honey pots

11. Which of the following focuses more on the patterns and trends of data rather than the actual content?
A. Keystroke monitoring
B. Traffic analysis
C. Event logging
D. Security auditing

12. Which of the following activities is not considered a valid form of penetration testing?
A. Denial of service attacks
B. Port scanning
C. Distribution of malicious code
D. Packet sniffing


13. The act of searching for unauthorized modems is known as ___________________.
A. Scavenging
B. Espionage
C. System auditing
D. War dialing

14. Which of the following is not a useful countermeasure to war dialing?
A. Restricted and monitored Internet access
B. Imposing strong remote access security
C. Callback security
D. Call logging

15. The standard for study and control of electronic signals produced by various types of electronic hardware is known as ___________________.
A. Eavesdropping
B. TEMPEST
C. SESAME
D. Wiretapping

16. Searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information is known as ___________________.
A. Impersonation
B. Dumpster diving
C. Social engineering
D. Inference

17. Which of the following is not an effective countermeasure against inappropriate content being hosted or distributed over a secured network?
A. Activity logging
B. Content filtering
C. Intrusion detection system
D. Penalties and termination for violations

18. One of the most common vulnerabilities of an IT infrastructure and hardest to protect against is the occurrence of ___________________.
A. Errors and omissions
B. Inference
C. Data destruction by malicious code
D. Data scavenging


19. The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as ___________________.
A. Espionage
B. Entrapment
C. Sabotage
D. Permutation

20. What is the most common reaction to the loss of physical and infrastructure support?
A. Deploying OS updates
B. Vulnerability scanning
C. Waiting for the event to expire
D. Tightening of access controls

Answers to Review Questions

1. B. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes.

2. D. Deployment of countermeasures is not considered a type of auditing activity; rather, it's an active attempt to prevent security problems.

3. A. Monitoring is not used to detect the availability of new software patches.

4. B. Log files provide an audit trail for re-creating step-by-step the history of an event, intrusion, or system failure. An audit trail is used to reconstruct an event, to extract information about an incident, to prove or disprove culpability, and much more.

5. C. The frequency of an IT infrastructure security audit or security review is based on risk. You must establish the existence of sufficient risk to warrant the expense of and interruption caused by a security audit on a more or less frequent basis.

6. A. Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security.

7. B. Audit trails are a passive form of detective security control. Administrative, corrective, and physical security controls are active ways to maintain security.

8. B. Recommendations of the auditor are not considered basic and essential concepts to be included in an audit report. Key elements of an audit report include the purpose, scope, and results of the audit.

9. B. Audit reports should be secured because they contain information about the vulnerabilities of the system. Disclosure of such vulnerabilities to the wrong person could lead to security breaches.

10. C. Warning banners are used to inform would-be intruders or those who attempt to violate the security policy that their intended activities are restricted and that any further activities will be audited and monitored.

11. B. Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Such an analysis offers insight into primary communication routes, sources of encrypted traffic, location of primary servers, primary and backup communication pathways, amount of traffic supported by the network, typical direction of traffic flow, frequency of communications, and much more.
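The pattern-only analysis described in the answer to question 11, as an added example that is not part of the study guide: it works purely on flow metadata (who talked to whom, when, on which port, how many bytes) and never on payload, and from that alone infers the primary server, the busiest hour, the heaviest talker pair, the share of encrypted traffic and the share of bytes leaving the organization's address space. The flow records, the internal address range, and the use of destination port as a proxy for encryption are assumptions made for this example.

```python
"""Traffic analysis over flow records (added example, not from the study guide).

Everything derived here comes from metadata; no payload is inspected.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed flow records: timestamp, source, destination, destination
# port, bytes. Addresses and volumes are invented for this example.
FLOWS = """\
2004-03-03T09:00:01 10.0.0.5 10.0.1.10 443 5200
2004-03-03T09:00:05 10.0.0.6 10.0.1.10 443 4100
2004-03-03T09:01:10 10.0.0.7 10.0.1.10 443 3900
2004-03-03T09:03:22 10.0.0.5 10.0.1.20 25 1200
2004-03-03T09:10:00 10.0.0.8 10.0.1.10 80 2200
2004-03-03T10:15:30 10.0.0.5 198.51.100.9 22 88000
2004-03-03T10:16:00 10.0.0.5 198.51.100.9 22 91000
2004-03-03T10:40:12 10.0.0.9 10.0.1.20 25 900
2004-03-03T10:41:00 10.0.0.6 10.0.1.10 443 3000
"""

# Assumption: the organization's own address space, used to decide which
# bytes leave the network. A real deployment would load its actual ranges.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Assumption: these destination ports stand in for encrypted protocols;
# the analyst infers "encrypted" from the port, never by reading content.
ENCRYPTED_PORTS = {22, 443, 465, 993, 995}


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skips blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def analyze(flows):
    """Derive pattern-level facts from flows: the host serving the most
    distinct clients, the busiest hour by flow count, the heaviest
    source/destination pair, and the byte shares that are encrypted or
    that leave the internal address space."""
    clients = defaultdict(set)   # dst -> distinct sources seen
    pair_bytes = Counter()       # (src, dst) -> bytes
    hour_flows = Counter()       # "YYYY-MM-DDTHH" -> number of flows
    total = encrypted = external = 0
    for f in flows:
        clients[f["dst"]].add(f["src"])
        pair_bytes[(f["src"], f["dst"])] += f["bytes"]
        hour_flows[f["ts"][:13]] += 1
        total += f["bytes"]
        if f["dport"] in ENCRYPTED_PORTS:
            encrypted += f["bytes"]
        if ipaddress.ip_address(f["dst"]) not in INTERNAL:
            external += f["bytes"]
    top_server, top_clients = max(clients.items(), key=lambda kv: len(kv[1]))
    busiest_hour, busiest_count = hour_flows.most_common(1)[0]
    top_pair, top_pair_bytes = pair_bytes.most_common(1)[0]
    return {
        "top_server": (top_server, len(top_clients)),
        "busiest_hour": (busiest_hour, busiest_count),
        "top_pair": (top_pair, top_pair_bytes),
        "encrypted_bytes_share": round(encrypted / total, 3),
        "external_bytes_share": round(external / total, 3),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_flows(FLOWS)).items():
        print(f"{key}: {value}")
```

On the constructed data the fan-in identifies 10.0.1.10 as the primary server, while the byte counts show that one workstation accounts for almost all bytes leaving the network, over SSH, outside the busy hour. None of that required decrypting anything, which is exactly why traffic analysis is worth both performing as a defender and defending against (for example with padding or cover traffic) when the pattern itself is sensitive.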

12. C. Distribution of malicious code will almost always result in damage or loss of assets. Thus, it is not an element of penetration testing under any circumstance, even if it's done with the approval of upper management.

13. D. War dialing is the act of searching for unauthorized modems that will accept inbound calls on an otherwise secure network in an attempt to gain access.

14. A. Users often install unauthorized modems because of restricted and monitored Internet access. Because war dialing is often used to locate unauthorized modems, restricting and monitoring Internet access wouldn't be an effective countermeasure.


15. B. TEMPEST is the standard that defines the study and control of electronic signals produced by various types of electronic hardware.

16. B. Dumpster diving is the act of searching through the refuse, remains, or leftovers from an organization or operation to discover or infer confidential information.

17. C. An IDS is not a countermeasure against inappropriate content.

18. A. One of the most common vulnerabilities and hardest to protect against is the occurrence of errors and omissions.

19. C. The willful destruction of assets or elements within the IT infrastructure as a form of revenge or justification for perceived wrongdoing is known as sabotage.

20. C. In most cases, you must simply wait until the emergency or condition expires and things return to normal.

Chapter 15 Business Continuity Planning

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Business Continuity Planning

Project Scope and Planning

Business Impact Assessment

Containment Strategy

Despite our best wishes, disasters of one form or another eventually strike every organization. Whether it's a natural disaster like a hurricane or earthquake or a manmade disaster like a riot or explosion, every organization will encounter events that threaten its very existence. Strong organizations have plans and procedures in place to help mitigate the effects a disaster has on their continuing operations and to speed the return to normal operations. Recognizing the importance of planning for business continuity and disaster recovery, (ISC)2 designated these two processes as the eighth domain of the Common Body of Knowledge for the CISSP program. Knowledge of these fundamental topics will help you prepare for the exam and help you prepare your organization for the unexpected.

In this chapter, we’ll explore the concepts behind Business Continuity Planning. Chapter 16, “Disaster Recovery Planning,” will continue our discussion.

Business Continuity Planning

Business Continuity Planning (BCP) involves the assessment of a variety of risks to organizational processes and the creation of policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. Disaster Recovery Planning (DRP), on the other hand, describes the actions an organization will take to resume normal operations after a disaster interrupts normal activity.

The BCP process, as defined by (ISC)2, has four main steps:

Project Scope and Planning

Business Impact Assessment

Continuity Planning

Approval and Implementation

The next three sections of this chapter cover each of these phases in detail. The last portion of this chapter will introduce some of the critical elements you should take under consideration when compiling documentation of your organization’s business continuity plan.

Project Scope and Planning

As with any formalized business process, the development of a strong business continuity plan requires the use of a proven methodology. This requires a structured analysis of the business’s
