Page 1559 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs. Log analysis reviews log information looking for trends, patterns, and abnormal or unauthorized events. An alarm trigger is a notification sent to administrators when specific events or thresholds occur.
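The four techniques named in that answer (clipping level, sampling, log analysis, alarm trigger) applied to a constructed audit log, as an added example that is not part of the study guide; the event names, the business-hours window, and the thresholds are assumptions chosen for illustration:

```python
"""Added example (not from the study guide): clipping level, sampling,
log analysis and alarm triggers run over a constructed audit log."""
import random
from collections import Counter

# Constructed sample audit log: (timestamp "HH:MM", user, event). Not real data.
SAMPLE_LOG = [
    ("08:05", "alice", "login_failed"),
    ("08:06", "alice", "login_ok"),
    ("09:10", "bob", "login_failed"),
    ("09:11", "bob", "login_failed"),
    ("09:12", "bob", "login_failed"),
    ("09:13", "bob", "login_failed"),
    ("09:14", "bob", "login_failed"),
    ("09:15", "bob", "login_failed"),
    ("12:30", "carol", "file_read"),
    ("23:45", "dave", "file_read"),
    ("02:10", "dave", "config_change"),
    ("10:00", "erin", "login_ok"),
]


def clip_failed_logins(log, clipping_level=3):
    """Clipping level: record a user's failed logins only once the count
    reaches the threshold, so a single mistyped password is not logged."""
    failures = Counter(user for _, user, event in log if event == "login_failed")
    return {user: n for user, n in failures.items() if n >= clipping_level}


def sample_log(log, fraction=0.25, seed=42):
    """Sampling: a deterministic random subset of the log for review.
    The fixed seed is an assumption that keeps the example repeatable."""
    rng = random.Random(seed)
    k = max(1, round(len(log) * fraction))
    return rng.sample(log, k)


def find_abnormal_events(log, business_hours=(7, 19)):
    """Log analysis: flag events outside business hours (an assumed
    'abnormal' pattern; the window is a hypothetical policy)."""
    start, end = business_hours
    abnormal = []
    for ts, user, event in log:
        hour = int(ts.split(":")[0])
        if not (start <= hour < end):
            abnormal.append((ts, user, event))
    return abnormal


def alarm_triggers(clipped_counts, alarm_threshold=5):
    """Alarm trigger: users whose clipped count reaches the alarm threshold
    would cause a notification to administrators."""
    return sorted(user for user, n in clipped_counts.items() if n >= alarm_threshold)


if __name__ == "__main__":
    clipped = clip_failed_logins(SAMPLE_LOG)
    print("clipped:", clipped)
    print("sample:", sample_log(SAMPLE_LOG))
    print("abnormal:", find_abnormal_events(SAMPLE_LOG))
    print("alarm for:", alarm_triggers(clipped))
```

With the constructed log, alice's single failure is dropped by the clipping level, bob's six failures are both logged and alarmed, and dave's two off-hours events surface in the analysis step.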

16. B. Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Keystroke monitoring records specific keystrokes to capture data. Event logging logs specific events to record data. Security auditing records security events and/or reviews logs to detect security incidents.

17. B. A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.
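A minimal user entitlement audit, as an added example that is not part of the study guide: each account's granted privileges are compared with the privileges its role should carry, and the result is rendered as a report. The roles, privilege names and account records are constructed for illustration:

```python
"""Added example (not from the study guide): a user entitlement audit that
compares assigned privileges with a role baseline and reports the findings."""

# Constructed role baseline (hypothetical names): privileges each role should hold.
ROLE_BASELINE = {
    "helpdesk": {"read_tickets", "reset_password"},
    "developer": {"read_repo", "write_repo"},
    "dba": {"read_db", "write_db", "backup_db"},
}

# Constructed account records: user -> (role, privileges actually granted).
ACCOUNTS = {
    "alice": ("helpdesk", {"read_tickets", "reset_password"}),
    "bob": ("developer", {"read_repo", "write_repo", "write_db"}),
    "carol": ("dba", {"read_db"}),
    "dave": ("contractor", {"read_repo"}),
}


def entitlement_audit(accounts, baseline):
    """Compare each account with its role baseline.

    Returns excess privileges (the condition the audit exists to find),
    missing privileges (the role is under-provisioned), and accounts whose
    role has no baseline at all (cannot be judged without a policy)."""
    findings = {"excess": {}, "missing": {}, "unknown_role": []}
    for user, (role, granted) in sorted(accounts.items()):
        if role not in baseline:
            findings["unknown_role"].append(user)
            continue
        required = baseline[role]
        extra = granted - required
        missing = required - granted
        if extra:
            findings["excess"][user] = sorted(extra)
        if missing:
            findings["missing"][user] = sorted(missing)
    return findings


def render_report(findings):
    """Reporting is the output of the audit: one line per finding."""
    lines = []
    for user, privs in findings["excess"].items():
        lines.append(f"{user}: excess privileges {', '.join(privs)}")
    for user, privs in findings["missing"].items():
        lines.append(f"{user}: missing privileges {', '.join(privs)}")
    for user in findings["unknown_role"]:
        lines.append(f"{user}: role has no baseline")
    return lines


if __name__ == "__main__":
    for line in render_report(entitlement_audit(ACCOUNTS, ROLE_BASELINE)):
        print(line)
```

On the constructed data, bob is flagged for holding `write_db` outside his developer role, carol is under-provisioned for the dba role, and dave's contractor role has no baseline to compare against, which is itself a finding worth reporting.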

18. D. Security personnel should have gathered evidence for possible prosecution of the attacker. However, the incident response plan wasn't published, so the server administrator was unaware of the requirement. The first response after detecting and verifying an incident is to contain the incident, but it could have been contained without rebooting the server. The lessons learned stage includes review, and it is the last stage. Remediation includes a root cause analysis to determine what allowed the incident, but this is done late in the process. In this scenario, rebooting the server performed the recovery.

19. C. Attacking the IP address was the most serious mistake because it is illegal in most locations. Additionally, because attackers often use spoofing techniques, it probably isn't the actual IP address of the attacker. Rebooting the server without gathering evidence and not reporting the incident were mistakes but won't have a potential lasting negative effect on the organization. Resetting the connection to isolate the incident would have been a good step if it was done without rebooting the server.