PECB Lead Implementer (ISO/IEC 27001) — Question 20

Can Socket Inc. find out that no persistent backdoor was placed and that the attack was initiated from an employee inside the company by reviewing event logs that record user faults and exceptions? Refer to scenario 3.

Answer options

• A. Yes, Socket Inc. can find out that no persistent backdoor was placed by only reviewing user faults and exceptions logs
• B. No, Socket Inc. should also have reviewed event logs that record user activities
• C. No, Socket Inc. should have reviewed all the logs on the syslog server

Correct answer: C

Explanation

The correct answer is C because reviewing only user faults and exceptions logs would not provide a complete picture of user activities and potential security events. To thoroughly investigate the incident, Socket Inc. needs to analyze all logs on the syslog server to identify any suspicious activities related to the attack.