426 Appendix ■ Answers
76. C. A Security Information and Event Management (SIEM) tool is designed to provide
automated analysis and monitoring of logs and security events. A SIEM tool that receives
access to logs can help detect and alert on events like logs being purged or other breach
indicators. An IDS can help detect intrusions, but IDSs are not typically designed to
handle central logs. A central logging server can receive and store logs but won’t help with
analysis without taking additional actions. Syslog is simply a log format.
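As an added illustration of the point in answer 76 (not code from the book): two SIEM-style correlation rules run over a handful of log events. The first flags events that explicitly record a log being cleared; the second flags a host that was reporting and then went silent, which is how a purge or a disabled log forwarder often shows up in a central log store. Windows Event IDs 1102 (Security log cleared) and 104 (System log cleared) are real identifiers; every host name, user name, timestamp and message below is constructed for the example.

```python
import re
from collections import defaultdict

# Windows event IDs that record a log being cleared: 1102 (Security log), 104 (System log).
LOG_CLEARED_EVENT_IDS = {1102, 104}
# Generic text match for appliances and other sources that report a cleared log.
LOG_CLEARED_PATTERN = re.compile(r"\blog (?:file )?was cleared\b", re.IGNORECASE)

# Constructed sample events (hypothetical hosts, users and messages).
# "ts" is seconds since the start of the capture.
SAMPLE_EVENTS = [
    {"ts": 0,   "host": "ws01",  "event_id": 4624, "msg": "An account was successfully logged on."},
    {"ts": 60,  "host": "ws01",  "event_id": 1102, "user": "jdoe", "msg": "The audit log was cleared."},
    {"ts": 90,  "host": "srv02", "event_id": None, "msg": "sshd[1201]: Accepted publickey for ops"},
    {"ts": 120, "host": "srv02", "event_id": None, "msg": "auditd: Audit daemon rotating log files"},
    {"ts": 200, "host": "fw01",  "event_id": None, "user": "admin", "msg": "Event log file was cleared"},
    {"ts": 400, "host": "ws01",  "event_id": 4672, "msg": "Special privileges assigned to new logon."},
    {"ts": 500, "host": "fw01",  "event_id": None, "msg": "Connection permitted 192.0.2.10 -> 198.51.100.7:443"},
    {"ts": 700, "host": "ws01",  "event_id": 4624, "msg": "An account was successfully logged on."},
    {"ts": 800, "host": "fw01",  "event_id": None, "msg": "Connection permitted 192.0.2.11 -> 198.51.100.7:443"},
]


def detect_log_clearing(events):
    """Return one alert per event that indicates a log was cleared.

    Matches either a known Windows event ID or a free-text message such as an
    appliance's 'log file was cleared'. Routine rotation messages do not match.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") in LOG_CLEARED_EVENT_IDS or LOG_CLEARED_PATTERN.search(ev["msg"]):
            alerts.append({
                "rule": "log_cleared",
                "host": ev["host"],
                "ts": ev["ts"],
                "user": ev.get("user", "unknown"),
            })
    return alerts


def detect_silent_hosts(events, window):
    """Flag hosts that produced events in one time bucket and none in the next.

    Buckets are fixed-size intervals of `window` seconds measured from the
    earliest event. A host that stops reporting while others continue is a
    cheap indicator that its logs were purged or forwarding was disabled.
    """
    if not events:
        return []
    start = min(e["ts"] for e in events)
    counts = defaultdict(lambda: defaultdict(int))  # host -> bucket index -> event count
    for ev in events:
        counts[ev["host"]][(ev["ts"] - start) // window] += 1
    last_bucket = (max(e["ts"] for e in events) - start) // window
    alerts = []
    for host, buckets in counts.items():
        for b in range(last_bucket):  # every bucket that has a following bucket
            if buckets[b] > 0 and buckets[b + 1] == 0:
                alerts.append({"rule": "host_went_silent", "host": host, "bucket": b + 1})
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_EVENTS) + detect_silent_hosts(SAMPLE_EVENTS, window=300):
        print(alert)
```

With the sample data the first rule fires for ws01 (Event ID 1102 by jdoe) and fw01 (text match), and the second rule fires once for srv02, which logged in the first five-minute bucket and nothing afterwards. Neither rule would be available to a plain central log server or an IDS without this kind of analysis layer on top.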
77. B. Requiring authentication can help provide accountability by ensuring that any
action taken can be tracked back to a specific user. Storing logs centrally ensures
that users can’t erase the evidence of actions that they have taken. Log review can be
useful when identifying issues, but digital signatures are not a typical part of a logging
environment. Logging the use of administrative credentials helps for those users
but won’t cover all users, and encrypting the logs doesn’t help with accountability.
Authorization helps, but being able to specifically identify users through authentication
is more important.
78. B. Port Address Translation (PAT) is used to allow a network to use any IP address set inside without causing a conflict with the public Internet. PAT is often confused with Network Address Translation (NAT), which maps one internal address to one external address. IPsec is a security protocol suite, software-defined networking (SDN) is a method of defining networks programmatically, and IPX is a non-IP network protocol.
79. C. Each of the precautions listed helps to prevent social engineering by helping prevent exploitation of trust. Avoiding voice-only communications is particularly important, since establishing identity over the phone is difficult. The other listed attacks would not be prevented by these techniques.
80. C. L2TP is the only one of the four common VPN protocols that can natively support non-IP protocols. PPTP, L2F, and IPsec are all IP-only protocols.
81. D. Remnant data is data that is left after attempts have been made to remove or erase it. Bitrot is a term used to describe aging media that decays over time. MBR is the master boot record, a boot sector found on hard drives and other media. Leftover data is not an industry term.
82. C. During a parallel test, the team activates the disaster recovery site for testing but the primary site remains operational. A simulation test involves a roleplay of a prepared scenario overseen by a moderator. Responses are assessed to help improve the organization's response process. The checklist review is the least disruptive type of disaster recovery test. During a checklist review, team members each review the contents of their disaster recovery checklists on their own and suggest any necessary changes. During a tabletop exercise, team members come together and walk through a scenario without making any changes to information systems.
83. C. Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.