CHAPTER 19 Questions Flashcards
Devin is revising the policies and procedures used by his organization to conduct investigations and would like to include a definition of computer crime. Which one of the following definitions would best meet his needs?
A. Any attack specifically listed in your security policy
B. Any illegal attack that compromises a protected computer
C. Any violation of a law or regulation that involves a computer
D. Failure to practice due diligence in computer security
C. Any violation of a law or regulation that involves a computer
A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer, either as the target or as a tool. Computer crimes may not be defined in an organization’s policy, since crimes are only defined in law. Illegal attacks are indeed crimes, but this is too narrow a definition. The failure to practice due diligence may be a liability but, in most cases, is not a criminal action.
What is the main purpose of a military and intelligence attack?
A. To attack the availability of military systems
B. To obtain secret and restricted information from military or law enforcement sources
C. To utilize military or intelligence agency systems to attack other, nonmilitary sites
D. To compromise military systems for use in attacks against other systems
B. To obtain secret and restricted information from military or law enforcement sources
A military and intelligence attack targets the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.
Which of the following is not a canon of the (ISC)2 Code of Ethics?
A. Protect your colleagues.
B. Provide diligent and competent service to principals.
C. Advance and protect the profession.
D. Protect society.
A. Protect your colleagues.
The Code of Ethics does not require that you protect your colleagues.
Which of the following are examples of financially motivated attacks? (Choose all that apply.)
A. Accessing services that you have not purchased
B. Disclosing confidential personal employee information
C. Transferring funds from an unapproved source into your account
D. Selling a botnet for use in a DDoS attack
A. Accessing services that you have not purchased
C. Transferring funds from an unapproved source into your account
D. Selling a botnet for use in a DDoS attack
A financial attack focuses primarily on obtaining services and funds illegally. Accessing services that you have not purchased is an example of obtaining services illegally. Transferring funds from an unapproved source is obtaining funds illegally, as is selling a botnet for use in DDoS attacks. Disclosing confidential information is not necessarily financially motivated.
Which of the following would not be a primary goal of a grudge attack?
A. Disclosing embarrassing personal information
B. Launching a virus on an organization’s system
C. Sending inappropriate email with a spoofed origination address of the victim organization
D. Using automated tools to scan the organization’s systems for vulnerable ports
D. Using automated tools to scan the organization’s systems for vulnerable ports
Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to “get back” at someone.
Which one of the following attacker actions is most indicative of a terrorist attack?
A. Altering sensitive trade secret documents
B. Damaging the ability to communicate and respond to a physical attack
C. Stealing unclassified information
D. Transferring funds to other countries
B. Damaging the ability to communicate and respond to a physical attack
A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack. Although terrorists may engage in other actions, such as altering information, stealing data, or transferring funds, as part of their attacks, these items alone are not indicators of terrorist activity.
What are the primary reasons attackers engage in thrill attacks? (Choose all that apply.)
A. Bragging rights
B. Money from the sale of stolen documents
C. Pride of conquering a secure system
D. Retaliation against a person or organization
A. Bragging rights
C. Pride of conquering a secure system
Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).
What is the most important rule to follow when collecting evidence?
A. Do not turn off a computer until you photograph the screen.
B. List all people present while collecting evidence.
C. Avoid the modification of evidence during the collection process.
D. Transfer all equipment to a secure storage location.
C. Avoid the modification of evidence during the collection process.
Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.
What would be a valid argument for not immediately removing power from a machine when an incident is discovered?
A. All of the damage has been done. Turning the machine off would not stop additional damage.
B. There is no other system that can replace this one if it is turned off.
C. Too many users are logged in and using the system.
D. Valuable evidence in memory will be lost.
D. Valuable evidence in memory will be lost.
The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.
What type of evidence refers to written documents that are brought into court to prove a fact?
A. Best evidence
B. Parol evidence
C. Documentary evidence
D. Testimonial evidence
C. Documentary evidence
Written documents brought into court to prove the facts of a case are referred to as documentary evidence. The best evidence rule states that when a document is used as evidence in a court proceeding, the original document must be introduced. The parol evidence rule states that when an agreement between parties is put into written form, the written document is assumed to contain all the terms of the agreement, and no verbal agreements may modify the written agreement. Testimonial evidence is evidence consisting of the testimony of a witness, either verbal testimony in court or written testimony in a recorded deposition.
Which one of the following investigation types has the highest standard of evidence?
A. Administrative
B. Civil
C. Criminal
D. Regulatory
C. Criminal
Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.
During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future?
A. Forensic analysis
B. Root cause analysis
C. Network traffic analysis
D. Fagan analysis
B. Root cause analysis
Root cause analysis seeks to identify the reason that an operational issue occurred. The root cause analysis often highlights issues that require remediation to prevent similar incidents in the future. Forensic analysis is used to obtain evidence from digital systems. Network traffic analysis is an example of a forensic analysis category. Fagan inspection is a software testing technique.
What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered?
A. Preservation
B. Production
C. Processing
D. Presentation
A. Preservation
Preservation ensures that potentially discoverable information is protected against alteration or deletion. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening. Presentation displays the information to witnesses, the court, and other parties.
Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs?
A. Real evidence
B. Documentary evidence
C. Parol evidence
D. Testimonial evidence
B. Documentary evidence
Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.
You are a law enforcement officer and you need to confiscate a PC from a suspected attacker who does not work for your organization. You are concerned that if you approach the individual, they may destroy evidence. What legal avenue is most appropriate?
A. Consent agreement signed by employees
B. Search warrant
C. No legal avenue necessary
D. Voluntary consent
B. Search warrant
In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.