The viewing of recorded events after the fact using a closed-circuit TV camera is considered a
Correct Answer: B
Section: Analysis and Monitoring Explanation/Reference: Detective security controls are like a burglar alarm. They detect and report an unauthorized or undesired event (or an attempted undesired event). Detective security controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection. Visual surveillance or recording devices such as closed circuit television are used in conjunction with guards in order to enhance their surveillance ability and to record events for future analysis or prosecution. When events are monitored, it is considered preventative whereas recording of events is considered detective in nature. Below you have explanations of other types of security controls from a nice guide produce by James Purcell (see reference below): Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example preventive controls follow: Policy - Unauthorized network connections are prohibited. Firewall - Blocks unauthorized network connections. Locked wiring closet - Prevents unauthorized equipment from being physically plugged into a network switch. Notice in the preceding examples that preventive controls crossed administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section. Corrective security controls are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples follow: Procedure to clean a virus from an infected system A guard checking and locking a door left unlocked by a careless employee Updating firewall rules to block an attacking IP address Note that in many cases the corrective security control is triggered by a detective security control. Recovery security controls are those controls that put a system back into production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape. Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline. Deterrent security controls are controls that discourage security violations. For instance, "Unauthorized Access Prohibited" signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access. Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or isolate that server on its own network segment. Note that there is a third popular taxonomy developed by NIST and described in NIST Special Publication 800- 53, "Recommended Security Controls for Federal Information Systems." NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families. Within each security control family are dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is one the CISSP should be aware of if you are employed within the US federal workforce. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 10: Physical security (page 340). and CISSP Study Guide By Eric Conrad, Seth Misenar, Joshua Feldman, page 50-52 and Security Control Types and Operational Security, James E. Purcell, http://www.giac.org/cissp-papers/207.pdf
Question 953
In a SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session?
Correct Answer: B
Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys. The master secret is then encrypted with the merchant's public key and sent to the server. The fact that the master secret is generated by the client's browser provides the client assurance that the server is not reusing keys that would have been used in a previous session with another client. Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 6: Cryptography (page 112). Also: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001, page 569.
Question 954
Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix?
Correct Answer: A
Section: Risk, Response and Recovery Explanation/Reference: Why is this the correct answer? Simply because it is WRONG, you would have contact information for your emergency personnel within the plan but NOT for ALL of your personnel. Be careful of words such as ALL. According to NIST's Special publication 800-34, contingency plan appendices provide key details not contained in the main body of the plan. The appendices should reflect the specific technical, operational, and management contingency requirements of the given system. Contact information for recovery team personnel (not all personnel) and for vendor should be included, as well as detailed system requirements to allow for supporting of system operations. The Business Impact Analysis (BIA) should also be included as an appendix for reference should the plan be activated. Reference(s) used for this question: SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), NIST Special Publication 800-34, Contingency Planning Guide for Information Technology Systems
Question 955
Which of the following would assist the most in Host Based intrusion detection?
Correct Answer: A
To assist in Intrusion Detection you would review audit logs for access violations. The following answers are incorrect: access control lists. This is incorrect because access control lists determine who has access to what but do not detect intrusions. security clearances. This is incorrect because security clearances determine who has access to what but do not detect intrusions. host-based authentication. This is incorrect because host-based authentication determine who have been authenticated to the system but do not dectect intrusions.
Question 956
An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
Correct Answer: B
Section: Access Control Explanation/Reference: Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.