Take Assessment: Test 7 Topic 7
Name Test 7 Topic 7
1. You have 30 minutes to complete this test
2. You only have one attempt and must finish it once started
3. Answer all 6 questions
Timed Assessment This Test has a 30 minute timer.The elapsed time appears at the top right of the window.
A 1 minute warning will be displayed.
Multiple Attempts Not allowed. This Test can only be taken once.
Force Completion This Test must be completed now.
Which below are elements of a security audit and alarms model? (15.2)
A. System logs, email logs and apache logs
B. Operating system updates / patches, application updates / patches and anti virus updates
C. Audit analyzer, security reports, archives and security audit trail
D. None of the above
From the text, Stallings & Brown (2008), page 477 and 478, the elements of a security audit and alarms model are described as follows;
• Event discriminator: The is logic embedded into the software of the system that
monitors system activity and detects security-related events that it has been
configured to detect.
• Audit recorder: For each detected event, the event discriminator transmits the
information to an audit recorder. The model depicts this transmission as being in
the form of a message. The audit could also be done by recording the event in a
shared memory area.
• Alarm processor: Some of the events detected by the event discriminator are
defined to be alarm events. For such events an alarm is issued to an alarm
processor. The alarm processor takes some action based on the alarm. This action
is itself an auditable event and so is transmitted to the audit recorder.
• Security audit trail: The audit recorder creates a formatted record of each event
and stores it in the security audit trail.
• Audit analyzer: The security audit trail is available to the audit analyzer, which,
based on a pattern of activity, may define a new auditable event that is sent to the
audit recorder and may generate an alarm.
• Audit archiver: This is a software module that periodically extracts records from
the audit trail to create a permanent archive of auditable events.
• Archives: The audit archives are a permanent store of security-related events on
• Audit provider: The audit provider is an application and/or user interface to the
• Audit trail examiner: The audit trail examiner is an application or user who
examines the audit trail and the audit archives for historical trends, for computer
forensic purposes, and for other analysis.
• Security reports: The audit trail examiner prepares human-readable security
Which of the following *are* supported by the Cisco Systems' "Monitoring, Analysis and Response System (MARS)"?
A. Network devices: Cisco software
B. Firewall / VPN devices
C. Intrusion detection software
D. Anti virus
E. Applications: Apache IIS web servers
F. All of the above G. None of the above
Refer to your text, page 503, Computer Security Principles and Practice, Stalling & Brown, 2008.
Which of the following statements best describes "system-level audit trail"? (15.5)
A. traces the activity of individual users over time
B. captures data such as login attempts, both successful and unsuccessful, devices used, and OS functions performed
C. generated by equipment that controls physical access and then transmitted to a central host for subsequent storage and analysis
D. may be used to detect security violations within an application or to detect flaws in the application's interaction with the system
Four different categories of audit trails are;
System-level audit trails: captures data such as login attempts, both successful and unsuccessful, devices used, and OS functions performed
Application-level audit trails: may be used to detect security violations within an application or to detect flaws in the application's interaction with the system.
User-level audit trails: traces the activity of individual users over time.
Physical access audit trails: generated by equipment that controls physical access and then transmitted to a central host for subsequent storage and analysis.
Which of the following areas (categories of data) should audit data be collecting? (15.4)
A. deletion of objects
B. identification and authentication functions
C. printout of data
D. use of access rights to bypass a policy check
E. All of the above F. Only A, B and D above
All actions that may effect access to data are to be collected by audit data.
The following are all categories of data that audit data should collect;
• Introduction of objects within the security-related portion of the software into a
subject’s address space
• Deletion of objects
• Distribution or revocation of access rights or capabilities
• Changes to subject or object security attributes
• Policy checks performed by the security software as a result of a request by a
• The use of access rights to bypass a policy check
• Use of identification and authentication functions
• Security-related actions taken by an operator and/or authorized user (e.g.,
suppression of a protection mechanism)
• Import/export of data from/to removable media (e.g., printed output, tapes,
Which of the follow need to be understood to perform effective reviews and analysis of an organisation's systems audit logs?
A. characteristics of common attack techniques
B. organisations policies regarding acceptable use
C. the operating systems and major applications
D. security software used on hosts
E. brand computers purchased by each department of the organisation
F. All of the above
G. Only A, B, C and D above
The brand of computers purchased is not relevant, but all other points listed are needed to be understood to review and analyse an organisation's systems audit logs.
Refer to your text, page 498, Computer Security Principles and Practise, Stalling & Brown, 2008.
Audit logs that track user activity on an information system provide __________.
C. accountability D. authentication