Law, Investigations, and Ethics Flashcards
In the public sector, as opposed to the private sector, due care is usually determined by A. Minimum standard requirements. B. Legislative requirements. C. Insurance rates. D. Potential for litigation.
Answer: B
Explanation:
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm? A. Due diligence B. Risk mitigation C. Asset protection D. Due care
Answer: D
Explanation: “Due care and due diligence are terms that are used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks. So due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.” Pg. 85 Shon Harris: All-in-One CISSP Certification
“The following list describes some of the actions required to show that due care is being properly practiced in a corporation:
Pg. 616 Shon Harris: All-in-One CISSP Certification
Under the standard of due care, failure to achieve the minimum standards would be considered A. Negligent B. Unethical C. Abusive D. Illegal
Answer: A
Explanation: Due Care: care which an ordinary prudent person would have exercised under the same or similar circumstances. “Due Care” and “Reasonable Care” are used interchangeably. Ronald Krutz The CISSP PREP Guide (gold edition) pg 896
Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:
A. the company is not a multi-national company
B. they have not exercised due care protecting computing resources
C. they have failed to properly insure computer resources against loss
D. the company does not prosecute the hacker that caused the breach
Answer: B
Explanation:
The criterion for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability exists when?
A. C < L
D. C > L – (residual risk)
Answer: A
Explanation:
When companies come together to work in an integrated manner such as extranets, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility. These aspects should be defined in the contracts that each party signs. What describes this type of liability? A. Cascade liabilities B. Downstream liabilities C. Down-flow liabilities D. Down-set liabilities
Answer: B
Explanation: “When companies come together to work in an integrated manner, such as extranets and VANs, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability, and responsibility needed, which should be clearly defined in the contracts that each party signs. Auditing and testing should be performed to ensure that each party is indeed holding up its side of the bargain and that its technology integrates properly with all other parties. Interoperability can become a large, frustrating, and expensive issue in these types of arrangements.
If one of the companies does not provide the necessary level of protection and their negligence affects a partner they are working with, the affected company can sue the upstream company. For example, let’s say company A and company B have constructed an extranet. Company A does not put in controls to detect and deal with viruses. Company A gets infected with a destructive virus and it is spread to company B through the extranet. The virus corrupts critical data and causes massive disruption to company B’s production. Company B can sue company A for being negligent. Both companies need to make sure that they are doing their part to ensure that their activities, or lack of them, will not negatively affect another company, which is referred to as downstream liability.” Pg. 616 Shon Harris: All-in-One CISSP Certification
The typical computer felons are usually persons with which of the following characteristics?
A. They have had previous contact with law enforcement
B. They conspire with others
C. They hold a position of trust
D. They deviate from the accepted norms of security
Answer: D
Explanation:
Which of the following is responsible for the most security issues? A. Outside espionage B. Hackers C. Personnel D. Equipment Failure
Answer: C
Explanation:
Hackers are most often interested in:
A. Helping the community in securing their networks
B. Seeing how far their skills will take them
C. Getting recognition for their actions
D. Money
Answer: B
Explanation:
Which of the following categories of hackers poses the greatest threat? A. Disgruntled employees B. Student hackers C. Criminal hackers D. Corporate spies
Answer: A
Explanation:
Individuals who have their sole aim as breaking into a computer system are being referred to as: A. Crackers B. Sniffers C. Hackers D. None of the choices.
Answer: A
Explanation: Crackers are individuals who try to break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas crackers’ sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there’s a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms – hack and crack – are often used interchangeably.
Which of the following tools is less likely to be used by a hacker? A. l0phtcrack B. Tripwire C. Crack D. John the ripper
Answer: B
Explanation: “Other security packages, such as the popular Tripwire data integrity assurance packages, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators of unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as COMMAND.COM, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system. These archive hash values are then compared to current computed values to detect any files that were modified between the two periods.” Pg. 224 Tittel: CISSP Study Guide
Which of the following tools is not likely to be used by a hacker? A. Nessus B. Saint C. Tripwire D. Nmap
Answer: C
Explanation:
Nmap – discovers systems and what services they are offering
Saint – vulnerability scanning and penetration testing
Nessus – vulnerability scanner
Tripwire – performs validation of system files
Supporting evidence used to help prove an idea or point is described as? It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence: A. Circumstantial evidence B. Corroborative evidence C. Opinion evidence D. Secondary evidence
Answer: B
Explanation:
Which of the following would best describe secondary evidence?
A. Oral testimony by a non-expert witness
B. Oral testimony by an expert witness
C. A copy of a piece of evidence
D. Evidence that proves a specific act
Answer: C
Explanation:
Which of the following exceptions is less likely to make hearsay evidence admissible in court?
