CISSP Official Practice Tests by Mike Chapple, David Seidl

378 Appendix ■ Answers


74. B. Not having enough log sources is not a key consideration in log management system design, although it may be a worry for security managers who can't capture the data they need. Log management system designs must take into account the volume of log data and the network bandwidth it consumes, the security of the data, and the amount of effort required to analyze the data.


75. B. The Common Platform Enumeration (CPE) component of SCAP provides a consistent way to refer to operating systems and other system components. The Common Vulnerabilities and Exposures (CVE) component provides a consistent way to refer to security vulnerabilities. The Common Weaknesses Enumeration (CWE) component helps describe the root causes of software flaws. The Open Vulnerability and Assessment Language (OVAL) standardizes steps of the vulnerability assessment process.
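To show what "a consistent way to refer to operating systems and other system components" buys a defender in practice, here is an added example (not from the book or from SCAP tooling) that parses CPE 2.3 formatted strings and uses them to match an affected-product name against an asset inventory. A CPE 2.3 name has 13 colon-separated fields (`cpe`, `2.3`, part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other); the part is `a` (application), `o` (operating system) or `h` (hardware), `*` means any value and `-` means not applicable, and a literal colon inside a value is escaped as `\:`. The matching here is simplified (exact fields plus `*` wildcards; `?` wildcards and full NA semantics are left out), and the inventory entries are constructed for the example.

```python
"""Parse CPE 2.3 formatted strings and match them against an inventory.

Added example, not code from the book or from any SCAP implementation.
Assumes the 13-field CPE 2.3 formatted-string layout and a simplified
matching rule ('*' in the pattern matches anything; other fields compare
as case-insensitive exact strings). Inventory names below are constructed.
"""
from typing import Dict, List

# Field names for positions 2..12 of a CPE 2.3 formatted string.
FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]


def split_unescaped(s: str, sep: str = ":") -> List[str]:
    """Split on `sep`, keeping a backslash-escaped character (e.g. '\\:') literal."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])      # escaped character stays inside the value
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe(name: str) -> Dict[str, str]:
    """Parse a CPE 2.3 formatted string into a dict keyed by field name."""
    parts = split_unescaped(name)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    if parts[2] not in ("a", "o", "h", "*", "-"):
        raise ValueError(f"invalid part value {parts[2]!r}")
    return dict(zip(FIELDS, parts[2:]))


def cpe_matches(pattern: str, target: str) -> bool:
    """True if `target` (an inventory item) falls under `pattern`.

    `pattern` is typically the affected-product name from a vulnerability
    record; '*' in the pattern matches any value of that field.
    """
    p, t = parse_cpe(pattern), parse_cpe(target)
    for field in FIELDS:
        if p[field] == "*":
            continue
        if p[field].lower() != t[field].lower():
            return False
    return True


# Constructed asset inventory expressed as CPE 2.3 names.
INVENTORY = [
    "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.51:*:*:*:*:*:*:*",
    "cpe:2.3:h:example_vendor:edge_router:-:*:*:*:*:*:*:*",
]


def find_affected(affected_pattern: str, inventory: List[str]) -> List[str]:
    """Return the inventory entries that match an affected-product CPE pattern."""
    return [n for n in inventory if cpe_matches(affected_pattern, n)]


if __name__ == "__main__":
    # Every version of the product, and one exact version, against the inventory.
    print(find_affected("cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", INVENTORY))
    print(find_affected("cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*", INVENTORY))
```

Because both the vulnerability feed and the inventory speak the same naming scheme, the match is a field-by-field comparison rather than fuzzy string matching on vendor marketing names, which is the point of CPE within SCAP.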

76. C. Rebooting a Windows machine results in an information log entry. Windows defines five types of events: errors, which indicate a significant problem; warnings, which may indicate future problems; information, which describes successful operation; success audits, which record successful security accesses; and failure audits, which record failed security access attempts.


77. C. Inconsistent time stamps are a common problem, often caused by improperly set time zones or by differences in how system clocks are set. In this case, a consistent time difference often indicates that one system uses local time and the other is using Greenwich Mean Time (GMT). Logs from multiple sources tend to cause problems with centralization and collection, whereas different log formats can create challenges in parsing log data. Finally, modified logs are often a sign of intrusion or malicious intent.
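The "consistent time difference" clue above is something a SIEM or a forensic analyst can test for directly. The following is an added example (not from the book) that correlates two constructed log sources by a shared request id, computes the timestamp gap for each pair, and classifies the result: a constant gap that is a whole multiple of 30 minutes points at a time-zone mismatch (one system writing local time, the other UTC/GMT), a constant but fractional gap points at unsynchronized clocks, and gaps that disagree with each other mean the sources cannot simply be shifted. The log formats, request ids and the 60-second jitter tolerance are assumptions made for the example.

```python
"""Detect a time-zone mismatch between two log sources.

Added example, not from the book. Pairs entries from two constructed logs by a
shared request id and inspects the per-pair timestamp difference. A constant
difference that is a multiple of 30 minutes indicates a zone mismatch; a constant
but fractional difference indicates clock drift; inconsistent differences mean
the sources cannot be aligned by a single shift.
"""
import re
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample data: a web server logging local time with no zone marker,
# and an application server logging UTC ('Z'). Both tag lines with a request id.
WEB_LOG = """\
2024-03-05 09:15:02 req=a1f3 GET /login 200
2024-03-05 09:15:09 req=b7c2 POST /login 302
2024-03-05 09:16:44 req=c9d1 GET /account 200
"""

APP_LOG = """\
2024-03-05T14:15:03Z req=a1f3 session created
2024-03-05T14:15:10Z req=b7c2 password verified
2024-03-05T14:16:45Z req=c9d1 account loaded
"""

WEB_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) req=(\w+)")
APP_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) req=(\w+)")


def parse_web(log):
    """Return {request_id: naive datetime} for the web log (zone unknown)."""
    out = {}
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if m:
            out[m.group(2)] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return out


def parse_app(log):
    """Return {request_id: aware UTC datetime} for the application log."""
    out = {}
    for line in log.splitlines():
        m = APP_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            out[m.group(2)] = ts.replace(tzinfo=timezone.utc)
    return out


def pairwise_offsets(web, app):
    """Offsets (app minus web) in seconds for request ids present in both logs.

    The naive web timestamps are provisionally treated as UTC so the raw gap shows.
    """
    offsets = []
    for rid, wts in web.items():
        if rid in app:
            gap = app[rid] - wts.replace(tzinfo=timezone.utc)
            offsets.append(gap.total_seconds())
    return offsets


def diagnose(offsets, jitter=60, granularity=1800):
    """Classify a list of offsets.

    ('timezone', hours)     all offsets agree within `jitter` seconds and the
                            median is a non-zero multiple of `granularity`
    ('drift', seconds)      offsets agree but are not a zone-sized step
    ('inconsistent', None)  offsets disagree with each other
    ('no-overlap', None)    no shared request ids
    """
    if not offsets:
        return ("no-overlap", None)
    mid = median(offsets)
    if max(abs(o - mid) for o in offsets) > jitter:
        return ("inconsistent", None)
    rounded = round(mid / granularity) * granularity
    if rounded != 0 and abs(mid - rounded) <= jitter:
        return ("timezone", rounded / 3600)
    return ("drift", mid)


def to_utc(naive_ts, offset_hours):
    """Re-label a naive local timestamp as UTC using the detected zone offset."""
    local_zone = timezone(timedelta(hours=-offset_hours))
    return naive_ts.replace(tzinfo=local_zone).astimezone(timezone.utc)


if __name__ == "__main__":
    web, app = parse_web(WEB_LOG), parse_app(APP_LOG)
    verdict = diagnose(pairwise_offsets(web, app))
    print(verdict)
    if verdict[0] == "timezone":
        for rid, ts in web.items():
            print(rid, to_utc(ts, verdict[1]).isoformat())
```

Once the offset is known the web log can be re-labelled to UTC and merged with the application log in true order, which is what centralized collection needs; a "drift" or "inconsistent" verdict instead points at NTP configuration or at the tampering the last sentence of the answer mentions.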


78. A. Authenticated scans use a read-only account to access configuration files, allowing more accurate testing of vulnerabilities. Web application scans, unauthenticated scans, and port scans don't have access to configuration files unless they are inadvertently exposed.

79. B. Microsoft's STRIDE threat assessment model places threats into one of six categories:

■ Spoofing—threats that involve user credentials and authentication, or falsifying legitimate communications
■ Tampering—threats that involve the malicious modification of data
■ Repudiation—threats that cause actions to occur that cannot be denied by a user
■ Information disclosure—threats that involve exposure of data to unauthorized individuals
■ Denial of service—threats that deny service to legitimate users
■ Elevation of privilege—threats that provide higher privileges to unauthorized users

Using role-based access controls (RBACs) for specific operations will help ensure that users cannot perform actions that they should not be able to. Auditing and logging can help detect abuse but won't prevent it, and data type checks, format checks, and whitelisting are all useful for preventing attacks like SQL injection and buffer overflow attacks but are not as directly aimed at authorization issues.