Topic 3: Analysis and Monitoring
Which of the following is NOT a characteristic of a host-based intrusion detection system?
A.
A HIDS does not consume large amounts of system resources
B.
A HIDS can analyse system logs, processes and resources
C.
A HIDS looks for unauthorized changes to the system
D.
A HIDS can notify system administrators when unusual events are identified
A HIDS does not consume large amounts of system resources
"A HIDS does not consume large amounts of system resources" is the correct
choice. A HIDS can consume inordinate amounts of CPU and other system resources in order
to function effectively, especially while it is analysing an event.
All the other answers are characteristics of HIDSes.
A HIDS can:
- scrutinize event logs, critical system files, and other auditable system resources;
- look for unauthorized changes or suspicious patterns of behavior or activity;
- send alerts when unusual events are discovered.
Reference:
Official guide to the CISSP CBK. Pages 197 to 198.
Which of the following is the BEST way to detect software license violations?
A.
Implementing a corporate policy on copyright infringements and software use.
B.
Requiring that all PCs be diskless workstations.
C.
Installing metering software on the LAN so applications can be accessed through the
metered software.
D.
Regularly scanning PCs in use to ensure that unauthorized copies of software have not
been loaded on the PC.
Regularly scanning PCs in use to ensure that unauthorized copies of software have not
been loaded on the PC.
The best way to detect software license violations is to regularly scan the PCs in
use, either over the LAN or directly, to ensure that unauthorized copies of software have
not been loaded on them.
The other options are not detective controls:
A corporate policy is not necessarily enforced or followed by all employees.
Diskless workstations do not prevent installation, since software can be installed by means
other than floppies or CD-ROMs (from the LAN or downloaded from the Internet).
Software metering only covers applications that are registered with the metering software.
Source: Information Systems Audit and Control Association, Certified Information Systems
Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices
(page 108).
Which of the following is required in order to provide accountability?
A.
Authentication
B.
Integrity
C.
Confidentiality
D.
Audit trails
Audit trails
Accountability can actually be seen in two different ways:
1) Although audit trails are also needed for accountability, no user can be held accountable
for their actions unless properly authenticated.
2) Accountability is another facet of access control. Individuals on a system are responsible
for their actions. This accountability property enables system activities to be traced to the
proper individuals. Accountability is supported by audit trails that record events on the
system and network. Audit trails can be used for intrusion detection and for the
reconstruction of past events. Monitoring individual activities, such as keystroke monitoring,
should be accomplished in accordance with the company policy and appropriate laws.
Banners at the log-on time should notify the user of any monitoring that is being conducted.
The point is that unless you employ an appropriate auditing mechanism, you don't have
accountability. Authorization only gives a user certain permissions on the network.
Accountability is far more complex because it also includes intrusion detection,
unauthorized actions by both unauthorized users and authorized users, and system faults.
The audit trail provides the proof that unauthorized modifications by both authorized and
unauthorized users took place. No proof, No accountability.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Page 50.
The Shon Harris AIO book, 4th Edition, on Page 243 also states:
Auditing capabilities ensure users are accountable for their actions, verify that the security
policies are enforced, and can be used as investigation tools. Accountability is tracked by
recording user, system, and application activities.
This recording is done through auditing functions and mechanisms within an operating
system or application.
Audit trails contain information about operating system activities, application events, and
user actions.
In what way can violation clipping levels assist in violation tracking and analysis?
A.
Clipping levels set a baseline for acceptable normal user errors, and violations
exceeding that threshold will be recorded for analysis of why the violations occurred.
B.
Clipping levels enable a security administrator to customize the audit trail to record only
those violations which are deemed to be security relevant.
C.
Clipping levels enable the security administrator to customize the audit trail to record
only actions for users with access to user accounts with a privileged status.
D.
Clipping levels enable a security administrator to view all reductions in security levels
which have been made to user accounts which have incurred violations.
Clipping levels set a baseline for acceptable normal user errors, and violations
exceeding that threshold will be recorded for analysis of why the violations occurred.
Companies can set predefined thresholds for the number of certain types of
errors that will be allowed before the activity is considered suspicious. The threshold is a
baseline for violation activities that may be normal for a user to commit before alarms are
raised. This baseline is referred to as a clipping level.
The following are incorrect answers:
Clipping levels enable a security administrator to customize the audit trail to record only
those violations which are deemed to be security relevant. This is not the best answer: you
would not record ONLY security-relevant violations. All violations would be recorded, as well
as all actions performed by authorized users that do not trigger a violation. This allows you
to identify abnormal activities or fraud after the fact.
Clipping levels enable the security administrator to customize the audit trail to record only
actions for users with access to user accounts with a privileged status. Clipping levels apply
to all security violations, whether the user is a normal user or a privileged user.
Clipping levels enable a security administrator to view all reductions in security levels which
have been made to user accounts which have incurred violations. The keyword "ALL"
makes this answer wrong. Clipping levels may detect SOME but not all violations. For
example, application-level attacks may not be detected.
Reference(s) used for this question:
Harris, Shon (2012-10-18). CISSP All-in-One Exam Guide, 6th Edition (p. 1239). McGraw-
Hill. Kindle Edition.
and
TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation
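The threshold logic described above, as an added example that is not part of the page or its references: a Python script that keeps every event of a constructed audit trail, counts failed logins per user, and escalates only the users whose failures exceed a clipping level, either over the whole trail or within a sliding time window. The log format, user names, addresses and thresholds are all constructed for the example.

```python
"""Clipping-level tracking over an audit trail (added example, not from the page's sources).

Every event in the trail is retained; the clipping level only decides which
subjects are escalated for analysis because they exceeded the normal error rate.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit trail in a hypothetical sshd-like format (not real log data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 host1 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 host1 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:01:00 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:01:02 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:01:04 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:01:06 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:01:08 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:01:10 host1 sshd: Failed password for bob from 10.0.0.7
2024-03-01T08:02:00 host1 sshd: Failed password for carol from 10.0.0.9
2024-03-01T08:02:30 host1 sshd: Accepted password for carol from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Return every well-formed event as a dict; nothing is discarded at this stage."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_per_user(log_text):
    """Count failed authentications per user across the whole trail."""
    return Counter(e["user"] for e in parse_events(log_text) if e["outcome"] == "Failed")


def max_failures_in_window(times, window_seconds):
    """Largest number of failures that fall inside any window of window_seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def over_clipping_level(log_text, clipping_level, window_seconds=None):
    """Users whose failure count exceeds the clipping level, i.e. the violations
    that are escalated for analysis. Users at or below the level are treated as
    normal error activity and are not raised, although their events stay in the trail.
    With window_seconds set, the count is the worst burst rather than the lifetime total."""
    failures = defaultdict(list)
    for e in parse_events(log_text):
        if e["outcome"] == "Failed":
            failures[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for user, times in failures.items():
        n = len(times) if window_seconds is None else max_failures_in_window(times, window_seconds)
        if n > clipping_level:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print("failed logins:", dict(failed_logins_per_user(SAMPLE_LOG)))
    print("exceeding clipping level of 5:", over_clipping_level(SAMPLE_LOG, 5))
    print("more than 2 failures in any 5 s:", over_clipping_level(SAMPLE_LOG, 2, 5))
```

Note that the two users with one or two failures are never dropped from the trail; they simply are not escalated, which is the point of a clipping level as opposed to a filter on what gets recorded.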
Due care is not related to:
A.
Good faith
B.
Prudent man
C.
Profit
D.
Best interest
Profit
Officers and directors of a company are expected to act carefully in fulfilling
their tasks. A director shall act in good faith, with the care an ordinarily prudent person in a
like position would exercise under similar circumstances and in a manner he reasonably
believes is in the best interest of the enterprise. The notion of profit would tend to go
against the due care principle.
Source: ANDRESS, Mandy, Exam Cram CISSP, Coriolis, 2001, Chapter 10: Law,
Investigation, and Ethics (page 186).
Network-based Intrusion Detection systems:
A.
Commonly reside on a discrete network segment and monitor the traffic on that network
segment.
B.
Commonly will not reside on a discrete network segment and monitor the traffic on that
network segment.
C.
Commonly reside on a discrete network segment and does not monitor the traffic on that
network segment.
D.
Commonly reside on a host and and monitor the traffic on that specific host.
Commonly reside on a discrete network segment and monitor the traffic on that network
segment.
Network-based ID systems:
- Commonly reside on a discrete network segment and monitor the traffic on that network
segment
- Usually consist of a network appliance with a Network Interface Card (NIC) that is
operating in promiscuous mode and is intercepting and analyzing the network packets in
real time.
"A passive NIDS takes advantage of promiscuous mode access to the network, allowing it
to gain visibility into every packet traversing the network segment. This allows the system
to inspect packets and monitor sessions without impacting the network, performance, or
the systems and applications utilizing the network."
NOTE FROM CLEMENT:
A discrete network is a synonym for a SINGLE network. Usually the sensor will monitor a
single network segment; however, there are IDSs today that allow you to monitor multiple
LANs at the same time.
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 62.
and
Official (ISC)2 Guide to the CISSP CBK, Hal Tipton and Kevin Henry, Page 196
and
Additional information on IDS systems can be found here:
http://en.wikipedia.org/wiki/Intrusion_detection_system
A periodic review of user account management should not determine:
A.
Conformity with the concept of least privilege.
B.
Whether active accounts are still being used.
C.
Strength of user-chosen passwords.
D.
Whether management authorizations are up-to-date.
Strength of user-chosen passwords.
Organizations should have a process for (1) requesting, establishing, issuing,
and closing user accounts; (2) tracking users and their respective access authorizations;
and (3) managing these functions.
Reviews should examine the levels of access each individual has, conformity with the
concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth.
These reviews can be conducted on at least two levels: (1) on an application-by-application
basis, or (2) on a system wide basis.
The strength of user passwords is beyond the scope of a simple user account management
review, since it requires specific tools to try and crack the password file/database through
either a dictionary or brute-force attack in order to check the strength of passwords.
Reference(s) used for this question:
SWANSON, Marianne & GUTTMAN, Barbara, National Institute of Standards and
Technology (NIST), NIST Special Publication 800-14, Generally Accepted Principles and
Practices for Securing Information Technology Systems, September 1996 (page 28).
Which of the following is most likely to be useful in detecting intrusions?
A.
Access control lists
B.
Security labels
C.
Audit trails
D.
Information security policies
Audit trails
Explanation: If audit trails have been properly defined and implemented, they will record
information that can assist in detecting intrusions.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, Chapter 4: Access Control (page 186).
In an online transaction processing system (OLTP), which of the following actions should
be taken when erroneous or invalid transactions are detected?
A.
The transactions should be dropped from processing.
B.
The transactions should be processed after the program makes adjustments.
C.
The transactions should be written to a report and reviewed.
D.
The transactions should be corrected and reprocessed.
The transactions should be written to a report and reviewed.
Explanation: In an online transaction processing system (OLTP) all transactions are
recorded as they occur. When an erroneous or invalid transaction is detected, it should be
written to an exception report and reviewed, so that the cause is understood and the
transaction can be recovered from the logs rather than silently dropped or altered.
As explained in the ISC2 OIG:
OLTP is designed to record all of the business transactions of an organization as they
occur. It is a data processing system facilitating and managing transaction-oriented
applications. These are characterized as a system used by many concurrent users who are
actively adding and modifying data to effectively change real-time data.
OLTP environments are frequently found in the finance, telecommunications, insurance,
retail, transportation, and travel industries. For example, airline ticket agents enter data in
the database in real-time by creating and modifying travel reservations, and these are
increasingly joined by users directly making their own reservations and purchasing tickets
through airline company Web sites as well as discount travel Web site portals. Therefore,
millions of people may be accessing the same flight database every day, and dozens of
people may be looking at a specific flight at the same time.
The security concerns for OLTP systems are concurrency and atomicity.
Concurrency controls ensure that two users cannot simultaneously change the same data,
or that one user cannot make changes before another user is finished with it. In an airline
ticket system, it is critical for an agent processing a reservation to complete the transaction,
especially if it is the last seat available on the plane.
Atomicity ensures that all of the steps involved in the transaction complete successfully. If
one step should fail, then the other steps should not be able to complete. Again, in an
airline ticketing system, if the agent does not enter a name into the name data field
correctly, the transaction should not be able to complete.
OLTP systems should act as a monitoring system and detect when individual processes
abort, automatically restart an aborted process, back out of a transaction if necessary,
allow distribution of multiple copies of application servers across machines, and perform
dynamic load balancing.
A security feature uses transaction logs to record information on a transaction before it is
processed, and then mark it as processed after it is done. If the system fails during the
transaction, the transaction can be recovered by reviewing the transaction logs.
Checkpoint restart is the process of using the transaction logs to restart the machine by
running through the log to the last checkpoint or good transaction. All transactions following
the last checkpoint are applied before allowing users to access the data again.
Wikipedia has nice coverage on what is OLTP:
Online transaction processing, or OLTP, refers to a class of systems that facilitate and
manage transaction-oriented applications, typically for data entry and retrieval transaction
processing. The term is somewhat ambiguous; some understand a "transaction" in the
context of computer or database transactions, while others (such as the Transaction
Processing Performance Council) define it in terms of business or commercial transactions.
OLTP has also been used to refer to processing in which the system responds immediately
to user requests. An automatic teller machine (ATM) for a bank is an example of a
commercial transaction processing application.
The technology is used in a number of industries, including banking, airlines, mailorder,
supermarkets, and manufacturing. Applications include electronic banking, order
processing, employee time clock systems, e-commerce, and eTrading.
There are two security concerns for OLTP system: Concurrency and Atomicity
ATOMICITY
In database systems, atomicity (or atomicness) is one of the ACID transaction properties.
In an atomic transaction, a series of database operations either all occur, or nothing occurs.
A guarantee of atomicity prevents updates to the database occurring only partially, which
can cause greater problems than rejecting the whole series outright.
The etymology of the phrase originates in the Classical Greek concept of a fundamental
and indivisible component; see atom.
An example of atomicity is ordering an airline ticket where two actions are required:
payment, and a seat reservation. The potential passenger must either:
both pay for and reserve a seat; OR
neither pay for nor reserve a seat.
The booking system does not consider it acceptable for a customer to pay for a ticket
without securing the seat, nor to reserve the seat without payment succeeding.
CONCURRENCY
Database concurrency controls ensure that transactions occur in an ordered fashion.
The main job of these controls is to protect transactions issued by different
users/applications from the effects of each other. They must preserve the four
characteristics of database transactions ACID test: Atomicity, Consistency, Isolation, and
Durability. Read http://en.wikipedia.org/wiki/ACID for more details on the ACID test.
Thus concurrency control is an essential element for correctness in any system where two
or more database transactions, executed with time overlap, can access the same data,
i.e. virtually any general-purpose database system. A well-established concurrency
control theory exists for database systems, serializability theory, which allows concurrency
control methods and mechanisms to be designed and analyzed effectively.
Concurrency is not an issue in itself; it is the lack of proper concurrency controls that
makes it a serious issue.
The following answers are incorrect:
The transactions should be dropped from processing. Incorrect because dropping an invalid
transaction silently loses the evidence needed to find out why it was invalid; it should be
written to a report and reviewed.
The transactions should be processed after the program makes adjustments. Incorrect
because letting the program alter a transaction it has already flagged as invalid hides the
error and can propagate bad data; the transaction should be reported and reviewed first.
The transactions should be corrected and reprocessed. Incorrect because correction and
reprocessing may follow, but only after the transaction has been written to a report and
reviewed to determine the cause.
References:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third
Edition ((ISC)2 Press) (Kindle Locations 12749-12768). Auerbach Publications. Kindle
Edition.
and
http://en.wikipedia.org/wiki/Online_transaction_processing
and
http://databases.about.com/od/administration/g/concurrency.htm
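The atomicity, concurrency and exception-report behaviour described above, as an added example that is not part of the page's references: a Python script using the standard-library sqlite3 module with a constructed in-memory schema. The flight, seats, passengers and amounts are all made up. It records each request in a transaction log before processing it, commits payment and seat reservation together or not at all, guards the seat update against two agents racing for the last seat, and writes every rejected request to an exceptions table for review instead of dropping or adjusting it.

```python
"""Atomic OLTP-style booking with a transaction log and an exceptions report.

Added example, not from the page's references; uses Python's built-in sqlite3
with a constructed in-memory schema.
"""
import sqlite3


def setup():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE seats (flight TEXT, seat TEXT, passenger TEXT,
                            PRIMARY KEY (flight, seat));
        CREATE TABLE payments (flight TEXT, seat TEXT,
                               amount INTEGER NOT NULL CHECK (amount > 0));
        -- transaction log: the request is recorded before it is processed
        CREATE TABLE txlog (txid INTEGER PRIMARY KEY, request TEXT, status TEXT);
        -- exceptions report for human review
        CREATE TABLE exceptions (txid INTEGER, reason TEXT);
        INSERT INTO seats VALUES ('XY100', '1A', NULL), ('XY100', '1B', NULL);
    """)
    return con


def book(con, passenger, flight, seat, amount):
    """Process one booking request. Returns True if committed, False if it was
    rolled back and written to the exceptions report."""
    request = f"{passenger!r} {flight} {seat} {amount}"
    txid = con.execute(
        "INSERT INTO txlog (request, status) VALUES (?, 'pending')", (request,)
    ).lastrowid
    con.commit()
    try:
        with con:  # commit on success, roll back every step on any exception
            con.execute("INSERT INTO payments VALUES (?, ?, ?)", (flight, seat, amount))
            # The 'passenger IS NULL' guard is the concurrency control: two agents
            # racing for the last seat cannot both succeed in updating the row.
            cur = con.execute(
                "UPDATE seats SET passenger = ? WHERE flight = ? AND seat = ? "
                "AND passenger IS NULL",
                (passenger, flight, seat),
            )
            if cur.rowcount != 1:
                raise ValueError("seat not available")
            # Validated after the update on purpose, so a failure here shows the
            # payment and the reservation both being undone (atomicity).
            if not passenger:
                raise ValueError("passenger name missing")
        con.execute("UPDATE txlog SET status = 'processed' WHERE txid = ?", (txid,))
        con.commit()
        return True
    except (sqlite3.IntegrityError, ValueError) as exc:
        con.execute("UPDATE txlog SET status = 'rejected' WHERE txid = ?", (txid,))
        con.execute("INSERT INTO exceptions VALUES (?, ?)", (txid, str(exc)))
        con.commit()
        return False


def exceptions_report(con):
    """The report a reviewer works from: (txid, original request, reason)."""
    return con.execute(
        "SELECT e.txid, t.request, e.reason FROM exceptions e "
        "JOIN txlog t ON t.txid = e.txid ORDER BY e.txid"
    ).fetchall()


def seat_holders(con):
    return dict(con.execute("SELECT seat, passenger FROM seats ORDER BY seat").fetchall())


if __name__ == "__main__":
    con = setup()
    book(con, "alice", "XY100", "1A", 300)   # commits
    book(con, "bob", "XY100", "1A", 300)     # seat taken: payment rolled back
    book(con, "", "XY100", "1B", 300)        # invalid request: both steps undone
    book(con, "carol", "XY100", "1B", 0)     # CHECK constraint rejects the payment
    for row in exceptions_report(con):
        print(row)
```

The txlog row is written and committed before the business steps run, so after a crash mid-transaction a restart can see which requests were pending and replay or discard them from the log, which is the checkpoint-restart behaviour described above.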
Which of the following Intrusion Detection Systems (IDS) uses a database of attacks,
known system vulnerabilities, monitoring current attempts to exploit those vulnerabilities,
and then triggers an alarm if an attempt is found?
A.
Knowledge-Based ID System
B.
Application-Based ID System
C.
Host-Based ID System
D.
Network-Based ID System
Knowledge-Based ID System
Knowledge-based Intrusion Detection Systems use a database of previous
attacks and known system vulnerabilities to look for current attempts to exploit their
vulnerabilities, and trigger an alarm if an attempt is found.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 87.
Application-Based ID System - "a subset of HIDS that analyze what's going on in an
application using the transaction log files of the application." Source: Official ISC2 CISSP
CBK Review Seminar Student Manual Version 7.0 p. 87
Host-Based ID System - "an implementation of IDS capabilities at the host level. Its most
significant difference from NIDS is intrusion detection analysis, and related processes are
limited to the boundaries of the host." Source: Official ISC2 Guide to the CISSP CBK - p.
197
Network-Based ID System - "a network device, or dedicated system attached to the
network, that monitors traffic traversing the network segment for which it is integrated."
Source: Official ISC2 Guide to the CISSP CBK - p. 196
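The knowledge-based approach described above, as an added example that is not part of the page's references: a Python script that matches a small hypothetical signature database against constructed web-server request lines. The signature IDs, patterns and log lines are all made up for the example. It also shows why normalising input (percent-decoding) before matching matters, and that anything with no signature in the database passes straight through.

```python
"""Knowledge-based (signature) detection over constructed request log lines.

Added example, not from the page's references. The signature IDs, patterns and
log lines are hypothetical; real IDS rule sets are far larger and are updated
continuously, which is exactly the dependency this approach has on its database.
"""
import re
from urllib.parse import unquote

# Hypothetical attack-knowledge database: (signature id, description, pattern).
SIGNATURES = [
    ("SIG-001", "directory traversal", re.compile(r"\.\./")),
    ("SIG-002", "SQL tautology in parameter",
     re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("SIG-003", "shell metacharacter followed by a command",
     re.compile(r"[;|`]\s*(cat|ls|id|wget|curl)\b")),
]

# Constructed request log (not captured from any real server).
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /download?file=../../etc/passwd",
    "GET /download?file=..%2F..%2Fetc%2Fpasswd",
    "GET /login?user=admin'%20OR%20'1'='1",
    "GET /ping?host=127.0.0.1;cat%20/etc/passwd",
    "GET /products?id=42",
]


def normalize(request):
    """Decode percent-encoding before matching so trivially encoded variants
    of a known attack still hit the signature. Decoding twice also catches
    double-encoded input (%252F -> %2F -> /)."""
    return unquote(unquote(request))


def scan(requests, signatures=SIGNATURES, normalize_input=True):
    """Return (1-based line number, signature id) for every signature hit.

    Only attacks already in the database can be found; a new exploit with no
    signature passes straight through, which is the main limitation of a
    knowledge-based IDS compared with behaviour-based detection.
    """
    hits = []
    for lineno, req in enumerate(requests, start=1):
        text = normalize(req) if normalize_input else req
        for sig_id, _desc, pattern in signatures:
            if pattern.search(text):
                hits.append((lineno, sig_id))
    return hits


if __name__ == "__main__":
    print("with normalisation:   ", scan(SAMPLE_REQUESTS))
    print("without normalisation:", scan(SAMPLE_REQUESTS, normalize_input=False))
```

Run without normalisation, the encoded traversal and the encoded SQL tautology are missed even though the signatures for them exist, which is the classic evasion against signature matching.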
Who should measure the effectiveness of Information System security related controls in
an organization?
A.
The local security specialist
B.
The business manager
C.
The systems auditor
D.
The central security manager
The systems auditor
It is the systems auditor who should lead the effort to verify that the security
controls are in place and effective. The audit would verify that the controls comply with
policies, procedures, laws, and regulations where applicable, and the findings would be
reported to senior management.
The following answers are incorrect:
The local security specialist. Incorrect because an independent review should take place
by a third party. The security specialist might offer mitigation strategies, but it is the auditor
who would verify the effectiveness of the controls.
The business manager. Incorrect because the business manager is responsible for ensuring
that the controls are in place, but it is the auditor who would verify the effectiveness of the
controls.
The central security manager. Incorrect because the central security manager would be
responsible for implementing the controls, but it is the auditor who is responsible for
verifying their effectiveness.
Which of the following tools is NOT likely to be used by a hacker?
A.
Nessus
B.
Saint
C.
Tripwire
D.
Nmap
Tripwire
Tripwire is file integrity assurance software aimed at detecting and reporting
accidental or malicious changes to files and data.
The following answers are incorrect :
Nessus is incorrect as it is a vulnerability scanner used by hackers in discovering
vulnerabilities in a system.
Saint is also incorrect as it is also a network vulnerability scanner likely to be used by
hackers.
Nmap is also incorrect as it is a port scanner for network exploration and likely to be used
by hackers.
Reference :
Tripwire : http://www.tripwire.com
Nessus : http://www.nessus.org
Saint : http://www.saintcorporation.com/saint
Nmap : http://insecure.org/nmap
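The change-detection check that both the HIDS question at the top of this topic and the Tripwire question here describe, as an added example that is neither Tripwire's code nor taken from the page's references: a Python script that hashes every file under a directory, compares a later snapshot against the stored baseline, and seals the baseline with an HMAC under a key assumed to be held off the monitored host, so an intruder who can edit files cannot also quietly rewrite the baseline to match. The directory tree, file contents and key are constructed for the example.

```python
"""File-integrity baseline and verification in the style of a HIDS / Tripwire check.

Added example, not Tripwire's code and not from the page's references.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Report files added, removed, or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def seal_baseline(baseline, key):
    """Serialize the baseline and prepend an HMAC-SHA256 over it."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return mac + b"\n" + payload


def load_sealed(blob, key):
    """Verify the HMAC before trusting the stored baseline; raise on tampering."""
    mac, _, payload = blob.partition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("baseline integrity check failed")
    return json.loads(payload)


def demo():
    """Build a constructed file tree, take a baseline, simulate an intrusion, and
    verify both the change detection and the sealed-baseline check."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/sh\n")
    (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
    baseline = build_baseline(root)
    key = b"key-held-off-host"  # assumed: stored away from the monitored system
    sealed = seal_baseline(baseline, key)
    # Simulated intrusion: extra uid-0 account, deleted binary, dropped script.
    (root / "etc" / "passwd").write_bytes(
        b"root:x:0:0:root:/root:/bin/sh\nbd:x:0:0::/:/bin/sh\n")
    (root / "bin" / "ls").unlink()
    (root / "tmp").mkdir()
    (root / "tmp" / "x.sh").write_bytes(b"#!/bin/sh\n")
    diff = compare(load_sealed(sealed, key), build_baseline(root))
    # An attacker who edits the stored baseline without the key is caught.
    forged = sealed.replace(baseline["etc/passwd"].encode(), b"0" * 64)
    try:
        load_sealed(forged, key)
        forgery_detected = False
    except ValueError:
        forgery_detected = True
    return {"baseline_files": sorted(baseline), "diff": diff,
            "forgery_detected": forgery_detected}


if __name__ == "__main__":
    print(demo())
```

Hashing every monitored file is also what makes this kind of check expensive, which is the point of the first question in this topic: on a large host a full integrity sweep is scheduled rather than run continuously, and the sealed baseline is kept read-only or off the host.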