A. Records are collected during the regular conduct of business
B. Records are collected by senior or executive management
C. Records are collected at or near the time of occurrence of the act being investigated
D. Records are in the custody of the witness on a regular basis
Answer: B
Explanation:
Once evidence is seized, a law enforcement officer should emphasize which of the following? A. chain of command B. chain of custody C. chain of control D. chain of communications
Answer: B
Explanation:
Which of the following rules is less likely to allow computer evidence to be admissible in court?
A. It must prove a fact that is material to the case
B. Its reliability must be proven
C. The process for producing it must be documented
D. The chain of custody of evidence must show who collected, secured, controlled, handled, transported, and tampered with the evidence
Answer: C
Explanation:
A copy of evidence or oral description of its contents; not reliable as best evidence is what type of evidence? A. Direct evidence B. Circumstantial evidence C. Hearsay evidence D. Secondary evidence
Answer: D
Explanation:
What is defined as inference of information from other, intermediate, relevant facts? A. Secondary evidence B. Conclusive evidence C. Hearsay evidence D. Circumstantial evidence
Answer: D
Explanation:
In order to be able to successfully prosecute an intruder:
A. A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies.
B. A proper chain of custody of evidence has to be preserved
C. Collection of evidence has to be done following predefined procedures
D. Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence
Answer: B
Explanation:
Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses? A. direct evidence B. best evidence C. conclusive evidence D. hearsay evidence
Answer: A
Explanation: As stated in the CISSP documentation, “If you want to achieve the validation or revalidation of the oral testimony of a witness, you need to provide physical, direct evidence to back up your statements and override the five senses of an oral testimony”. Circumstantial or corroborative evidence is not enough in this case; we need direct, relevant evidence backing up the facts.
In order to preserve a proper chain of custody of evidence?
A. Evidence has to be collected following predefined procedures in accordance with all laws and legal regulations
B. Law enforcement officials should be contacted for advice on how and when to collect critical information
C. Verifiable documentation indicating the sequence of individuals who have handled a piece of evidence should be available.
D. Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.
Answer: A
Explanation:
What is the primary reason for the chain of custody of evidence?
A. To ensure that no evidence is lost
B. To ensure that all possible evidence is gathered
C. To ensure that it will be admissible in court
D. To ensure that incidents were handled with due care and due diligence
Answer: C
Explanation:
Which element must computer evidence have to be admissible in court? A. It must be relevant B. It must be annotated C. It must be printed D. It must contain source code
Answer: A
Explanation:
Which kind of evidence would printed business records, manuals, and printouts classify as? A. Direct evidence B. Real evidence C. Documentary evidence D. Demonstrative evidence
Answer: B
Explanation:
Since disks and other magnetic media are only copies of the actual or original evidence, what type of evidence are they often considered to represent? A. Hearsay B. Irrelevant C. Incomplete D. Secondary
Answer: A
Explanation:
Which of the following is LEAST necessary when creating evidence tags detailing the chain of custody for electronic evidence?
A. The mode and means of transportation.
B. Notifying the person who owns the information being seized.
C. Complete description of the evidence, including quality if necessary.
D. Who received the evidence.
Answer: B
Explanation: The references indicate that transportation is important.
“Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned… The pieces of evidence should then be sealed in a container and the container should be marked with the same information. The container should be sealed with evidence tape and if possible, the writing should be on the tape so a broken seal can be detected.” - Shon Harris All-in-one CISSP Certification Guide pg 673
“In many cases, it is not possible for a witness to uniquely identify an object in court. In those cases, a chain of evidence must be established. This involves everyone who handles evidence including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court. The location of the evidence must be fully documented from the moment it was collected to the moment it appears in court to ensure that it is indeed the same item. This requires thorough labeling of evidence and comprehensive logs noting who had access to the evidence at specific times and the reasons they required such access.” Pg. 593 Tittel: CISSP Study Guide.
The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components:
* Discovery and recognition
* Protection
* Recording
* Collection: collect all relevant storage media; make an image of the hard disk before removing power; print out the screen; avoid degaussing equipment
* Identification
* Preservation: protect magnetic media from erasure; store in a proper environment
* Transportation
* Presentation in a court of law
* Return of evidence to owner
Pg. 309 Krutz: The CISSP Prep Guide
The life cycle of evidence includes
* Collection and identification
* Storage, preservation, and transportation
* Presentation in court
* Being returned to victim or owner
Pg 677 Shon Harris: All-In-One CISSP Certification Exam Guide
To be admissible in court, computer evidence must be which of the following? A. relevant B. decrypted C. edited D. incriminating
Answer: A
Explanation:
Computer-generated evidence is considered: A. Best evidence B. Second hand evidence C. Demonstrative evidence D. Direct evidence
Answer: B
Explanation: “Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence. Hearsay evidence is not normally admissible in court unless it has firsthand evidence that can be used to prove the evidence’s accuracy, trustworthiness, and reliability, such as a businessperson who generated the computer logs and collected them.” Pg. 630 Shon Harris: All-in-One CISSP Certification
Why would a memory dump be admissible as evidence in court?
