Detective/Technical Measures

Detective and Technical Measures for Security Administration


Question

Detective/Technical measures:

Answers

Explanations


A. B. C. D.

A.

Detective/Technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information.

These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes.

In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

Detective/technical measures are the technical controls (as opposed to administrative or physical ones) used to identify security breaches and attacks, typically after they have begun or already occurred rather than preventing them outright. Their purpose is to give security administrators early warning so that incidents can be investigated and contained as quickly as possible. The question asks which of the four options correctly lists the components of detective/technical measures.

Option A is correct because it names the two components the source gives for detective/technical measures: intrusion detection systems (IDS) and automatically-generated violation reports from audit trail information. An IDS is a software or hardware system that monitors network traffic (network-based IDS) or host activity such as system calls and file changes (host-based IDS) for signs of intrusion, either by matching known attack signatures or by flagging deviations from a baseline of normal behaviour; when it detects suspicious activity it raises an alert to the security team. Audit trail information consists of the logs that operating systems, applications and devices generate for security-relevant events such as logins, file access and configuration changes. Automated violation analysis compares these records against thresholds and known patterns and reports the exceptions, for example a user repeatedly attempting to open a file they are not authorised to read, or a system setting changed without authorisation. Clipping levels keep this reporting useful: a small number of failed logins is treated as ordinary user error, and only activity above the threshold is flagged.

Option B is incorrect as it suggests that detective/technical measures do not include IDS or automated violation reports from audit trail information, which is not true.

Option C is incorrect as it suggests that detective/technical measures include IDS but do not include automated violation reports from audit trail information, which is not true.

Option D is incorrect because it replaces "automatically-generated" with customised, analyst-produced violation reports. Custom reports can be useful for investigating a specific type of incident, but they are not the component the source describes: the defining feature of this detective measure is that violation reports are produced automatically from audit trail information, which is what lets the control run continuously and at scale rather than depending on someone remembering to query the logs.

In summary, the correct answer is A - detective/technical measures include intrusion detection systems and automatically-generated violation reports from audit trail information.
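To make the "automatically-generated violation reports" and clipping-level mechanism from the Krutz and Vines explanation concrete, here is an added example that is not from the cited guide or from this question's original text. It runs two kinds of detective checks over a constructed audit trail: a threshold rule that reports a user only once their failed logins within a time window exceed the clipping level, and a signature rule that reports known patterns of unauthorised access on first sight. The log format, host name, signature names and sample events are all assumptions invented for the example.

```python
"""Minimal automated violation-report generator over an audit trail.

Added example (not from the cited CISSP guide). The record format and the
sample events below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-trail records: ISO timestamp, host, event type,
# then key=value fields. This layout is hypothetical, not any product's.
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:00:01 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:04 host1 login user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:09 host1 login user=alice result=OK src=10.0.0.5
2024-03-01T09:01:00 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:01:02 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:01:03 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:01:05 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:01:07 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:01:09 host1 login user=bob result=FAIL src=198.51.100.7
2024-03-01T09:02:00 host1 file_access user=carol path=/etc/shadow result=DENIED
2024-03-01T09:03:30 host1 config_change user=root key=sshd.PermitRootLogin value=yes
"""

# Known-bad signatures: (name, predicate over one parsed record).
SIGNATURES = [
    ("denied_access_sensitive_file",
     lambda r: r["event"] == "file_access" and r.get("result") == "DENIED"
     and r.get("path") in {"/etc/shadow", "/etc/sudoers"}),
    ("root_login_enabled",
     lambda r: r["event"] == "config_change"
     and r.get("key") == "sshd.PermitRootLogin" and r.get("value") == "yes"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \S+=\S*)*)$")


def parse_line(line):
    """Parse one audit record into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    rec = {"ts": ts, "host": m["host"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def max_failures_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def generate_violation_report(log_text, clipping_level=3, window=timedelta(minutes=5)):
    """Return the violations an automated analysis would report for `log_text`.

    Threshold rule: a user is reported only when their failed logins within
    `window` exceed `clipping_level`, so ordinary typos are not flagged.
    Signature rule: records matching a known-bad pattern are always reported.
    """
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]

    failures = defaultdict(list)
    for r in records:
        if r["event"] == "login" and r.get("result") == "FAIL":
            failures[r.get("user", "?")].append(r["ts"])

    report = []
    for user, stamps in failures.items():
        n = max_failures_in_window(stamps, window)
        if n > clipping_level:
            report.append({"type": "clipping_level_exceeded", "user": user,
                           "count": n, "clipping_level": clipping_level})

    for r in records:
        for name, matches in SIGNATURES:
            if matches(r):
                report.append({"type": "signature_match", "signature": name,
                               "user": r.get("user", "?"), "ts": r["ts"].isoformat()})
    return report


if __name__ == "__main__":
    for violation in generate_violation_report(SAMPLE_AUDIT_LOG, clipping_level=3):
        print(violation)
```

With the clipping level at 3, alice's two failed attempts followed by a successful login are suppressed as normal user error, bob's six failures in nine seconds are reported, and the denied read of /etc/shadow and the change enabling root SSH login are reported as signature matches. Raising the clipping level to 6 drops bob's entry, which shows the trade-off the clipping level controls: less noise in the report at the cost of tolerating more failed attempts before anyone is alerted.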