CISSP (Chapter 9 - Legal, Regulations, Investigations, and Compliance) Flashcards
Which of the following does the Internet Architecture Board consider unethical?
A. Creating a computer virus
B. Entering information into a web page
C. Performing a penetration test on a host on the Internet
D. Disrupting Internet communications
D. The Internet Architecture Board (IAB) is a committee for Internet design, engineering, and management. It considers the use of the Internet to be a privilege that should be treated as such. The IAB considers the following acts unethical and unacceptable behavior:
• Purposely seeking to gain unauthorized access to Internet resources
• Disrupting the intended use of the Internet
• Wasting resources (people, capacity, and computers) through purposeful actions
• Destroying the integrity of computer-based information
• Compromising the privacy of others
• Negligence in the conduct of Internet-wide experiments
What is the study of computers and surrounding technologies and how they relate to crime?
A. Computer forensics
B. Computer vulnerability analysis
C. Incident handling
D. Computer information criteria
A. Computer forensics is a field that specializes in understanding and properly extracting evidence from computers and peripheral devices for the purpose of prosecution. Collecting this type of evidence requires a skill set and an understanding of several relevant laws.
Which of the following does the Internet Architecture Board consider unethical behavior?
A. Internet users who conceal unauthorized accesses
B. Internet users who waste computer resources
C. Internet users who write viruses
D. Internet users who monitor traffic
B. This question is similar to Question 1. The IAB has declared wasting computer resources through purposeful activities unethical because it sees these resources as assets that are to be available for the computing society.
After a computer forensics investigator seizes a computer during a crime investigation, what is the next step?
A. Label and put it into a container, and then label the container.
B. Dust the evidence for fingerprints.
C. Make an image copy of the disks.
D. Lock the evidence in the safe.
C. Several steps need to be followed when gathering and extracting evidence from a scene. Once a computer has been confiscated, the first thing the computer forensics team should do is make an image of the hard drive. The team will work from this image instead of the original hard drive so it stays in a pristine state and the evidence on the drive is not accidentally corrupted or modified.
A CISSP candidate signs an ethics statement prior to taking the CISSP examination. Which of the following would be a violation of the (ISC)2 Code of Ethics that could cause the candidate to lose his or her certification?
A. E-mailing information or comments about the exam to other CISSP candidates
B. Submitting comments on the questions of the exam to (ISC)2
C. Submitting comments to the board of directors regarding the test and content of the class
D. Conducting a presentation about the CISSP certification and what the certification means
A. A CISSP candidate and a CISSP holder should never discuss with others what was on the exam. This degrades the usefulness of the exam as a tool to test someone's true security knowledge. If this type of activity is uncovered, the person could be stripped of their CISSP certification.
If your company gives you a new PC and you find residual information about confidential company issues, what should you do based on the (ISC)2 Code of Ethics?
A. Contact the owner of the file and inform him about it. Copy it to a disk, give it to him, and delete your copy.
B. Delete the document because it was not meant for you.
C. Inform management of your findings so it can make sure this type of thing does not happen again.
D. E-mail it to both the author and management so everyone is aware of what is going on.
C. When dealing with the possible compromise of confidential company information or intellectual property, management should be informed and be involved as soon as possible. Management members are the ones who are ultimately responsible for this data and who understand the damage its leakage can cause. An employee should not attempt to address and deal with these issues on his own.
Why is it difficult to investigate computer crime and track down the criminal?
A. Privacy laws are written to protect people from being investigated for these types of crimes.
B. Special equipment and tools are necessary to detect these types of criminals.
C. Criminals can hide their identity and hop from one network to the next.
D. The police have no jurisdiction over the Internet.
C. Spoofing one's identity and being able to traverse anonymously through different networks and the Internet increase the complexity and difficulty of tracking down criminals who carry out computer crimes. It is very easy to commit many damaging crimes from across the country or world, and this type of activity can be difficult for law enforcement to track down.
Protecting evidence and providing accountability for who handled it at different steps during the investigation is referred to as what?
A. The rule of best evidence
B. Hearsay
C. Evidence safety
D. Chain of custody
D. Properly following the chain of custody for evidence is crucial for it to be admissible in court. A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to establish that it is sufficiently trustworthy to be presented as evidence in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.
If an investigator needs to communicate with another investigator but does not want the criminal to be able to eavesdrop on this conversation, what type of communication should be used?
A. Digitally signed messages
B. Out-of-band messages
C. Forensics frequency
D. Authentication and access control
B. Out-of-band communication means to communicate through some other type of communication channel. For example, if law enforcement agents are investigating a crime on a network, they should not share information through e-mail that passes along this network. The criminal may still have sniffers installed and thus be able to access this data.
Why is it challenging to collect and identify computer evidence to be used in a court of law?
A. The evidence is mostly intangible.
B. The evidence is mostly corrupted.
C. The evidence is mostly encrypted.
D. The evidence is mostly tangible.
A. The evidence in computer crimes usually comes straight from computers themselves. This means the data are held as electronic voltages, which are represented as binary bits. Some data can be held on hard drives and peripheral devices, and some data may be held in the memory of the system itself. This type of evidence is intangible in that it is not made up of objects one can hold, see, and easily understand. Other types of crimes usually have evidence that is more tangible in nature, and that is easier to handle and control.
The chain of custody of evidence describes who obtained the evidence and __________.
A. Who secured it and stole it
B. Who controlled it and broke it
C. Who secured it and validated it
D. Who controlled it and duplicated it
C. The chain of custody outlines a process to ensure that under no circumstance was there a possibility for the evidence to be tampered with. If the chain of custody is broken, there is a high probability that the evidence will not be admissible in court. If it is admitted, it will not carry as much weight.
Why is computer-generated documentation usually considered unreliable evidence?
A. It is primary evidence.
B. It is too difficult to detect prior modifications.
C. It is corroborative evidence.
D. It is not covered under criminal law, but it is covered under civil law.
B. It can be very difficult to determine if computer-generated material has been modified before it is presented in court. Since this type of evidence can be altered without being detected, the court cannot put a lot of weight on this evidence. Many times, computer-generated evidence is considered hearsay in that there is no firsthand proof backing it up.
Which of the following is a necessary characteristic of evidence for it to be admissible?
A. It must be real.
B. It must be noteworthy.
C. It must be reliable.
D. It must be important.
C. For evidence to be admissible, it must be sufficient, reliable, and relevant to the case. For evidence to be reliable, it must be consistent with fact and must not be based on opinion or be circumstantial.
If a company deliberately planted a flaw in one of its systems in the hope of detecting an attempted penetration and exploitation of this flaw, what would this be called?
A. Incident recovery response
B. Entrapment
C. Illegal
D. Enticement
D. Companies need to be very careful about the items they use to entice intruders and attackers, because this may be seen as entrapment by the court. It is best to get the legal department involved before implementing these items. Putting a honeypot in place is usually seen as the use of enticement tools.
If an employee is suspected of wrongdoing in a computer crime, what department must be involved?
A. Human resources
B. Legal
C. Audit
D. Payroll
A. It is imperative that the company gets human resources involved if an employee is considered a suspect in a computer crime. This department knows the laws and regulations pertaining to employee treatment and can work to protect the employee and the company at the same time.