CHAPTER 9

Question 1

The most common types of vulnerabilities, threats, and complexities are covered in the following sections, which we will explore one at a time:

Answer 1

• Information gathering
• Administrative interfaces
• Authentication and access control
• Input validation
• Parameter validation
• Session management

Question 2

To gain the benefits of remote access without taking on unacceptable risks, remote administration needs to take place securely. The following are just a few of the guidelines to use:

Answer 2

• Commands and data should not take place in cleartext (that is, they should be encrypted). For example, Secure Shell (SSH) should be used, not Telnet.
• Truly critical systems should be administered locally instead of remotely.
• Only a small number of administrators should be able to carry out this remote functionality.
• Strong authentication should be in place for any administration activities.
• Anyone who wears green shoes really should not be able to access these systems. They are weird.

Question 3

Closure of an incident is determined by the nature or category of the incident, the desired incident response outcome (for example, business resumption or system restoration), and the team’s success in determining the incident’s source and root cause. Once it is determined that the incident is closed, it is a good idea to have a team briefing that includes all groups affected by the incident to answer the following questions:

Answer 3

• What happened?
• What did we learn?
• How can we do it better next time?

Question 4

Whether the crime scene is physical or digital, it is important to control who comes in contact with the evidence of the crime to ensure its integrity. The following are just some of the steps that should take place to protect the crime scene:

Answer 4

• Only allow authorized individuals access to the scene. These individuals should have knowledge of basic crime scene analysis.
• Document who is at the crime scene.
• In court, the integrity of the evidence may be in question if there are too many people milling around.
• Document who were the last individuals to interact with the systems.
• If the crime scene does become contaminated, document it. The contamination may not negate the derived evidence, but it will make investigating the crime more challenging.

Question 5

The following are the minimum system requirements for the cryptography video sample:

Answer 5

• Windows 98, 800 MHz Pentium II, 24X CD-ROM drive, 64MB RAM, 800×600 monitor, millions of colors, QuickTime 5, Microsoft Internet Explorer 5 or Netscape Navigator 4.5, and speakers or headphones
• Macintosh OS 9.2.1, 450 MHz G3, 24X CD-ROM drive, 64MB RAM, 800×600 monitor, millions of colors, QuickTime 5, Microsoft Internet Explorer 5 or Netscape Navigator 4.5, and speakers or headphones.

Question 6

Vulnerability scanners provide the following capabilities:

Answer 6

• The identification of active hosts on the network
• The identification of active and vulnerable services (ports) on hosts
• The identification of applications and banner grabbing
• The identification of operating systems
• The identification of vulnerabilities associated with discovered operating systems and applications
• The identification of misconfigured settings
• Test for compliance with host applications’ usage/security policies
• The establishment of a foundation for penetration testing

Question 7

This chapter presents the following:

Answer 7

• Common software development issues
• Software development life cycles
• Secure software development approaches
• Change control and configuration management
• Programming language types
• Database concepts and security issues
• Expert systems and artificial intelligence
• Malware types and attacks

Question 8

Management needs to make the decision as to whether law enforcement should be called in to handle the security breach. The following are some of the issues to understand if law enforcement is brought in:

Answer 8

• Company loses control over investigation once law enforcement is involved.
• Secrecy of compromise is not promised; it could become part of public record.
• Effects on reputation need to be considered (the ramifications of this information reaching customers, shareholders, and so on).
• Evidence will be collected and may not be available for a long period of time. It may take a year or so to get into court.

Question 9

The following are the items you will most likely run into when taking the CISSP exam:

Answer 9

• Disk shadowing (mirroring)
• Redundant servers
• RAID, MAID, RAIT
• Clustering
• Backups
• Dual backbones
• Direct Access Storage Device
• Redundant power
• Mesh network topology instead of star, bus, or ring

Question 10

To ensure that forensics activities are carried out in a standardized manner, it is necessary for the team to follow specific laid-out steps so nothing is missed and thus ensure the evidence is admissible. Figure 9-5 illustrates the phases through a common investigation process. Each team or company may commonly come up with their own steps, but all should be essentially accomplishing the same things:

Answer 10

• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Decision