A. Because it is used to demonstrate the truth of the contents
B. Because it is used to identify the state of the system
C. Because the state of the memory cannot be used as evidence
D. Because of the exclusionary rule
Answer: B
Explanation:
Evidence corroboration is achieved by
A. Creating multiple logs using more than one utility.
B. Establishing secure procedures for authenticating users.
C. Maintaining all evidence under the control of an independent source.
D. Implementing disk mirroring on all devices where log files are stored.
Answer: C
Explanation: Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence. - Shon Harris All-in-one CISSP Certification Guide pg 678
You are documenting a possible computer attack.
Which one of the following methods is NOT appropriate for legal record keeping?
A. A bound paper notebook.
B. An electronic mail document.
C. A personal computer in “capture” mode that prints immediately.
D. Microcassette recorder for verbal notes
Answer: D
Explanation:
Which one of the following is NOT a requirement before a search warrant can be issued?
A. There is a probable cause that a crime has been committed.
B. There is an expectation that evidence exists of the crime.
C. There is probable cause to enter someone’s home or business.
D. There is a written document detailing the anticipated evidence.
Answer: D
Explanation: “If a computer crime is suspected, it is important not to alert the suspect. A preliminary investigation should be conducted to determine whether a crime has been committed by examining the audit records and system logs, interviewing witnesses, and assessing the damage incurred… Search warrants are issued when there is a probable cause for the search and provide legal authorization to search a location for specific evidence.” -Ronald Krutz The CISSP PREP Guide (gold edition) pg 436
Once a decision is made to further investigate a computer crime incident, which one of the following is NOT employed?
A. Identifying what type of system is to be seized.
B. Identifying the search and seizure team members.
C. Identifying the cost of damage and a plan for its recovery.
D. Determining the risk that the suspect will destroy evidence.
Answer: C
Explanation: Costs and how to recover are not considered in a computer crime scene incident.
From a legal perspective, which of the following rules must be addressed when investigating a computer crime? A. Search and seizure B. Data protection C. Engagement D. Evidence
Answer: D
Explanation: “The gathering, control, storage and preservation of evidence are extremely critical in any legal investigation.” Pg 432 Krutz: The CISSP Prep Guide: Gold Edition.
Which of the following is not a problem regarding computer investigation issues?
A. Information is intangible
B. Evidence is difficult to gather
C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence
D. In many instances, an expert or specialist is required
Answer: D
Explanation:
Why is the investigation of computer crime involving malicious damage especially challenging?
A. Information stored in a computer is intangible evidence.
B. Evidence may be destroyed in an attempt to restore the system.
C. Isolating criminal activity in a detailed audit log is difficult.
D. Reports resulting from common user error often obscure the actual violation.
Answer: B
Explanation: The gathering, control, storage, and preservation of evidence are extremely critical in any legal investigation. Because evidence involved in a computer crime might be intangible and subject to easy modification without a trace, evidence must be carefully handled and controlled throughout its entire life cycle. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 432
After law enforcement is informed of a computer crime, the organization's investigators' constraints are A. removed. B. reduced. C. increased. D. unchanged.
Answer: C
Explanation: “On the other hand, there are also two major factors that may cause a company to shy away from calling in the authorities. First, the investigation will more than likely become public and may embarrass the company. Second, law enforcement authorities are bound to conduct an investigation that complies with the Fourth Amendment and other legal requirements that may not apply to a private investigation.” Pg. 529 Tittel: CISSP Study Guide
To understand the “whys” in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM? A. Opportunities B. Methods C. Motivation D. Means
Answer: B
Reference: pg 600 Shon Harris: All-in-One CISSP Certification
What category of law deals with regulatory standards that regulate performance and conduct? Government agencies create these standards, which are usually applied to companies and individuals within those companies. A. Standards law B. Conduct law C. Compliance law D. Administrative law
Answer: C
Explanation:
Something that is proprietary to a company and important for its survival and profitability is what type of intellectual property law? A. Trade Property B. Trade Asset C. Patent D. Trade Secret
Answer: D
Explanation:
Which of the following statements regarding trade secrets is false?
A. For a company to have a resource qualify as a trade secret, it must provide the company with some type of competitive value or advantage
B. The Trade Secret Law normally protects the expression of the idea of the resource.
C. Many companies require their employees to sign nondisclosure agreements regarding the protection of their trade secrets
D. A resource can be protected by law if it is not generally known and if it requires special skill, ingenuity, and/or expenditure of money and effort to develop it
Answer: B
Explanation:
Which category of law is also referenced as a Tort law? A. Civil law B. Criminal law C. Administrative law D. Public law
Answer: A
Explanation: