Flashcards in Law, Investigations, and Ethics Deck (111)
In the public sector, as opposed to the private sector, due care is usually determined by
A. Minimum standard requirements.
B. Legislative requirements.
C. Insurance rates.
D. Potential for litigation.
What is the minimum and customary practice of responsible protection of assets that affects a community or societal norm?
A. Due diligence
B. Risk mitigation
C. Asset protection
D. Due care
Explanation: “Due care and due diligence are terms that are used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible risks. So due diligence is understanding the current threats and risks and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.” Pg. 85 Shon Harris: All-in-One CISSP Certification
“The following list describes some of the actions required to show that due care is being properly practiced in a corporation:
Pg. 616 Shon Harris: All-in-One CISSP Certification
Under the standard of due care, failure to achieve the minimum standards would be considered
Explanation: Due Care: care which an ordinary prudent person would have exercised under the same or similar circumstances. "Due Care" and "Reasonable Care" are used interchangeably. Ronald Krutz The CISSP PREP Guide (gold edition) pg 896
Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:
A. the company is not a multi-national company
B. they have not exercised due care protecting computing resources
C. they have failed to properly insure computer resources against loss
D. the company does not prosecute the hacker that caused the breach
The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability exists when?
A. C L
D. C > L – (residual risk)
When companies come together to work in an integrated manner such as extranets, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility. These aspects should be defined in the contracts that each party signs. What describes this type of liability?
A. Cascade liabilities
B. Downstream liabilities
C. Down-flow liabilities
D. Down-set liabilities
Explanation: “When companies come together to work in an integrated manner, such as extranets and VANs, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability, and responsibility needed, which should be clearly defined in the contracts that each party signs. Auditing and testing should be performed to ensure that each party is indeed holding up its side of the bargain and that its technology integrates properly with all other parties. Interoperability can become a large, frustrating, and expensive issue in these types of arrangements.
If one of the companies does not provide the necessary level of protection and their negligence affects a partner they are working with, the affected company can sue the upstream company. For example, let’s say company A and company B have constructed an extranet. Company A does not put in controls to detect and deal with viruses. Company A gets infected with a destructive virus and it is spread to company B through the extranet. The virus corrupts critical data and causes massive disruption to company B’s production. Company B can sue company A for being negligent. Both companies need to make sure that they are doing their part to ensure that their activities, or lack of them, will not negatively affect another company, which is referred to as downstream liability.” Pg 616 Shon Harris: All-in-One CISSP Certification
The typical computer felons are usually persons with which of the following characteristics?
A. They have had previous contact with law enforcement
B. They conspire with others
C. They hold a position of trust
D. They deviate from the accepted norms of security
Which of the following is responsible for the most security issues?
A. Outside espionage
D. Equipment Failure
Hackers are most often interested in:
A. Helping the community in securing their networks
B. Seeing how far their skills will take them
C. Getting recognition for their actions
Which of the following categories of hackers poses the greatest threat?
A. Disgruntled employees
B. Student hackers
C. Criminal hackers
D. Corporate spies
Individuals whose sole aim is breaking into a computer system are referred to as:
D. None of the choices.
Explanation: Crackers are individuals who try to break into a computer system. The term was coined in the mid-80s by hackers who wanted to differentiate themselves from individuals whose sole purpose is to sneak through security systems. Whereas crackers sole aim is to break into secure systems, hackers are more interested in gaining knowledge about computer systems and possibly using this knowledge for playful pranks. Although hackers still argue that there's a big difference between what they do and what crackers do, the mass media has failed to understand the distinction, so the two terms -- hack and crack -- are often used interchangeably.
Which of the following tools is less likely to be used by a hacker?
D. John the ripper
Explanation: “Other security packages, such as the popular Tripwire data integrity assurance packages, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators of unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as COMMAND.COM, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system. These archive hash values are then compared to current computed values to detect any files that were modified between the two periods.” Pg. 224 Tittel: CISSP Study Guide
Which of the following tools is not likely to be used by a hacker?
Nmap – discovers systems and what services they are offering
Saint – vulnerability scanning and penetration testing
Nessus – vulnerability scanner
Tripwire – performs validation of system files
Supporting evidence used to help prove an idea or point is described as? It cannot stand on its own, but is used as a supplementary tool to help prove a primary piece of evidence:
A. Circumstantial evidence
B. Corroborative evidence
C. Opinion evidence
D. Secondary evidence
Which of the following would best describe secondary evidence?
A. Oral testimony by a non-expert witness
B. Oral testimony by an expert witness
C. A copy of a piece of evidence
D. Evidence that proves a specific act
Which of the following exceptions is less likely to make hearsay evidence admissible in court?
A. Records are collected during the regular conduct of business
B. Records are collected by senior or executive management
C. Records are collected at or near the time of occurrence of the act being investigated
D. Records are in the custody of the witness on a regular basis
Once evidence is seized, a law enforcement officer should emphasize which of the following?
A. chain of command
B. chain of custody
C. chain of control
D. chain of communications
Which of the following rules is less likely to allow computer evidence to be admissible in court?
A. It must prove a fact that is material to the case
B. Its reliability must be proven
C. The process for producing it must be documented
D. The chain of custody of evidence must show who collected, secured, controlled, handled, transported, and tampered with the evidence
A copy of evidence or oral description of its contents; not reliable as best evidence is what type of evidence?
A. Direct evidence
B. Circumstantial evidence
C. Hearsay evidence
D. Secondary evidence
What is defined as inference of information from other, intermediate, relevant facts?
A. Secondary evidence
B. Conclusive evidence
C. Hearsay evidence
D. Circumstantial evidence
In order to be able to successfully prosecute an intruder:
A. A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies.
B. A proper chain of custody of evidence has to be preserved
C. Collection of evidence has to be done following predefined procedures
D. Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence
Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness’s five senses?
A. direct evidence
B. best evidence
C. conclusive evidence
D. hearsay evidence
Explanation: As stated in the CISSP documentation, “If you want to achieve the validation or revalidation of the oral testimony of a witness, you need to provide physical, direct evidence to back up your statements and override the five senses of an oral testimony”. Circumstantial or corroborative evidence is not enough in this case; we need direct, relevant evidence backing up the facts.
In order to preserve a proper chain of custody of evidence?
A. Evidence has to be collected following predefined procedures in accordance with all laws and legal regulations
B. Law enforcement officials should be contacted for advice on how and when to collect critical information
C. Verifiable documentation indicating the sequence of individuals who have handled a piece of evidence should be available.
D. Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.
What is the primary reason for the chain of custody of evidence?
A. To ensure that no evidence is lost
B. To ensure that all possible evidence is gathered
C. To ensure that it will be admissible in court
D. To ensure that incidents were handled with due care and due diligence
Which element must computer evidence have to be admissible in court?
A. It must be relevant
B. It must be annotated
C. It must be printed
D. It must contain source code
Which kind of evidence would printed business records, manuals, and printouts classify as?
A. Direct evidence
B. Real evidence
C. Documentary evidence
D. Demonstrative evidence
Since disks and other magnetic media are only copies of the actual or original evidence, what type of evidence are they often considered to represent?
Which of the following is LEAST necessary when creating evidence tags detailing the chain of custody for electronic evidence?
A. The mode and means of transportation.
B. Notifying the person who owns the information being seized.
C. Complete description of the evidence, including quality if necessary.
D. Who received the evidence.
Explanation: The references indicate that transportation is important.
Each piece of evidence should be marked in some way with the date, time, initials of the collector, and a case number if one has been assigned...The pieces of evidence should then be sealed in a container and the container should be marked with the same information. The container should be sealed with evidence tape and if possible, the writing should be on the tape so a broken seal can be detected. - Shon Harris All-in-one CISSP Certification Guide pg 673
In many cases, it is not possible for a witness to uniquely identify an object in court. In those cases, a chain of evidence must be established. This involves everyone who handles evidence including the police who originally collect it, the evidence technicians who process it, and the lawyers who use it in court. The location of the evidence must be fully documented from the moment it was collected to the moment it appears in court to ensure that it is indeed the same item. This requires thorough labeling of evidence and comprehensive logs noting who had access to the evidence at specific times and the reasons they required such access." Pg. 593 Tittel: CISSP Study Guide.
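The two passages above describe the record a chain of custody has to produce: each item marked with date, time, collector initials and case number, and a log of every person who held it. What they leave implicit is how a later custodian proves the item is "indeed the same item". For digital evidence the usual answer is a hash recorded at acquisition and re-verified at every hand-off. The following added example, written for this page and not taken from the deck or the cited books, shows such a record; every name, case number, timestamp and evidence byte string in it is constructed.

```python
"""Chain-of-custody record for a seized digital artefact.

Added example, not from the flashcard deck or its cited books. Records the
marking fields the explanation lists (date/time, collector initials, case
number, description, transport) and re-hashes the item at every hand-off so an
integrity break is visible in the log itself. All values are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    when: str            # ISO-8601 timestamp of the hand-off
    released_by: str     # initials of the person giving up custody
    received_by: str     # initials of the person taking custody
    reason: str          # why custody changed (analysis, transport, court)
    hash_verified: bool  # did the receiver's hash match the acquisition hash?


@dataclass
class EvidenceRecord:
    case_number: str
    tag: str
    description: str
    collector_initials: str
    acquired_at: str
    acquisition_hash: str
    transport: str       # mode and means, e.g. "sealed bag, hand-carried"
    events: list[CustodyEvent] = field(default_factory=list)

    @property
    def current_custodian(self) -> str:
        return self.events[-1].received_by if self.events else self.collector_initials


def acquire(case_number: str, tag: str, description: str, collector: str,
            data: bytes, transport: str, when: str) -> EvidenceRecord:
    """Create the record at seizure time; the hash taken here is the reference
    every later custodian is measured against."""
    return EvidenceRecord(case_number, tag, description, collector, when,
                          sha256_hex(data), transport)


def transfer(rec: EvidenceRecord, to: str, reason: str, data_now: bytes, when: str) -> bool:
    """Log a hand-off. The receiver re-hashes the item; the outcome is recorded
    whether it matched or not, so a break is documented rather than hidden."""
    ok = sha256_hex(data_now) == rec.acquisition_hash
    rec.events.append(CustodyEvent(when, rec.current_custodian, to, reason, ok))
    return ok


def chain_intact(rec: EvidenceRecord) -> bool:
    """True only if every hand-off re-verified the acquisition hash."""
    return all(e.hash_verified for e in rec.events)


def demo() -> EvidenceRecord:
    """Constructed scenario: a clean hand-off to the examiner, then an item
    that no longer matches when it is produced for court."""
    image = b"constructed disk image bytes"
    rec = acquire("2024-0001", "E-01", "Laptop HDD image, 1 of 1", "AB",
                  image, "sealed evidence bag, hand-carried", "2024-01-01T09:00:00Z")
    transfer(rec, "CD", "forensic analysis", image, "2024-01-01T10:00:00Z")
    transfer(rec, "EF", "presentation in court", image + b"\x00", "2024-01-02T09:00:00Z")
    return rec


if __name__ == "__main__":
    r = demo()
    for e in r.events:
        print(f"{e.when} {e.released_by} -> {e.received_by} ({e.reason}) verified={e.hash_verified}")
    print("chain intact:", chain_intact(r))
```

Analysis is done on a working copy whose hash matches the acquisition hash, never on the sealed original, which is what option D in the prosecution question above is getting at. In practice the record is kept on paper or in a write-once system alongside the sealed container, and the acquisition hash is written on the evidence tag so it cannot be quietly replaced along with the media.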
The evidence life cycle covers the evidence gathering and application process. This life cycle has the following components:
Discovery and recognition
Protection
Recording
Collection
  Collect all relevant storage media
  Make image of hard disk before removing power
  Print out screen
  Avoid degaussing equipment
Identification
Preservation
  Protect magnetic media from erasure
  Store in proper environment
Transportation
Presentation in a court of law
Return of evidence to owner
Pg. 309 Krutz: The CISSP Prep Guide
The life cycle of evidence includes:
Collection and identification
Storage, preservation, and transportation
Presentation in court
Being returned to victim or owner
Pg 677 Shon Harris: All-In-One CISSP Certification Exam Guide
To be admissible in court, computer evidence must be which of the following?