CISA Chapter 5 Practice

Logical access controls (Logical access controls are the most effective
way to safeguard critical data within information processing facilities.
Logical access controls are technical controls, such as authentication,
encryption, firewall, IDS, and so on, which are very difficult to bypass by
a layman. The security committee addresses the broader perspective of
security. The other options are not as effective as logical access
controls.)
The most effective safeguard for securing software and data within an
information processing facility is:
A. Training and awareness
B. Logical access controls
C. Physical controls
D. The security committee
The information system security policy (Logical access controls are
designed and developed based on the approved information system
security policy of the organization. The user requirements and industry
practices should be considered when developing a security policy.
However, the implementation of logical controls should be done by the
approved security policy of the organization.)
Logical access controls are designed and developed on the basis of:
A. The user requirements
B. The information system security policy
C. Industry practices
D. System configuration files
Brainpower
Read More
The data and systems owners (It is the responsibility of the appointed
owner to ensure that their data and systems have appropriate security
arrangements. System owners may delegate routine security
responsibilities to a security administrator. However, it is the owners who
remain accountable for the maintenance of appropriate security
measures.)
Who among the following should be made accountable for the
appropriate maintenance of security controls over information assets?
A. The network administrator
B. The data and systems owners
C. The system developer
D. The systems operations group
To establish ownership (Without the owner being defined, it is difficult to
conduct criticality analysis or to develop an access matrix. Hence,
establishing ownership is the first step in data classification.)
Which of the following is the first step in data classification?
A. To establish ownership
B. To conduct critical analysis
C. To develop an access matrix
D. To tag classification nomenclature on assets
Authorization for access from the data owner and implementation of user
authorization tables by the administrator. (It is the accountability and
responsibility of the data owner to approve the access rights to the user.
Once the user is approved, system administrators should then
implement or update user authorization tables.)
The best method to provide access to a user is:
A. Authorization for access from the data owner and implementation of
user authorization tables by the administrator.
B. Joint authorization by the data owner and system administrator.
C. Joint creation and update of user authorization tables by the data
owner and system administrator.
D. The data owner creates and updates the user authorization tables.
The data owners (It is the accountability and responsibility of the data
owner for approving the access rights to the user.)
Responsibility of granting access to data with the help of security officer
resides with:
A. The data owners
B. The system developer
C. The library controller
D. The system administrator
The data owners (It is the accountability and responsibility of the data
owner for reviewing users' access rights.)
Responsibility for reviewing users' access rights resides with:
A. The data owners
B. The IS auditor
C. The library controller
D. The security administrator
Sufficiency (An IS auditor should first ensure the adequacy and
sufficiency of the baseline to address the organization's security
requirements. Other aspects, such as the documentation, process, and
compliance, can be determined once sufficiency is evaluated.)
With respect to the IT security baseline, the IS auditor should first
ensure:
A. The documentation
B. Sufficiency
C. Audit and compliance
D. The process
Are there any data privacy concerns about this process? (It is essential
to adhere to the applicable data privacy laws. For example, one of the
privacy principles requires organizations to use client data only for the
purpose for which it is collected. The IS should ensure the clients have
obtained consent to use their data for promotional activities.)
An organization proposes to use its existing client database to promote
its new range of products. Which of the following is an area of concern
for an IS auditor?
A. Are there any data privacy concerns about this process?
B. Whether the existing client database is updated.
C. Does this comply with the organization's promotional policy?
D. Whether the client database is appropriately secured against
unauthorized access.
Integrity checkers (Integrity checkers compute a binary number on a
virus-free program stored in a database file. When that program
executes, the checker computes the CRC on the program and compares
it to the number in the database. A match means no infection; a
mismatch means a program change. A program change could mean a
virus. Scanners look for sequences of bits called signatures. They
examine memory, disk boot sectors, executable files, and command files
for bit patterns that match a virus. Therefore, scanners need to update
periodically. Active Monitors interpret disk operating system and read-
only memory basic input-output system calls, looking for virus-like
actions. They can be deceptive because they can't distinguish between
a user request and a program or virus request. Users are asked to
confirm actions like formatting a disk or deleting files. Vaccines are
known to be good but must update periodically.)
Which of the following is the MOST effective type of antivirus software to
detect an infected application?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
encrypted with the recipient's public key and decrypted with the
recipient's private key (Encrypting a message with the recipient's public
key and decrypting it with the recipient's private key ensures message
confidentiality. A is wrong because encrypting a message with the
sender's private key and decrypting it with its public key ensures that the
message came from the sender; however, it does not guarantee
message confidentiality. With public key infrastructure (PKI), a message
encrypted with a private key must be decrypted with the responding
public key and vice versa. B is wrong because the sender could not
access the receiver's private key. C is wrong because the message
encrypted with the sender's private key could only be opened using the
sender's public key.)
An IS auditor is reviewing an organization's controls related to email
encryption. The company's policy states that all sent email must be
encrypted to protect the confidentiality of the message because the
organization shares nonpublic information through email. In a public-key
infrastructure implementation properly configured to provide
confidentiality, email is:
A. encrypted with the sender's private key and decrypted with the
sender's public key
B. encrypted with the recipient's private key and decrypted with the
sender's private key
C. encrypted with the sender's private key and decrypted with the
recipient's private key
D. encrypted with the recipient's public key and decrypted with the
recipient's private key
customer over the authenticity of the hosting organization.
Use of asymmetric encryption in an Internet e-commerce site, where
there is one private key for the hosting server and the public key is
widely distributed to the customers, is MOST likely to provide comfort to
the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting
organization.
D. hosting organization over the confidentiality of messages passed to
the customer.
verify that the firewall is not dropping any forwarded packets. (The
firewall will permit or deny traffic according to its rules. It should drop
unacceptable traffic. B is wrong because Address Resolution Protocol
(ARP) tables are used by a switch to map media access control (MAC)
addresses to IP addresses. C is wrong because a proxy-based firewall
works as an intermediary (proxy) between the service or application and
the client. It connects with the client, opens a different connection with
the server, and analyzes all the traffic between the two connections
based on specific filters and rules. Unlike a packet-filtering gateway, a
proxy-based firewall does not forward any packets. Mapping between
MAC and IP addresses is a task for protocols such as address resolution
protocol (ARP)/reverse address resolution protocol (RARP). D is wrong
because a proxy-based firewall is not used to forward routing
information.)
When auditing a proxy-based firewall, an IS auditor should:
A. verify that the firewall is not dropping any forwarded packets.
B. review Address Resolution Protocol (ARP) tables for appropriate
mapping between media access control (MAC) and Internet protocol (IP)
addresses.
C. verify that the filters applied to services such as hypertext
transmission protocol (HTTP) are effective.
D. test whether routing information is forwarded by the firewall.
session key with the receiver's public key. (Access to the session key
can only be obtained using the receiver's private key. A is wrong
because this will ensure authentication and nonrepudiation. B is wrong
because this will make the message accessible to only the sender. C is
wrong because, ideally, a sender cannot have access to a receiver's
private key.)
Which of the following can be used to help ensure confidentiality of
transmitted data? Encrypting the:
A. message digest with the sender's private key.
B. session key with the sender's public key.
C. message with the receiver's private key.
D. session key with the receiver's public key.
verifies information supplied by the subject requesting a certificate. (A
registration authority is responsible for verifying information supplied by
the subject requesting a certificate and verifies the requestor's right to
request a certificate on behalf of themselves or their organization. B is
wrong because certification authorities, not registration authorities, issue
certificates once the information is verified. C is wrong because the
sender, who has control of his/her private key, signs the message, not
the registration authority. D is wrong because registering signed
messages is not a task performed by registration authorities.)
In a public key infrastructure (PKI), a registration authority:
A. verifies information supplied by the subject requesting a certificate.
B. issues the certificate after the required attributes are verified and the
keys are generated.
C. digitally signs a message to achieve nonrepudiation of the signed
message.
D. registers signed messages to protect them from future repudiation.
periodic review of user activity logs. (General operating system access
control functions include logging user activities, events, etc. Reviewing
these logs may identify users performing activities that should not have
been permitted. B is wrong because verification of user authorization at
the field level is a database- and/or an application-level access control
function and does not apply to an operating system. C is wrong because
reviewing data communication access activity logs is a network control
feature. D is wrong because a periodic review of changing data files is
related to a change control process.)
During an IS audit of a bank, the IS auditor is assessing whether the
enterprise properly manages staff member access to the operating
system. The IS auditor should determine whether the enterprise
performs:
A. periodic review of user activity logs.
B. verification of user authorization at the field level.
C. review of data communication access activity logs.
D. periodic review of changing data files.
Install a firewall between the networks. (In this case, a firewall could be
used as a strong control to allow authorized users on the wireless
network to access the wired network. A is wrong because while having
two physically separate networks would ensure the security of customer
data, it would make it impossible for authorized wireless users to access
that data. B is wrong because while a VLAN would separate the two
networks, it is possible, with sufficient knowledge, for an attacker to gain
access to one VLAN from the other. C is wrong because a dedicated
router between the two networks would separate them; however, this
would be less secure than a firewall.)
An organization stores and transmits sensitive customer information
within a secure wired network. It has implemented an additional wireless
local area network (WLAN) to support general-purpose staff computing
needs. A few employees with WLAN access have legitimate business
reasons for also accessing customer information. Which of the following
represents the BEST control to ensure separation of the two networks?
A. Establish two physically separate networks.
B. Implement virtual local area network (VLAN) segmentation.
C. Install a dedicated router between the two networks.
D. Install a firewall between the networks.
Digital certificates (A digital certificate contains the public key and
identifying information about the owner of the public key. The associated
private key pair is kept secret by the owner. A trusted authority generally
verifies these certificates to associate a person's identity with the public
key. Email confidentiality and integrity are obtained by following the
public key-private key encryption. With the digital certificate verified by
the trusted third party, nonrepudiation of the sender is obtained. A is
wrong because symmetric key encryption uses a single passphrase to
encrypt and decrypt the message. B is wrong because digital signatures
provide message integrity and nonrepudiation, not confidentiality. C is
wrong because message digest algorithms are a way to design hashing
functions to verify the integrity of the message/data.)
An online stock trading firm is in the process of implementing a system
to provide secure email exchange with its customers. What is the BEST
option to ensure confidentiality, integrity and nonrepudiation?
A. Symmetric key encryption
B. Digital signatures
C. Message digest algorithms
D. Digital certificates
Only select personnel should have rights to view or delete audit logs.
(Granting access to audit logs to only system administrators and security
administrators would reduce the possibility of these files being deleted. A
is wrong because having additional copies of log file activity would not
prevent the original log files from being deleted. B is wrong because for
servers and applications to operate correctly, write access cannot be
disabled. D is wrong because frequent backups of audit logs would not
prevent the logs from being deleted.)
Which of the following is the BEST control to prevent the deletion of
audit logs by unauthorized individuals in an organization?
A. Actions on log files should be tracked in another log.
B. Write access to audit logs should be disabled.
C. Only select personnel should have rights to view or delete audit logs.
D. Backups of audit logs should be performed periodically.
A smart card requiring the user's personal identification number (PIN)
Which of the following is the BEST way to satisfy a two-factor user
authentication?
A. A smart card requiring the user's personal identification number (PIN)
B. User ID along with password
C. Iris scanning plus fingerprint scanning
D. A magnetic card requiring the user's PIN
Computation speed (The main advantage of elliptic curve encryption
(ECC) over RSA encryption is its computation speed. This is partly due
to using much smaller keys in the ECC algorithm than in RSA. B is
wrong because both encryption methods support digital signatures. C is
wrong because both encryption methods are used for public key
encryption and distribution. D is wrong because both ECC and RSA offer
message integrity controls.)
Which of the following is an advantage of elliptic curve encryption (ECC)
over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Message integrity controls
Address Resolution Protocol (ARP) (Address Resolution Protocol (ARP)
provides dynamic address mapping between an IP address and
hardware (MAC) address. A is wrong because Simple Object Access
Protocol (SOAP) is a platform-independent XML-based protocol,
enabling applications to communicate with each other over the Internet,
and does not deal with media access control (MAC) addresses. C is
wrong because Routing Information Protocol (RIP) specifies how routers
exchange routing table information. D is wrong because Transmission
Control Protocol (TCP) enables two hosts to establish a connection and
exchange data streams.)
An IS auditor should review the configuration of which of the following
protocols to detect unauthorized mappings between the IP address and
the media access control (MAC) address?
A. Simple Object Access Protocol (SOAP)
B. Address Resolution Protocol (ARP)
C. Routing Information Protocol (RIP)
D. Transmission Control Protocol (TCP)
Change the system configuration to enforce strong passwords. (The best
control is a preventive control through validation when the password is
created or changed. A is wrong because changing the enterprise's
security policy provides information to users but does little to enforce this
control. B is wrong because educating users about the risk of weak
passwords will not enforce the policy. C is wrong because requiring a
periodic review of matching user IDs and passwords for detection and
ensuring correction is a detective control.)
An IS auditor discovers that, in many cases, a username and password
are the same, which is contrary to policy. What is the BEST
recommendation?
A. Modify the enterprise's security policy.
B. Educate users about the risk of weak passwords.
C. Require a periodic review of matching user IDs and passwords for
detection and correction.
D. Change the system configuration to enforce strong passwords.
Spoofing (Spoofing is a form of impersonation where one computer tries
to take on the identity of another computer. When an attack originates
from the external network but uses an internal network address, the
attacker is most likely trying to bypass firewalls and other network
security controls by impersonating (or spoofing) the payroll server's
internal network address. By impersonating the payroll server, the
attacker may be able to access sensitive internal resources.)
During a review of intrusion detection logs, an IS auditor notices traffic
coming from the Internet, which appears to originate from the internal IP
address of the company payroll server. Which of the following malicious
activities would MOST likely cause this type of result?
A. A denial-of-service (DoS) attack
B. Spoofing
C. Port scanning
D. A man-in-the-middle attack
It binds a digital certificate and its public key to an individual subscriber's
identity. (PKI is primarily used to gain assurance that protected data or
services originated from a legitimate source. It is strict and rigorous to
ensure the subscriber identity's validity by linking it to the digital
certificate/public key. A is wrong because while some email applications
depend on public key infrastructure (PKI)-issued certificates for
nonrepudiation, PKI aims to authenticate the individual and link an
individual with their private key. The certificate authority (CA) does not
ordinarily create the user's private key. C is wrong because personal
details are not stored in or provided by components in the PKI. D is
wrong because authentication services within operating systems and
applications may be built on PKI-issued certificates, but PKI does not
provide authentication services for object access.)
Which of the following is the MOST significant function of a corporate
public key infrastructure (PKI) and certificate authority (CA) employing
X.509 digital certificates?
A. It provides the public/private key set for the encryption and signature
services used by email and file space.
B. It binds a digital certificate and its public key to an individual
subscriber's identity.
C. It provides the authoritative source for employee identity and personal
details.
D. It provides the authoritative authentication source for object access.
Review the parameter settings. (A review of the parameter settings will
provide a good basis for comparison of the actual configuration to the
security policy and will provide audit evidence documentation. B is wrong
because an interview with the firewall administrator will not ensure the
firewall is configured correctly. C is wrong because reviewing the actual
procedures is good but will not ensure the firewall rules are correct and
compliant with policy. D is wrong because recent attacks may indicate
problems with the firewall but will not ensure that it is correctly
configured.)
Which of the following is the BEST audit procedure to determine if a
firewall is configured in compliance with an organization's security
policy?
A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the actual procedures.
D. Review the device's log file for recent attacks.
forward error control. (Forward error control involves transmitting
additional redundant information with each character or frame to
facilitate detection and correction of errors. In feedback error control,
only enough additional information is transmitted so the receiver can
identify that an error has occurred. Choices B and D are error detection
methods but not error correction methods. Block sum check is an
extension of parity check wherein an additional set of parity bits is
computed for a block of characters. A cyclic redundancy check is a
technique wherein a single set of check digits is generated based on the
contents of the frame for each frame transmitted.)
Transmitting redundant information with each character or frame to
facilitate detection and correction of errors is called a:
A. feedback error control.
B. block sum check.
C. forward error control.
D. cyclic redundancy check.
Digital certificates (Digital certificates are issued by a trusted third party.
The message sender attaches the certificate, and the recipient can verify
authenticity with the certificate repository. A is wrong because digital
signatures are used for both authentication and integrity, but the digital
certificate would still confirm the identity of the sender. B is wrong
because asymmetric cryptography, such as public key infrastructure
(PKI), appears to authenticate the sender but is vulnerable to a man-in-
the-middle attack. D is wrong because the message authentication code
is used for message integrity verification.)
Which of the following is the MOST reliable method to ensure identity of
sender for messages transferred across Internet?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code
The organization should conduct a risk assessment and design and
implement appropriate controls. (Physical access to information
processing facilities (IPFs) by an external agency introduces additional
threats to an organization. Therefore, a risk assessment should be
conducted and controls designed accordingly. A is wrong because the
processes of the external agency are not of concern here. The agency's
interaction with the organization needs to be protected. Auditing their
processes would not be relevant in this scenario. B is wrong because
training the employees of the external agency may be one control
procedure but could be performed after access has been granted. C is
wrong because sometimes an external agency may require access to
processing facilities beyond common areas. For example, an agency
undertaking server maintenance may require access to the main server
room.)
What should an organization do before providing an external agency
physical access to its information processing facilities (IPFs)?
A. The processes of the external agency should be subjected to an IS
audit by an independent agency.
B. Employees of the external agency should be trained on the security
procedures of the organization.
C. Any access by an external agency should be limited to the
demilitarized zone (DMZ).
D. The organization should conduct a risk assessment and design and
implement appropriate controls.
authorization and authentication of the user prior to granting access to
system resources.
An IS auditor performing a telecommunication access control review
should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to
system resources.
C. adequate protection of stored data on servers by encryption or other
means.
D. accountability system and the ability to identify any terminal accessing
system resources.
packets may arrive out of order. (User Datagram Protocol (UDP) utilizes
a simple transmission model without implicit handshaking routines for
reliability, ordering, or data integrity. Thus, UDP provides an unreliable
service; datagrams may arrive out of order, appear duplicated, or get
dropped. B is wrong because the advantage of UDP is that the lack of
error checking allows for reduced latency. Time-sensitive applications,
such as online video or audio, often use UDP because of the reduced
latency of this protocol. C is wrong because UDP is compatible with
packet broadcast (sending to all on the local network) and multicasting
(sending to all subscribers). D is wrong because UDP assumes that
error checking and correction is either unnecessary or performed in the
application, avoiding the overhead of such processing at the network
interface level.)
A characteristic of User Datagram Protocol (UDP) in network
communications is:
A. packets may arrive out of order.
B. increased communication latency.
C. incompatibility with packet broadcast.
D. error correction may slow down processing.
the integrity of data transmitted by the sender. (If the hash sum is
different from what is expected, it implies that the message has been
altered. This is an integrity test. A is wrong because a hash function
ensures integrity of a message; encrypting with a secret key provides
confidentiality. B is wrong because signing the message with the private
key of the sender ensures nonrepudiation and authenticity. C is wrong
because authenticity of the message is provided by the digital signature.)
The cryptographic hash sum of a message is recalculated by the
receiver. This is to ensure:
A. the confidentiality of the message.
B. nonrepudiation by the sender.
C. the authenticity of the message.
D. the integrity of data transmitted by the sender.
Application gateway (An application gateway firewall prevents
applications such as File Transfer Protocols (FTPs) from entering the
organization's network. A is wrong because a circuit gateway firewall can
prevent paths or circuits, not applications, from entering the
organization's network. C is wrong because a packet filter firewall or
screening router will allow or prevent access based on IP
packets/addresses. D is wrong because a screening router cannot
effectively control application-level security.)
Reconfiguring which of the following firewall types will prevent inward
downloading of files through the File Transfer Protocol (FTP)?
A. Circuit gateway
B. Application gateway
C. Packet filter
D. Screening router
which has the lowest EER.
The MOST effective biometric control system is the one:
A. which has the highest equal-error rate (EER).
B. which has the lowest EER.
C. for which the false-rejection rate (FRR) is equal to the false-
acceptance rate (FAR).
D. for which the FRR is equal to the failure-to-enroll rate (FER).
Controlling how proprietary information systems are used (Users'
inappropriate use of proprietary IT resources exposes enterprises to
various risk scenarios. An acceptable use policy ensures that users are
made aware of acceptable usage and the need to acknowledge that they
are aware. A is wrong because employee orientation and user
awareness training are the most effective processes to raise user
awareness about the acceptable use of proprietary IT resources. B is
wrong because the acceptable use policy is a subset of information
security policies focusing on end-users. Information security policies are
much broader in overall content and include a wider audience. C is
wrong because although the policy may include a statement regarding
the sanctions for noncompliance, prevention, not sanctions, is the
primary objective of the acceptable use policy.)
Which of the following is a PRIMARY objective of an acceptable use
policy?
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncompliance
D. Controlling how proprietary information systems are used
The SAN presents a potential risk because only one employee has
access. (The most significant potential risk in this scenario is that the
SAN administrator represents a "single point of failure." The organization
is susceptible to risk because only one administrator has knowledge and
access required to administer the system. Having a single administrator
for an extensive system presents a risk of segregation of duties. A is
wrong because the most critical risk is that only one person has the
knowledge and ability to maintain the system. B is wrong because hard
zoning is more secure and used to separate different data sources from
each other. C is wrong because the question needs information
regarding whether logs are reviewed promptly, and the auditor needs
more information to determine whether this is a risk area.)
The IS auditor is reviewing the implementation of a storage area network
(SAN). The SAN administrator indicates that logging and monitoring is
active, hard zoning is used to isolate data from different business units
and all unused SAN ports are disabled. The administrator implemented
the system, performed and documented security testing during
implementation, and determined that he/she is the only user with
administrative rights to the system. What should the IS auditor's initial
determination be?
A. The SAN is secure and no significant risk exists.
B. The SAN presents a potential risk because soft zoning should be
used.
C. The SAN presents a potential risk because audit logs are not
reviewed in a timely manner.
D. The SAN presents a potential risk because only one employee has
access.
A long asymmetric encryption key is used. (Computer processing time is
increased for longer asymmetric encryption keys, and the increase may
be disproportionate. For example, one benchmark showed that doubling
the length of an RSA key from 512 bits to 1,024 bits caused the decrypt
time to increase nearly six-fold. A is wrong because an asymmetric
algorithm requires more processing time than symmetric algorithms. C is
wrong because a hash is usually shorter than the original message;
therefore, a smaller overhead is required if the hash is encrypted rather
than the message. D is wrong because use of a secret key, as a
symmetric encryption key, is generally small and used for the purpose of
encrypting user data.)
Which of the following cryptography options would increase
overhead/cost?
A. The encryption is symmetric rather than asymmetric.
B. A long asymmetric encryption key is used.
C. The hash is encrypted rather than the message.
D. A secret key is used.
Domain name system (DNS) server security hardening
Which of the following is the BEST control to mitigate the risk of
pharming attacks to an Internet banking application?
A. User registration and password policies
B. User security awareness
C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs)
D. Domain name system (DNS) server security hardening
the entire message, enciphering the message digest using the sender's
private key, enciphering the message with a symmetric key and
enciphering the key by using the receiver's public key. (Applying a
cryptographic hashing algorithm against the entire message addresses
the message integrity issue. Enciphering the message digest using the
sender's private key creates a digital signature and addresses
nonrepudiation. Encrypting the message with a symmetric key most
efficiently addresses the confidentiality of the message, and, thereafter,
enciphering the symmetric key using the receiver's public key transports
(distributes) the symmetric key securely to the receiver. B is wrong
because only hashing a part of the message would only verify the
integrity of that part of the message. C and D are wrong because
enciphering the message with a public key would be much too slow to be
practical.)
To ensure message integrity, confidentiality and nonrepudiation between
two parties, the MOST effective method would be to create a message
digest by applying a cryptographic hashing algorithm against:
A. the entire message, enciphering the message digest using the
sender's private key, enciphering the message with a symmetric key and
enciphering the key by using the receiver's public key.
B. any part of the message, enciphering the message digest using the
sender's private key, enciphering the message with a symmetric key and
enciphering the key using the receiver's public key.
C. the entire message, enciphering the message digest using the
sender's private key, enciphering the message with a symmetric key and
enciphering both the encrypted message and digest using the receiver's
public key.
D. the entire message, enciphering the message digest using the
sender's private key and enciphering the message using the receiver's
public key.
integrity. (Digital signatures provide integrity because the digital
signature of a signed message (file, mail, document, etc.) changes every
time a single bit of the document changes; thus, a signed document
cannot be altered. A digital signature provides for message integrity,
nonrepudiation, and proof of origin. A is wrong because a digital
signature does not, in itself, address message confidentiality. C is wrong
because this is not related to digital signatures. D is wrong because
correctness is generally unrelated to digital signatures. A digital signature
guarantees data integrity; however, it cannot ensure the correctness of
signed data.)
The PRIMARY reason for using digital signatures is to ensure data:
A. confidentiality.
B. integrity.
C. availability.
D. correctness.
the source routing field is enabled. (IP spoofing takes advantage of the
source-routing option in the IP protocol. With this option enabled, an
attacker can insert a spoofed source IP address. The packet will travel
the network according to the information within the source-routing field,
bypassing the logic in each router, including dynamic and static routing.
B is wrong because if a packet has a broadcast destination address, it is
suspicious and will be sent to all addresses in the subnet if allowed to
pass. This is not related to IP spoofing. C is wrong because turning on
the reset flag (RST) is part of the normal procedure to end a
transmission control protocol (TCP) connection. D is wrong because
dynamic or static routing will not represent a spoofing attack.)
To prevent Internet protocol (IP) spoofing attacks, a firewall should be
configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the transmission control protocol
(TCP) connection.
D. dynamic routing is used instead of static routing.
system administrators use shared login credentials. (The use of shared
login credentials makes accountability impossible. This is especially a
risk with privileged accounts. A is wrong because if user accounts are
not locked after multiple failed attempts, a brute force attack could be
used to gain access to the system. While this is a risk, a typical user
would have limited system access compared to an administrator. B is
wrong because the reuse of passwords is a risk. However, the use of
shared login credentials by administrators is a more severe risk. D is
wrong because if password expiration is not automated, employees will
most likely not change their passwords regularly. However, this is not as
serious as passwords being shared, and administrators' use of shared
login credentials is a more severe risk.)
An IS auditor reviewing the authentication controls of an organization
should be MOST concerned if:
A. user accounts are not locked out after five failed attempts.
B. passwords can be reused by employees within a defined time frame.
C. system administrators use shared login credentials.
D. password expiration is not automated.
Review of the access control privilege authorization process (In this
case, the IS auditor should recommend reviewing the access control
management process. Emergency system administration-level access
should only be granted as needed and configured to a predefined
expiration date. Accounts with temporary privileges require strong
controls to limit the lifetime of the privileges, and the use of these
accounts should be closely monitored. B is wrong because while
implementing an identity management system (IMS) may solve the
problem, reviewing access privileges would be most cost-efficient. C is
wrong because enhancing procedures to audit changes made to
sensitive customer data does not prevent the misuse of these accounts
and should be performed after reviewing the process. D is wrong
because granting fire call accounts only to managers is not realistic.)
An IT executive of an insurance company asked an external auditor to
evaluate the user IDs for emergency access (fire call ID). The IS auditor
found that fire call accounts are granted without a predefined expiration
date. What should the IS auditor recommend?
A. Review of the access control privilege authorization process
B. Implementation of an identity management system (IMS)
C. Enhancement of procedures to audit changes made to sensitive
customer data
D. Granting of fire call accounts only to managers
approval of user access. (Without an owner to approve user access to
the group, unauthorized individuals could potentially gain access to any
sensitive data within the group's rights. A is wrong because updating
data about the group is not a great concern when compared to
unauthorized access. B is wrong because while the periodic review of
user accounts is a good practice, this is a detective control and not as
robust as preventing unauthorized access to the group in the first place.
D is wrong because revoking access to terminated users is a
compensating control for the normal termination process and is also a
detective control.)
During an access control review for a mainframe application, an IS
auditor discovers user security groups without designated owners.
Which of the following is the PRIMARY reason that this is a concern to
the IS auditor? Without ownership there is no responsibility for:Select an
answer:
A. updating group metadata.
B. reviewing existing user access.
C. approval of user access.
D. removing terminated users.
Unauthorized individuals wait for controlled doors to open and walk in
behind those authorized. (Piggybacking or tailgating can compromise the
physical access controls. B is wrong because the contingency plan for
the organization cannot effectively test controlled access practices. C is
wrong because duplicating access control cards or keys is technically
challenging. D is wrong because an access control system should have
easily followed procedures for managing user access throughout the
access life cycle.)
What is a risk associated with attempting to control physical access to
sensitive areas such as computer rooms using card keys or locks?
A. Unauthorized individuals wait for controlled doors to open and walk in
behind those authorized.
B. The contingency plan for the organization cannot effectively test
controlled access practices.
C. Access cards, keys and pads can be easily duplicated allowing easy
compromise of the control.
D. Removing access for those who are no longer authorized is complex.
Developer training (Of the given choices, teaching developers to write
secure code is the best way to secure a web application. A is wrong
because password masking is a necessary preventive control but is not
the best way to secure an application. C is wrong because encryption
will protect data, but is not sufficient to secure an application because
other flaws in coding could compromise the application and data.
Ensuring that applications are designed securely is the best way to
secure an application. This is accomplished by ensuring developers are
adequately educated on secure coding practices. D is wrong because
vulnerability testing can help ensure web application security; however,
the best preventive control is developer education because building
secure applications from the start is more effective.)
Which of the following preventive controls BEST helps secure a web
application?
A. Password masking
B. Developer training
C. Encryption
D. Vulnerability testing
Properly locating it in the network architecture (Proper location of an
intrusion detection system (IDS) in the network is the most important
decision during installation. A poorly located IDS could leave key areas
of the network unprotected. B is wrong because a network IDS will
monitor network traffic, and a host-based IDS will monitor activity on the
host, but it has no capability of preventing a denial-of-service (DoS)
attack. C is wrong because configuring an IDS can be challenging
because it may require the IDS to "learn" what normal activity is, but the
most important part of the installation is installing it in the right places. D
is wrong because an IDS is only a monitoring device and does not reject
traffic. Rejection errors would apply to a biometric device.)
When installing an intrusion detection system (IDS), which of the
following is MOST important?
A. Properly locating it in the network architecture
B. Preventing denial-of-service (DoS) attacks
C. Identifying messages that need to be quarantined
D. Minimizing the rejection errors
Spoofing (Spoofing is a form of impersonation where one computer tries
to take on the identity of another computer. A is wrong because a DoS
attack is designed to limit the availability of a resource and characterized
by a high number of requests that require a response from the resource.
The target spends so many resources responding to the attack requests
that legitimate requests are not serviced. C is wrong because port
scanning is a reconnaissance technique designed to gather information
about a target before a more active attack. D is wrong because a man-
in-the-middle attack is a form of active eavesdropping where the attacker
intercepts a computerized conversation between two parties and then
allows the conversation to continue by relaying the appropriate data to
both parties while simultaneously monitoring the same data passing
through the attacker's conduit.)
During a review of intrusion detection logs, an IS auditor notices traffic
coming from the Internet, which appears to originate from the internal IP
address of the company payroll server. Which of the following malicious
activities would MOST likely cause this type of result?
A. A denial-of-service (DoS) attack
B. Spoofing
C. Port scanning
D. A man-in-the-middle attack
Web of trust (Web of trust is a key distribution method suitable for
communication in a small group. It is used by tools such as Pretty Good
Privacy (PGP) and distributes users' public keys within a group. A is
wrong because a key distribution center is part of a Kerberos
implementation suitable for internal communication for a large group
within an institution, and it will distribute symmetric keys for each
session. B is wrong because the certificate authority (CA) is a trusted
third party that ensures the authenticity of the certificate's owner. This is
necessary for large groups and formal communication. D is wrong
because a Kerberos Authentication System extends the function of a key
distribution center by generating "tickets" to define the facilities on
networked machines, which are accessible to each user.)
Which of the following is BEST suited for secure communications within
a small group?Select an answer:
A. Key distribution center
B. Certificate authority (CA)
C. Web of trust
D. Kerberos Authentication System
Power line conditioners (Power line conditioners are used to
compensate for peaks and valleys in the power supply and reduce peaks
in the power flow to what is needed by the machine. Any valleys are
removed by power stored in the equipment. B is wrong because surge
protection devices protect against high-voltage bursts. C is wrong
because alternative power supplies are intended for power failures that
last longer and are normally coupled with other devices, such as an
uninterruptible power supply (UPS), to compensate for the power loss
until the alternate power supply becomes available. D is wrong because
an interruptible power supply would cause the equipment to come down
whenever there was a power failure.)
Which of the following environmental controls is appropriate to protect
computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies
facilitates interoperability. (Open systems are those for which suppliers
provide components whose interfaces are defined by public standards,
thus facilitating interoperability between systems made by different
vendors. B is wrong because closed system components are built to
proprietary standards so that other suppliers' systems cannot or will not
interface with existing systems. C is wrong because the ability to obtain
volume discounts is achieved through bulk purchasing or a primary
vendor, not through open system architecture. D is wrong because open
systems may be less expensive than proprietary systems depending on
the supplier, but the primary benefit of open system architecture is its
interoperability between vendors.)
A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for
equipment.
Configuration management (Configuration management establishes how
the network will function internally and externally and deals with the
management of configuration and monitoring performance. It ensures
that the setup and management of the network are done properly,
including managing changes to the configuration, removing default
passwords, and possibly hardening the network by disabling unneeded
services. B is wrong because topological mappings provide outlines of
the components of the network and its connectivity. This is important to
address issues such as single points of failure and proper network
isolation, but it is not the most critical component of network
management. C is wrong because application monitoring is not critical to
network management. D is wrong because proxy server troubleshooting
is used for troubleshooting purposes, and managing a proxy is only a
small part of network management.)
Which of the following is widely accepted as one of the critical
components in networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting
Kerberos (Kerberos is a network authentication protocol for client-server
applications that can restrict access to the database to authorized users.
B is wrong because vitality detection ensures that a user presenting a
biometric is "alive" and not merely an image or photocopy of the
biometric values. C is wrong because multimodal biometrics uses a
combination of biometric methods to authenticate a user. If the attacker
can access the biometric templates, using multiple templates will not be
an effective control. D is wrong because before-image/after-image
logging of database transactions is a detective control, as opposed to
Kerberos, which is a preventive control.)
An IS auditor examining a biometric user authentication system
establishes the existence of a control weakness that would allow an
unauthorized individual to update the centralized database on the server
that is used to store biometric templates. Of the following, which is the
BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging
Authentication (A hash function aims to produce a "fingerprint" of data to
ensure integrity and authentication. A hash of a password also provides
for authentication of a user or process attempting to access resources. B
is wrong because hash functions are used to validate the authenticity of
the identity. C is wrong because authorization is provided after the
authentication has been established. D is wrong because hash functions
are algorithms that map or translate one set of bits into another
(generally smaller) so that a message yields the same result every time
the algorithm is executed using the same message as input. It is
computationally infeasible for a message to be derived or reconstituted
from the result produced by the algorithm or to find two different
messages that produce the same hash result using the same algorithm.
Hash functions do not encrypt data.)
Where would an IS auditor MOST likely see a hash function applied?
A. Authentication
B. Identification
C. Authorization
D. Encryption
Unencrypted passwords are used. (When evaluating the technical
aspects of logical security, unencrypted passwords represent the
greatest risk because it would be assumed that remote access would be
over an untrusted network where passwords could be discovered. A is
wrong because the passwords should not be shared, but this is less
important than ensuring password files are encrypted. C is wrong
because checking for the redundancy of logon IDs is essential but less
important than ensuring the passwords are encrypted. D is wrong
because there may be business requirements, such as the use of
contractors that require them to have system access, so this may not be
a concern.)
When reviewing an organization's logical access security to its remote
systems, which of the following would be of GREATEST concern to an
IS auditor?
A. Passwords are shared.
B. Unencrypted passwords are used.
C. Redundant logon IDs exist.
D. Third-party users are granted administrator-level access.
signer to have a private key and the receiver to have a public key.
(Digital signatures are intended to verify the integrity of the data and the
sender's identity to a recipient. The digital signature standard is based
on the sender encrypting a digest of the message with their private key
and the receiver validating the message with the public key. A is wrong
because if a sender encrypts a message with a public key, it will provide
confidential transmission to the receiver with the private key. C is wrong
because asymmetric key cryptography always works with key pairs.
Therefore, a message encrypted with a public key could only be opened
with a private key. D is wrong because if both the sender and receiver
have a private key, there would be no way to validate the digital
signature.)
Digital signatures require the:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.
Self-signed digital certificates (Self-signed digital certificates are not
signed by a certificate authority (CA) and can be created by anyone.
Thus, they can be used by attackers to impersonate a website, which
may lead to data theft or perpetrate a man-in-the-middle attack. A is
wrong because an expired certificate leads to blocked access to the
website, leading to unwanted downtime. However, there is no loss of
data. Therefore, the comparative risk is lower. C is wrong because using
the same digital certificate is not a significant risk. Wildcard digital
certificates may be used for multiple subdomain websites. D is wrong
because 56-bit digital certificates may be needed to connect with older
versions of operating systems (OSs) or browsers. While they have lower
strength than 128-bit or 256-bit digital certificates, the comparative risk of
a self-signed certificate is higher.)
An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web
sites for the company. Which of the following choices would be the
HIGHEST risk?
A. Expired digital certificates
B. Self-signed digital certificates
C. Using the same digital certificate for multiple web sites
D. Using 56-bit digital certificates
the users may not remember to manually encrypt the data before
transmission. (If the data is not encrypted, an unauthorized external
party may download sensitive company data. B is wrong because even
though the possibility exists that the logon information was captured from
the emails, data should be encrypted, so the theft of the data would not
allow the attacker to read it. C is wrong because some of the employees
at the consulting firm will have access to the sensitive data and the
consulting firm must have procedures in place to protect the data. D is
wrong because tracing accountability is of minimal concern compared to
the compromise of sensitive data.)
A consulting firm has created a File Transfer Protocol (FTP) site for the
purpose of receiving financial data and has communicated the site's
address, user ID and password to the financial services company in
separate email messages. The company is to transmit its data to the
FTP site after manually encrypting the data. The IS auditor's GREATEST
concern with this process is that:
A. the users may not remember to manually encrypt the data before
transmission.
B. the site credentials were sent to the financial services company via
email.
C. personnel at the consulting firm may obtain access to sensitive data.
D. the use of a shared user ID to the FTP site does not allow for user
accountability.
Hardening the server configuration (Hardening a system means
configuring it most securely to prevent nonprivileged users from gaining
the right to execute privileged instructions and, thus, take control of the
entire machine, jeopardizing the integrity of the OS. A is wrong because
protecting the server in a secure location is a good practice. Still, it
doesn't ensure that a user will not try to exploit logical vulnerabilities and
compromise the OS. B is wrong because setting a boot password is a
good practice, but it doesn't ensure that a user will not try to exploit
logical vulnerabilities and compromise the OS. D is wrong because
activity logging has two weaknesses in this scenario—it is a detective
control, and the attacker who already gained privileged access can
modify or disable logs.)
Which of the following BEST ensures the integrity of a server's operating
system (OS)?
A. Protecting the server in a secure location
B. Setting a boot password
C. Hardening the server configuration
D. Implementing activity logging
configure a hard-to-guess username. (Knowledge of a username and
password is required to compromise an account successfully using a
brute force attack. If a username is guessable, brute-force attacks are
much more feasible. A is wrong because increasing the password length
is not as good as having a username that cannot be discovered. B is
wrong because session timeouts do not prevent unauthorized access. C
is wrong because vulnerability scans typically test for default usernames
and passwords and are a good detective control, but performing periodic
vulnerability scans does not prevent brute force attacks.)
An IS auditor observed brute force attacks on the administrator account.
The BEST recommendation to prevent a successful brute force attack
would be to:
A. increase the password length for the user.
B. configure a session timeout mechanism.
C. perform periodic vulnerability scans.
D. configure a hard-to-guess username.
implementing security awareness training. (Dumpster diving is used to
steal documents or computer media that were not properly discarded.
Users should know the risk of carefully discarding sensitive documents
and other items. B is wrong because the shred bins may not be properly
used if users are not aware of proper security techniques. C is wrong
because a media disposal policy is a good idea; however, it may be
ineffective if users are not aware of the policy. D is wrong because the
shredders may not be properly used if users are not aware of proper
security techniques.)
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.
verify that security requirements have been properly specified in the
project plan. (If an IS auditor identifies significant security issues, the first
question is whether the security requirements were correct in the project
plan. Depending on whether the requirements were included in the plan
would affect the recommendations the auditor would make. A is wrong
because while it is important for programmers to understand security, it
is more important to state the security requirements in the project plan
properly. B is wrong because system administrators may have changed
the controls, but it is assumed that the auditor is reviewing the system as
designed a week before implementation, so the administrators still need
to configure it. D is wrong because security requirements may change
based on new vulnerabilities over time. If there are missing controls, this
indicates a faulty design due to incomplete requirements.)
An IS auditor is reviewing a new web-based order entry system the week
before it goes live. The IS auditor has identified that the application, as
designed, may be missing several critical controls regarding how the
system stores customer credit card information. The IS auditor should
FIRST:
A. determine whether system developers have proper training on
adequate security measures.
B. determine whether system administrators have disabled security
controls for any reason.
C. verify that security requirements have been properly specified in the
project plan.
D. validate whether security controls are based on requirements which
are no longer valid.
There is no chain of custody policy. (Organizations should have a policy
that directs employees to follow certain procedures when collecting
evidence that may be used in a court of law. Chain of custody involves
documentation of how digital evidence is acquired, processed, handled,
stored, and protected, and who handled the evidence and why. If there is
no policy in place, it is unlikely that employees will ensure that the chain
of custody is maintained during any data breach investigation. A is wrong
because end users should be aware of incident reporting procedures,
but is not likely to affect data integrity related to the breach. B is wrong
because having log servers segregated on a separate network might be
a good idea because ensuring the integrity of log server data is
important. C is wrong because while not having valid backups would be
a concern, data breach evidence is not generally retrieved from
backups.)
An IS auditor is reviewing an organization to ensure that evidence
related to a data breach case is preserved. Which of the following
choices would be of MOST concern to the IS auditor?
A. End users are not aware of incident reporting procedures.
B. Log servers are not on a separate network.
C. Backups are not performed consistently.
D. There is no chain of custody policy.
digital certificate. (A digital certificate is an electronic document that
declares a public key holder is who the holder claims to be. The
certificates handle data authentication as they are used to determine
who sent a particular message. A is wrong because a certificate
revocation list (CRL) is the list of certificates that can no longer be
trusted. B is wrong because a digital signature ensures the integrity of
the message being sent and solves the nonrepudiation issue of
message origination. D is wrong because the sender's public key cannot
be opened by any key except the sender's private key.)
The sender of a public key would be authenticated by a:
A. certificate revocation list (CRL).
B. digital signature.
C. digital certificate.
D. receiver's private key.
Screened subnet firewall (A screened subnet firewall would provide the
best protection. The screening router can be a commercial router or a
node with routing capabilities and the ability to allow or avoid traffic
between nets or nodes based on addresses, ports, protocols, interfaces,
etc. The subnet would isolate Internet-based traffic from the rest of the
corporate network. B is wrong because application-level gateways are
mediators between two entities that want to communicate, also known
as proxy gateways. This would be the best solution to protect an
application but not a network. C is wrong because a packet filtering
router examines the header of every packet or data traveling between
the Internet and the corporate network. D is wrong because a circuit-
level gateway, such as a Socket Secure (SOCKS) server, will protect
users by acting as a proxy but is not the best defense for a network.)
Which of the following types of firewalls would BEST protect a network
from an Internet attack?
A. Screened subnet firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit-level gateway
Man-in-the-middle (A man-in-the-middle attack is similar to piggybacking
in that the attacker pretends to be the legitimate destination and then
merely retransmits whatever is sent by the authorized user along with
additional transactions after authentication has been accepted. This is
done in many instances of bank fraud. A is wrong because a denial-of-
service attack does not relate to authentication. C is wrong because key
logging could circumvent single-factor authentication but not two-factor
authentication. D is wrong because brute force could circumvent single-
factor authentication but not two-factor authentication.)
Two-factor authentication can be circumvented through which of the
following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force
reduces crosstalk between pairs. (The use of unshielded twisted-pair
(UTP) in copper will reduce the likelihood of crosstalk. B is wrong
because while the twisted nature of the media will reduce sensitivity to
electromagnetic disturbances, an unshielded copper wire does not
provide adequate protection against wiretapping. C is wrong because
attenuation sets in if copper twisted-pair cable is used for longer than
100 meters, necessitating the use of a repeater. D is wrong because the
tools and techniques to install UTP are not simpler or easier than other
copper-based cables.)
An advantage of using unshielded twisted-pair (UTP) cable for data
communication over other copper-based cables is that UTP cable:
A. reduces crosstalk between pairs.
B. provides protection against wiretapping.
C. can be used in long-distance networks.
D. is simple to install.
Report the incident to management. (Reporting the suspected incident to
management will help initiate the incident response process, which is the
most appropriate action. Management is responsible for making
decisions regarding the appropriate response. It is not the IS auditor's
role to respond to incidents during an audit. A is wrong because the IS
auditor should follow the organization's incident response process. The
auditor is not authorized to shut the system down. C is wrong because
the IS auditor is not authorized to lead the investigation or suspend user
accounts. The auditor should report the incident to management. D is
wrong because management is responsible for setting up and following
an incident management plan; that is not the responsibility of the IS
auditor.)
An IS auditor suspects an incident is occurring while an audit is being
performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Investigate the source and nature of the incident.
hardware is protected against power surges. (A voltage regulator
protects against short-term power fluctuations. B is wrong because a
voltage regulator does not maintain the integrity if power is interrupted or
lost. C is wrong because an uninterruptible power supply (UPS) provides
constant power even if the main power is lost. D is wrong because a
voltage regulator protects against short-term power fluctuations.)
When auditing security for a data center, an IS auditor should look for
the presence of a voltage regulator to ensure that the:
A. hardware is protected against power surges.
B. integrity is maintained if the main power is interrupted.
C. immediate power will be available if the main power is lost.
D. hardware is protected against long-term power fluctuations.
perform an additional analysis. (The IS auditor needs to perform
substantive testing and additional analysis to determine why the
approval and workflow processes are not working as intended. Before
making any recommendation, the IS auditor should understand the
problem's scope and what factors caused this incident. The IS auditor
should identify whether the issue was caused by managers not following
procedures, a problem with the workflow of the automated system, or a
combination of the two. B is wrong because the IS auditor needs more
information to report the problem. C is wrong because changing the
scope of the IS audit or conducting a security risk assessment would
require more detailed information about the processes and violations
being reviewed. D is wrong because the IS auditor must first determine
the root cause and impact of the findings and needs more information to
recommend fixing the workflow issues.)
When auditing the provisioning procedures of the identity management
(IDM) system of a large organization, an IS auditor immediately finds a
small number of access requests that had not been authorized by
managers through the normal predefined workflow steps and escalation
rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the IDM system fix the workflow issues.
is irreversible. (Hashing works one way—by applying a hashing
algorithm to a message, a message hash/digest is created. If the same
hashing algorithm is applied to the message digest, it will not result in
the original message. As such, hashing is irreversible, while encryption is
reversible. This is the basic difference between hashing and encryption.
B is wrong because hashing creates a fixed-length output that is usually
smaller than the original message, and encryption creates an output that
is usually the same length as the original message. C is wrong because
hashing is used to verify the integrity of the message and does not
address security. The same hashing algorithm is used at the sending
and receiving ends to generate and verify the message hash/digest. D is
wrong because encryption may use different keys or a reverse process
at the sending and receiving ends to encrypt and decrypt.)
The MOST important difference between hashing and encryption is that
hashing:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiving end.
Role-based (Role-based access control limits access according to job
roles and responsibilities and would be the best method to allow only
authorized users to view reports on a need-to-know basis. A is wrong
because an access control system based on mandatory access control
would be expensive and difficult to implement and maintain in a large,
complex organization. C is wrong because discretionary access control
(DAC) is where the owner of the resources decides who should have
access to that resource. Most access control systems are implemented
using DAC. This answer is not specific enough for this scenario. D is
wrong because single sign-on is an access control technology used to
manage access to multiple systems, networks, and applications. This
answer is not specific enough for this question.)
A new business application has been designed in a large, complex
organization, and the business owner has requested that the various
reports be viewed on a "need to know" basis. Which of the following
access control methods would be the BEST method to achieve this
requirement?
A. Mandatory
B. Role-based
C. Discretionary
D. Single sign-on
an automated password management tool be used. (Using an
automated password management tool is a preventive control measure.
The software would prevent repetition (semantic) and enforce syntactic
rules, thus making the passwords robust. It would also provide a method
for ensuring frequent changes and prevent the same user from reusing
his/her old password for a designated time. A is wrong because the
policy is appropriate and does not require change. Changing the policy
would not ensure compliance. B is wrong because having a requirement
to change passwords periodically is good practice and should be in the
password policy. D is wrong because security awareness training would
not enforce compliance.)
To ensure compliance with a security policy requiring that passwords be
a combination of letters and numbers, an IS auditor should recommend
that:
A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management tool be used.
D. security awareness training is delivered.
traffic analysis. (In traffic analysis, which is a passive attack, an intruder
determines the nature of the traffic flow between defined hosts, and
through an analysis of session length, frequency, and message length,
the intruder can guess the type of communication taking place. This is
typically used when messages are encrypted, and eavesdropping would
not yield meaningful results. A is wrong because, in eavesdropping, a
passive attack, the intruder gathers the information flowing through the
network to acquire message contents for personal analysis or third
parties. B is wrong because spoofing is an active attack. In spoofing, a
user receives an email that appears to have originated from one source
when it was sent from another. D is wrong because the intruder presents
an identity other than the original one in masquerading. This is an active
attack.)
A perpetrator looking to gain access to and gather information about
encrypted data being transmitted over the network would use:
A. eavesdropping.
B. spoofing.
C. traffic analysis.
D. masquerading.
The battery room does not contain hydrogen sensors. (Lead-acid
batteries emit hydrogen, which is a highly explosive gas. Hydrogen
detectors are a compensating control for ventilation system failure. All
battery rooms should have hydrogen sensors as well as adequate
ventilation systems. A is wrong because while a valid service contract is
important, the bigger risk would be from a hydrogen explosion. C is
wrong because it is good practice to keep the door to the battery room
locked to prevent entry by unauthorized personnel. D is wrong because,
with the generators located outdoors, the risk of a hydrogen explosion
caused by the generators is negligible. Hydrogen sensors would notify
data center personnel of a potential gas buildup so they could take the
appropriate measures.)
An IS auditor performing a data center review for a large company
discovers that the data center has a lead-acid battery room to provide
power to its uninterruptable power supply (UPS) during short-term
outages and a diesel generator to provide long-term power backup.
Which of the following items would cause the IS auditor the GREATEST
concern?
A. The service contract on the diesel generator is not current.
B. The battery room does not contain hydrogen sensors.
C. The door to the battery room is kept locked.
D. The battery room is next to the diesel generator yard.
authentication of the web site that will be surfed. (Authenticating the site
to be surfed is the primary goal of a web certificate. B is wrong because
authentication of a user is achieved through passwords and not by a
website certificate. C is wrong because the site certificate does not
prevent hacking or authenticate a person. D is wrong because website
certificates may serve the same purpose as a digital certificate, but the
goal of certificates is authentication.)
The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.
establish accountability and responsibility for processed transactions.
(Enabling audit trails help establish the accountability and responsibility
of processed transactions by tracing transactions through the system. A
is wrong because the objective of enabling software to provide audit
trails is not to improve system efficiency because it often involves
additional processing, which may reduce response time for users. C is
wrong because enabling audit trails involves storage, thus occupying
disk space and may decrease operational efficiency. D is wrong because
audit trails are used to track transactions for various purposes, not just
for audit. The use of audit trails for IS auditors is valid; however, it is not
the primary reason.)
The PRIMARY purpose of audit trails is to:
A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve the operational efficiency of the system.
D. provide useful information to auditors who may wish to track
transactions.
Training provided on a regular basis to all current and new employees
(Regular training is an important part of a security awareness program. A
is wrong because utilizing an intrusion detection system to report
incidents that occur is an implementation of a security program and is
not effective in establishing a security awareness program. B is wrong
because mandating the use of passwords is a policy decision, not an
awareness issue. C is wrong because installing an efficient user log
system is not a part of an awareness program.)
The management of an organization has decided to establish a security
awareness program. Which of the following would MOST likely be a part
of the program?
A. Utilizing of intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Double-blind testing (In double-blind testing, the penetration tester has
little or limited knowledge about the target system, and personnel at the
target site have not been informed that a test is being performed.
Because the administrator and security staff at the target are unaware of
the test, it can effectively evaluate the system administrator's incident
handling and response capability. A is wrong because penetration testers
are provided with information related to the target and network design in
targeted testing, and the target's IT team is aware of the testing
activities. B is wrong because internal testing refers to attacks and
control circumvention attempts on the target from within the perimeter. D
is wrong because external testing is a generic term that refers to attacks
and control circumvention attempts on the target from outside the target
system.)
Which of the following types of penetration tests effectively evaluates the
incident handling and response capability of the system administrator?
A. Targeted testing
B. Internal testing
C. Double-blind testing
D. External testing
A host-based intrusion prevention system (IPS)
A company determined that its web site was compromised and a rootkit
was installed on the server hosting the application. Which of the
following choices would have MOST likely prevented the incident?
A. A host-based intrusion prevention system (IPS)
B. A network-based intrusion detection system (IDS)
C. A firewall
D. Operating system (OS) patching
The local area network (LAN) switches are not connected to
uninterruptible power supply (UPS) units. (VoIP telephone systems use
standard network cabling, and typically, each telephone gets power over
the network cable (POE) from the wiring closet where the network switch
is installed. Suppose the LAN switches do not have backup power. In
that case, the phones will lose power if there is a utility interruption, and
they cannot make emergency calls. B is wrong because while improper
cabling can create reliability issues, the more critical issue in this case
would be the lack of power protection. C is wrong because an advantage
of VoIP telephone systems is that they use the same cable types and
even network switches as standard PC network connections. Therefore,
this would not be a concern. D is wrong because this would not be a
significant risk if the power and telephone equipment were separated.)
An IS auditor performing an audit of the newly installed Voice-over
Internet Protocol(VoIP) system was inspecting the wiring closets on each
floor of a building. What would be the GREATEST concern?
A. The local area network (LAN) switches are not connected to
uninterruptible power supply (UPS) units.
B. Network cabling is disorganized and not properly labeled.
C. The telephones are using the same cable used for LAN connections.
D. The wiring closet also contains power lines and breaker panels.
user accountability may not be established. (The use of a user ID by
more than one individual precludes knowing who used that ID to access
a system; therefore, it is impossible to hold anyone accountable. A is
wrong because the ability of unauthorized users to use a shared ID is
more likely than an individual ID—but the misuse of another person's ID
is always a risk. B is wrong because sharing IDs would not pose an
increased risk due to the work effort required to manage access. C is
wrong because shared user IDs do not necessarily have easily guessed
passwords.)
During a logical access controls review, an IS auditor observes that user
accounts are shared. The GREATEST risk resulting from this situation is
that:
A. an unauthorized user may use the ID to gain access.
B. user access management is time consuming.
C. passwords are easily guessed.
D. user accountability may not be established.
Ethernet switches are not protected by uninterrupted power supply
(UPS) units. (VoIP telephone systems use a company's LAN
infrastructure for communication, typically using Ethernet connectivity to
connect individual phones to the system. Most companies have a
backup power supply for the main servers and systems but usually do
not have UPS units for LAN switches. A is wrong because VoIP
telephone systems use the LAN infrastructure for communication, which
can save on wiring costs and simplify installation and support of the
telephone system. C is wrong because VoIP devices generally do not
encrypt the local network's voice traffic and typically connect to a
telephone company voice circuit. D is wrong because the personnel
supporting and maintaining that infrastructure are now responsible for
the data and voice network by default.)
An IS auditor is reviewing the network infrastructure of a call center and
determines that the internal telephone system is based on Voice-over
Internet Protocol (VoIP) technology. Which of the following is the
GREATEST concern?
A. Voice communication uses the same equipment that is used for data
communication.
B. Ethernet switches are not protected by uninterrupted power supply
(UPS) units.
C. Voice communication is not encrypted on the local network.
D. The team that supports the data network also is responsible for the
telephone system.
System patches are not applied. (Web servers should have up-to-date
patches because they are accessible to the Internet and are prone to
attack. B is wrong because it is not typically required that the web server
be accessed by a virtual private network (VPN). After all, the web server
contains public information. C is wrong because while logging is
important, the lack of system patching is a more significant issue. D is
wrong because network address translation does not impact server
security and, therefore, is not a concern.)
An IS auditor is reviewing a corporate web server. Which of the following
should be of MOST concern to the IS auditor?
A. System patches are not applied.
B. The server is not accessed through a virtual private network (VPN).
C. Server logs are not being captured.
D. The network address translation is not enabled.
the blocking of critical systems or services due to false triggers. (An IPS
prevents a connection or service based on how it is programmed to react
to specific incidents. If the IPS is triggered based on incorrectly defined
or nonstandard behavior, it may block the service or connection of a
critical internal system. A is wrong because several false positives may
cause excessive administrator workload, but this is a relatively minor
risk. B is wrong because the intrusion prevention system (IPS) will not
generate any traffic that would impact network performance. D is wrong
because configuring an IPS can take months of learning what is and is
unacceptable behavior, but this does not require specialized expertise.)
The GREATEST risk from an improperly implemented intrusion
prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify.
B. decreased network performance due to IPS traffic.
C. the blocking of critical systems or services due to false triggers.
D. reliance on specialized expertise within the IT organization.
Two-factor authentication (Two-factor authentication requires two
independent methods for establishing identity and privileges. Factors
include something you know, such as a password; something you have,
such as a token; and something you are, which is biometric. Requiring
two of these factors makes identity theft more difficult. A is wrong
because a password alone is only single-factor authentication and could
be guessed or broken. B is wrong because restricting the user to a
specific terminal is not a practical alternative for an online application
because the users may need to log in from multiple devices. D is wrong
because periodic review of access logs is a detective control and does
not protect against identity theft.)
In an online banking application, which of the following would BEST
protect against identity theft?
A. Encryption of personal password
B. Restricting the user to a specific terminal
C. Two-factor authentication
D. Periodic review of access logs
Confirm the current version of the virus signature file with the vendor.
(The IS auditor can use externally provided information to confirm that
the most recent vendor-provided virus signature file has been
automatically updated in the scanner. B is wrong because reviewing the
log files and confirming that the virus signature file was updated only
suggests that an update was performed, but not that this is the latest
version. The latest version of the virus signature file should be installed
in real-time. C is wrong because confirmation is requested from the
security administrator about the most recent update to the virus
signature file, and the information is provided internally by the security
administrator. It is not as reliable as that from an external source. D is
wrong because inspection only indicates that the control has been
implemented and is not necessarily operating effectively.)
The IS auditor has been informed by the security administrator that the
virus scanner is updated in real time. The IS auditor confirms that the
virus scanner has been configured to update automatically. What is the
NEXT step for the IS auditor to confirm that the control is effective?
A. Confirm the current version of the virus signature file with the vendor.
B. Review the log files, and confirm that the virus signature file was
updated.
C. Request a confirmation from the security administrator about the most
recent update to the virus signature file.
D. The IS auditor's work is adequate, and no further work is required.
participating applications will have bandwidth guaranteed. (The main
function of QoS is to optimize network performance by assigning priority
to business applications and end users through the allocation of
dedicated parts of the bandwidth to specific traffic. A is wrong because
QoS will not guarantee that the communication itself will be improved.
While the speed of data exchange for specific applications could be
faster, availability will not be improved. B is wrong because the QoS
tools that many carriers use do not provide service-level reports;
however, other tools will generate service-level reports. D is wrong
because even when QoS is integrated with firewalls, virtual private
networks (VPNs), encryption tools, and others, the tool itself is not
intended to provide security controls.)
A benefit of quality of service (QoS) is that the:
A. entire network's availability and performance will be significantly
improved.
B. telecom carrier will provide the company with accurate service-level
compliance reports.
C. participating applications will have bandwidth guaranteed.
D. communications link will be supported by security controls to perform
secure online transactions.
Access to a network port is not restricted. (Given physical access to a
port, anyone can connect to the internal network. This would allow
individuals who were not authorized to be on the corporate network to
connect. A is wrong because DHCP provides laptop users convenience
(an advantage). B is wrong because the existence of a firewall can be a
security measure. C is wrong because a limited number of IP addresses
can be addressed through network address translation (NAT).)
A company is implementing a Dynamic Host Configuration Protocol
(DHCP). Given that the following conditions exist, which represents the
GREATEST concern?
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP address space is smaller than the number of PCs.
D. Access to a network port is not restricted.
The certificate revocation list (CRL) is not current. (If the certificate
revocation list (CRL) is not current, there could be a digital certificate that
is not revoked and could be used for unauthorized or fraudulent
activities. A is wrong because the certificate authority (CA) can assume
responsibility without registration authority (RA). C is wrong because
digital certificates contain a public key to encrypt messages and verify
digital signatures; therefore, this is not a risk. D is wrong because
subscribers reporting key compromises to the CA is not a risk. After all,
reporting this to the CA enables the CA to take appropriate action.)
When reviewing a digital certificate verification process, which of the
following findings represents the MOST significant risk?
A. There is no registration authority (RA) for reporting key compromises.
B. The certificate revocation list (CRL) is not current.
C. Digital certificates contain a public key that is used to encrypt
messages and verify digital signatures.
D. Subscribers report key compromises to the certificate authority (CA).
Financial impact per security incident (The most important indicator is
the financial impact. The team should be able to limit the cost of
incidents through effective prevention, detection, and response to
incidents. B is wrong because patching security vulnerabilities is
important but not a direct responsibility of the computer security incident
response team (CSIRT). C is wrong because the CSIRT is not
responsible for the protection of systems. That is the responsibility of the
security team. D is wrong because the number of penetration tests
measures the effectiveness of the security team and the patch
management process but not the effectiveness of the CSIRT.)
Which of the following would be an indicator of the effectiveness of a
computer security incident response team (CSIRT)?
A. Financial impact per security incident
B. Number of security vulnerabilities that were patched
C. Percentage of business applications that are being protected
D. Number of successful penetration tests
Damage of wires around computers and servers (The primary reason for
having a raised floor is to enable ventilation systems, power cables, and
data cables to be installed underneath the floor. This eliminates the
safety and damage risk posed when cables are placed in a spaghetti-like
fashion on an open floor. B is wrong because static electricity should be
avoided in the machine room; therefore, specially manufactured carpet
or shoes would be more appropriate for static prevention than a raised
floor. C is wrong because raised floors do not address shocks from
earthquakes. Anti-seismic architecture would be required to establish a
quake-resistant structural framework to address earthquakes. D is wrong
because computer equipment needs to be protected against water.
However, a raised floor would not prevent damage to the machines in
the event of overhead water pipe leakage.)
Which of the following would be BEST prevented by a raised floor in the
computer machine room?
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes
D. Water flood damage
Firewalls (Firewall systems are the primary tool enabling an organization
to prevent unauthorized network access. An organization may choose to
deploy one or more systems that function as firewalls. B is wrong
because routers can filter packets based on parameters, such as source
address, but are not primarily a security tool. C is wrong because based
on Media Access Control (MAC) addresses, layer 2 switches separate
traffic without determining whether it is authorized or unauthorized. D is
wrong because a virtual local area network (VLAN) is a functionality of
some switches that allows them to control traffic between different ports
even though they are in the same physical local access network (LAN).
Nevertheless, they do not effectively deal with authorized versus
unauthorized traffic.)
Which of the following network components is PRIMARILY set up to
serve as a security measure by preventing unauthorized traffic between
different segments of the network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. Virtual local area networks (VLANs)
Logs are collected but not analyzed. (One of the most common problems
with audit logs is that they are collected but not analyzed. In most
circumstances, audit logs are reviewed only in the case of an incident,
error, or exception. A is wrong because logs can be accessed and
reviewed by authorized personnel with minimal training; however, in
most cases, no one reviews the logs regularly. B is wrong because log
analysis tools range from simple filters to complex security event and
incident management (SEIM) systems. C is wrong because logs are
rarely backed up and may be subject to alteration by administrators.)
Which of the following is the MOST common concern for an IS auditor
regarding audit logs?
A. Logs can be examined only by system administrators.
B. Logs require special tools for collection and review.
C. Logs are typically not backed up regularly.
D. Logs are collected but not analyzed.
integrity and nonrepudiation. (A digital signature is created by signing a
message hash with the sender's private key. This provides for the
message's integrity (through the hash) and proof of origin
(nonrepudiation). All other options are wrong because a digital signature
does not encrypt the message so it cannot provide confidentiality and
security.)
Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity.
B. security and nonrepudiation.
C. integrity and nonrepudiation.
D. confidentiality and nonrepudiation.
Switches (Switches are at a low level of network security and transmit a
packet to the device to which it is addressed. This reduces the ability of
one device to capture the packets meant for another device. A is wrong
because hubs will broadcast all data to all network ports. C is wrong
because routers allow packets to be given or denied access based on
the sender and receiver addresses and the packet type. D is wrong
because firewalls are a collection of computer and network equipment
that allows communications to flow out of the organization and restricts
communications from flowing into the organization.)
Which of the following BEST reduces the ability of one device to capture
the packets that are meant for another device?
A. Hubs
B. Switches
C. Routers
D. Firewalls
symmetric encryption. (Secure Sockets Layer (SSL) uses a symmetric
key for message encryption. B is wrong because a message
authentication code (MAC) is used to ensure data integrity. C is wrong
because the hash function generates a message digest that can provide
message integrity; it is not used for message encryption. D is wrong
because SSL uses digital signature certificates for server
authentication.)
The Secure Sockets Layer (SSL) protocol addresses the confidentiality
of a message through:
A. symmetric encryption.
B. message authentication code (MAC).
C. hash function.
D. digital signature certificates.
resolution service for the name/address. (DNS is utilized primarily on the
Internet to resolve the name/address of the website. It is an Internet
service that translates domain names into IP addresses. Because
names are alphabetic, they are easier to remember. However, the
Internet is based on IP addresses. A DNS service must translate the
name into the corresponding IP address whenever a domain name is
used. A is wrong because the DNS enables users to access the Internet
using URLs based on words instead of needing to know the IP
addresses of a website. C is wrong because the DNS is a translation or
cross-reference tool; it does not provide the IP addresses for the
Internet. D is wrong because the DNS within an organization is part of
the global Domain Name System.)
In a client-server architecture, a domain name service (DNS) is MOST
important because it provides the:
A. address of the domain server.
B. resolution service for the name/address.
C. IP addresses for the Internet.
D. domain name system.
firewall and the organization's network. (Attack attempts that the firewall
could not recognize will be detected if a network-based intrusion
detection system (IDS) is placed between the firewall and the
organization's network. B is wrong because a network-based IDS
between the Internet and the firewall will detect attack attempts, whether
the firewall notices them or not. C is wrong because placing an IDS
outside the web server will identify attacks directed at the web server but
will not detect attacks missed by the firewall. D is wrong because placing
the IDS after the web server would identify attacks that have made it
past the web server but will not indicate whether the firewall would have
been able to detect the attacks.)
To detect attack attempts that the firewall is unable to recognize, an IS
auditor should recommend placing a network intrusion detection system
between the:
A. firewall and the organization's network.
B. Internet and the firewall.
C. Internet and the web server.
D. web server and the firewall.

Sensor (Sensors are responsible for collecting data. Sensors may be

attached to a network, server, or other location and may gather data
from many points for later analysis. A is wrong because analyzers
receive input from sensors and determine the presence and type of
intrusive activity. B is wrong because an administration console is the
management interface component of an intrusion detection system
(IDS). C is wrong because a user interface allows the administrators to
interact with the IDS.)
Which of the following components is responsible for the collection of
data in an intrusion detection system (IDS)?
A. Analyzer
B. Administration console
C. User interface
D. Sensor
the source of the executable file is certain. (Acceptance of these
mechanisms should be based on established trust. The control is
provided by only knowing the source and then allowing the acceptance
of the applets. Hostile applets can be received from anywhere. A is
wrong because there should always be a firewall on an Internet
connection; however, whether to allow active models depends on the
module's source. B is wrong because a secure web connection provides
confidentiality. Neither a secure web connection nor a firewall can
identify an executable file as friendly. D is wrong because hosting the
web site as part of the organization is impractical. The client will accept
the program if the parameters are established to do so.)
Java applets and Active X controls are distributed executable programs
that execute in the background of a web browser client. This practice is
considered reasonable when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable file is certain.
D. the host web site is part of the organization.
Malicious code attacks (Malicious code, including brute force, password
cracking, and Trojans, commonly attempt to log on to administrator
accounts. A is wrong because a synchronize (SYN) attack is a denial-of-
service (DoS) attack on a particular network service and does not
attempt to log on to administrator accounts. C is wrong because a buffer
overflow attack attacks application coding errors but will not directly
result in multiple logon failures.)
Event log entries related to failed local administrator logon attempts are
observed by the IS auditor. Which of the following is the MOST likely
cause of multiple failed login attempts?
A. Synchronize (SYN) flood attacks
B. Social engineering
C. Buffer overflow attacks
D. Malicious code attacks
not report this issue because discretionary access controls (DACs) are in
place. (DAC allows data owners to modify access, a normal procedure
and characteristic of DAC. A is wrong because it is more appropriate for
data owners to have discretionary access controls (DAC) in a low-risk
application. B is wrong because the use of DAC may not be an
exception and, until confirmed, should not be reported as an issue. C is
wrong because while an IS auditor may consult with data owners
regarding whether this access is allowed normally, the IS auditor should
not rely on the auditee to determine whether this is an issue.)
An IS auditor is reviewing access controls for a manufacturing
organization. During the review, the IS auditor discovers that data
owners have the ability to change access controls for a low-risk
application. The BEST course of action for the IS auditor is to:
A. recommend that mandatory access control (MAC) be implemented.
B. report this as an issue.
C. report this issue to the data owners to determine whether it is an
exception.
D. not report this issue because discretionary access controls (DACs)
are in place.
Honeypot (The design of a honeypot is such that it lures the hacker and
provides clues as to the hacker's methods and strategies and the
resources required to address such attacks. A honeypot allows the
attack to continue to obtain information about the hacker's strategy and
methods. A is wrong because a bastion host is a hardened system used
to host services. It does not provide information about an attack. B is
wrong because intrusion detection systems (IDSs) are designed to
detect and address an attack in progress and stop it as soon as
possible. D is wrong because intrusion prevention systems are designed
to detect and address an attack in progress and stop it as soon as
possible.)
Which of the following provides the MOST relevant information for
proactively strengthening security settings?
A. Bastion host
B. Intrusion detection system (IDS)
C. Honeypot
D. Intrusion prevention system
the key used to encrypt is public, but the key used to decrypt the data is
private.
When using public key encryption to secure data being transmitted
across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the
data is public.
C. the key used to encrypt is public, but the key used to decrypt the data
is private.
D. both the key used to encrypt and decrypt the data are private.
be used to gain access to systems containing proprietary information.
(Password sniffing attacks can be used to access systems where
proprietary information is stored. A is wrong because spoofing attacks
can be used to enable one party to act as if they are another party. B is
wrong because data modification attacks can be used to modify the
contents of certain transactions. D is wrong because repudiation of
transactions can cause major problems with billing systems and
transaction processing agreements.)
An Internet-based attack using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction
processing agreements.
preservation. (Preservation and documentation of evidence for review by
law enforcement and judicial authorities are of primary concern when
conducting an investigation. Failure to properly preserve the evidence
could jeopardize the admissibility of the evidence in legal proceedings. A
is wrong because analysis is important but not the primary concern
related to evidence in a forensic investigation. B is wrong because
evaluation is important but not the primary concern related to evidence in
a forensic investigation. D is wrong because disclosure is important but
not of primary concern to the IS auditor in a forensic investigation.)
When performing a computer forensic investigation, in regard to the
evidence gathered, an IS auditor should be MOST concerned with:
A. analysis.
B. evaluation.
C. preservation.
D. disclosure.
stress the importance of having a system control framework in place.
(Experience has demonstrated that reliance purely on preventive
controls is dangerous. Preventive controls may not be as strong as
anticipated, or their effectiveness can deteriorate over time. In this
situation, the IS auditor needs to be proactive. The IS auditor must point
out control weaknesses that give rise to unacceptable risks to the
organization and work with management to have these corrected. A is
wrong because reviewing the system access controls is important, but
system access controls are preventive and will not detect misconduct by
staff. B is wrong because an auditor should only accept management's
statement after validating the controls and explaining the associated risk.
D is wrong because reviewing background checks on accounts payable
staff does not provide evidence that fraud will not occur.)
An IS auditor reviewing an accounts payable system discovers that audit
logs are not being reviewed. When this issue is raised with management
the response is that additional controls are not necessary because
effective system access controls are in place. The BEST response the
auditor can make is to:
A. review the integrity of system access controls.
B. accept management's statement that effective access controls are in
place.
C. stress the importance of having a system control framework in place.
D. review the background checks of the accounts payable staff.
validity of data transfer. (The accuracy of blocks of data transfers, such
as data transfer from hard disks, is validated by a CRC. A is wrong
because accuracy of data input can be enforced by data validation
controls such as picklists, cross checks, reasonableness checks, control
totals, allowed character checks and others. B is wrong because a
checksum or digital signature is commonly used to validate the integrity
of a downloaded program or other transferred data. C is wrong because
encryption adequacy is driven by the sensitivity of the data to be
protected and algorithms that determine how long it would take to break
a specific encryption method.)
A cyclic redundancy check (CRC) is commonly used to determine the:
A. accuracy of data input.
B. integrity of a downloaded program.
C. adequacy of encryption.
D. validity of data transfer.
Unauthorized network activities (Unauthorized network activities—such
as employee use of file or music sharing sites, online gambling, or
personal email containing large files or photos—could contribute to
network performance issues. Because the IS auditor found the degraded
performance during business hours, this is the most likely cause. A is
wrong because malware on the organization's server could contribute to
network performance issues, but the degraded performance would not
likely be restricted to business hours. B is wrong because firewall
misconfiguration could contribute to network performance issues, but the
degraded performance would not likely be restricted to business hours.
C is wrong because spam on the organization's email server could
contribute to network performance issues, but the degraded
performance would not likely be restricted to business hours.)
An IS auditor is evaluating network performance for an organization that
is considering increasing its Internet bandwidth due to a performance
degradation during business hours. Which of the following is MOST
likely the cause of the performance degradation?
A. Malware on servers
B. Firewall misconfiguration
C. Increased spam received by the email server
D. Unauthorized network activities
Nonrepudiation (Nonrepudiation, achieved through digital signatures,
prevents the senders from denying that they generated and sent the
message later. B is wrong because encryption may protect the data
transmitted over the Internet but not prove that the transactions were
made. C is wrong because authentication is necessary to establish the
identification of all parties to a communication. D is wrong because
integrity ensures that transactions are accurate, but does not provide the
identification of the customer)
In a public key infrastructure (PKI), which of the following may be relied
upon to prove that an online transaction was authorized by a specific
customer?
A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
Honeypots (Honeypots are computer systems that are expressly set up
to attract and trap individuals who attempt to penetrate other individuals'
computer systems. The concept of a honeypot is to learn from an
intruder's actions. A properly designed and configured honeypot provides
data on methods used to attack systems. The data are then used to
improve measures that could curb future attacks. B is wrong because a
firewall is a preventive measure. C is wrong because trapdoors create a
vulnerability that provides an opportunity for the insertion of unauthorized
code into a system. D is wrong because traffic analysis is a passive
attack based on capturing network traffic.)
Which of the following acts as a decoy to detect active Internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
sender's private key and encrypting the message using the receiver's
public key.
Email message authenticity and confidentiality is BEST achieved by
signing the message using the:
A. sender's private key and encrypting the message using the receiver's
public key.
B. sender's public key and encrypting the message using the receiver's
private key.
C. receiver's private key and encrypting the message using the sender's
public key.
D. receiver's public key and encrypting the message using the sender's
private key
Certification practice statement (CPS) (The certification practice
statement (CPS) is the how-to document used in policy-based public key
infrastructure (PKI). A is wrong because the certificate revocation list
(CRL) lists certificates revoked before their scheduled expiration date. C
is wrong because the certificate policy (CP) sets the requirements that
the CPS subsequently implements. D is wrong because the PKI
disclosure statement (PDS) covers critical items such as the warranties,
limitations, and obligations that legally bind each party.)
Which of the following public key infrastructure (PKI) elements provides
detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)
Traffic analysis (The intruder determines the nature of the flow of traffic
(traffic analysis) between defined hosts and can guess the type of
communication taking place. A is wrong because message modification
involves capturing a message and making unauthorized changes or
deletions, changing the sequence, or delaying the transmission of
captured messages. An attack that modifies the data would be active. B
is wrong because masquerading is an active attack in which the intruder
presents an identity other than the original identity. C is wrong because
denial-of-service (DoS) occurs when a computer connected to the
Internet is flooded with data and/or requests that must be processed.
This is an active attack.)
Which of the following is a passive attack to a network?
A. Message modification
B. Masquerading
C. Denial-of-service (DoS)
D. Traffic analysis
Chain of custody of electronic evidence (Preserving evidence is the most
important consideration regarding security incident management. If data
and evidence are not collected properly, valuable information could be
lost and not admissible in a court of law should the company decide to
pursue litigation. B is wrong because system breach notification is an
important aspect and, in many cases, may even be required by laws and
regulations; however, the security incident may not be a breach, and the
notification procedure might not apply. C is wrong because escalation
procedures to external agencies are essential. Without a proper chain of
custody, vital evidence may be lost and not admissible in a court of law if
the company pursues litigation. D is wrong because while having
procedures to recover lost data is essential, it is critical to ensure that
evidence is protected to ensure follow-up and investigation.)
An IS auditor is reviewing security incident management procedures for
the company. Which of the following choices is the MOST important
consideration?
A. Chain of custody of electronic evidence
B. System breach notification procedures
C. Escalation procedures to external agencies
D. Procedures to recover lost data
Audit trails (Audit trails capture which user, at what time, and date, along
with other details, has performed the transaction, which helps establish
accountability among application users. A is wrong because two-factor
authentication would enhance security while logging into the human
resource management system (HRMS) application; however, it will not
establish accountability for actions taken after login. B is wrong because
a digital certificate will also enhance login security to authenticate users
who are logging into the application conclusively. However, it will not
establish accountability because user ID and transaction details will not
be captured without an audit trail. D is wrong because single sign-on
authentication allows users to log in seamlessly to the application, thus
easing the authentication process. However, this would also not
establish accountability.)
Which of the following choices is the MOST effective control that should
be implemented to ensure accountability for application users accessing
sensitive data in the human resource management system (HRMS) and
among interfacing applications to the HRMS?
A. Two-factor authentication
B. A digital certificate
C. Audit trails
D. Single sign-on authentication
Malicious code could be spread across the network.
What is the MOST prevalent security risk when an organization
implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network.
B. The VPN logon could be spoofed.
C. Traffic could be sniffed and decrypted.
D. The VPN gateway could be compromised.
Steganography (Steganography is a technique for concealing the
existence of messages or information. An increasingly important
steganographic technique is digital watermarking, which hides data
within data (e.g., by encoding rights information in a picture or music file
without altering the picture or music's perceivable aesthetic qualities). A
is wrong because digitalized signatures are the scans of a signature (not
the same as a digital signature) and not related to digital rights
management. B is wrong because hashing creates a message hash or
digest, which is used to ensure the integrity of the message; it is usually
considered a part of cryptography. C is wrong because parsing is
splitting up a continuous stream of characters for analytical purposes
and is widely applied in the design of programming languages or data
entry editing.)
An IS auditor reviewing digital rights management (DRM) applications
should expect to find an extensive use for which of the following
technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
Use of a point-to-point leased line (A leased line will effectively extend
the LAN of the headquarters to the remote site, and the mainframe
Telnet connection would travel over the private line, which would be less
of a security risk when using an insecure protocol such as Telnet. B is
wrong because a firewall rule at the headquarters network only allows
Telnet connections from the IP address assigned to the remote site,
which would make the connection more secure; however, there is the
possibility that an attacker could spoof the source address. C is wrong
because while two-factor authentication would enhance login security, it
would not secure the transmission channel against eavesdropping. D is
wrong because attacks on network services start assuming that network
services use the standard (TCP)/IP port number assigned for the
service, port 23 for Telnet.)
An IS auditor is reviewing a manufacturing company and finds that
mainframe users at a remote site connect to the mainframe at
headquarters over the Internet via Telnet. Which of the following is the
BEST recommendation to ensure proper security controls?
A. Use of a point-to-point leased line
B. Use of a firewall rule to allow only the Internet protocol (IP) address of
the remote site
C. Use of two-factor authentication
D. Use of a nonstandard port for Telnet
establishing a link between the requesting entity and its public key
A certificate authority (CA) can delegate the processes of:
A: revocation and suspension of a subscriber's certificate
B: generation and distribution of the CA public key
C: establishing a link between the requesting entity and its public key
D: issuing and distributing subscriber certificates
Data transmitted between the biometric scanners and the access control
system do not use a securely encrypted tunnel.
An IS auditor is assessing a biometric system used to protect physical
access to a data center containing regulated data. Which of the following
observations is the GREATEST concern to the auditor?
A. Administrative access to the biometric scanners or the access control
system is permitted over a virtual private network (VPN).
B. Biometric scanners are not installed in restricted areas.
C. Data transmitted between the biometric scanners and the access
control system do not use a securely encrypted tunnel.
D. Biometric system risk analysis was last conducted three years ago.
Digitally signing the transaction with the source's private key (A digital
signature is an electronic identification of a person, created by using a
public key algorithm, to verify the identity of the source of a transaction
and the integrity of its content to a recipient. A is wrong because they are
a "shared secret" between the user and the system itself. Passwords are
considered a weaker means of authentication. B is wrong because
encrypting the transaction with the recipient's public key will provide
confidentiality for the information but will not verify the source. C is
wrong because using a PDF will protect the integrity of the content but
not necessarily authorship.)
Which of the following would effectively verify the originator of a
transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver's public key
C. Using a portable document format (PDF) to encapsulate transaction
content
D. Digitally signing the transaction with the source's private key
The hash code is encrypted using the sender's private key. (Encrypting
the hash code using the sender's private key provides assurance of the
authenticity of the message and prevents anyone from being able to
alter the hash code. A is wrong because the hash proves integrity, but it
can be altered in transit unless it is protected by signing it with a private
key. C is wrong because encrypting the hash and the message will
provide confidentiality and protect the hash from alteration. However, it
will not provide proof of origin or authenticity of the sender because both
the sender and receiver share the secret key. D is wrong because if a
sender uses the receiver's public key, that will provide confidentiality, but
it will not ensure the sender's authenticity.)
Which of the following provides the GREATEST assurance of message
authenticity?
A. The hash code is derived mathematically from the message being
sent.
B. The hash code is encrypted using the sender's private key.
C. The hash code and the message are encrypted using the secret key.
D. The sender attains the recipient's public key and verifies the
authenticity of its digital certificate with a certificate authority.
Bayesian (statistical) (Bayesian filtering applies statistical modeling to
messages by performing a frequency analysis on each word within the
message and then evaluating the message as a whole. Therefore, it can
ignore a suspicious keyword if the message is within normal bounds. A is
wrong because heuristic filtering is less effective. After all, new exception
rules may need to be defined when a valid message is labeled as spam.
B is wrong because signature-based filtering is useless against variable-
length messages because the calculated message-digest algorithm 5
(MD5) hash constantly changes. C is wrong because pattern matching is
actually a degraded rule-based technique where the rules operate at the
word level using wildcards and not at higher levels.)
Which of the following antispam filtering techniques would BEST prevent
a valid, variable-length email message containing a heavily-weighted
spam keyword from being labeled as spam?
A. Heuristic (rule-based)
B. Signature-based
C. Pattern matching
D. Bayesian (statistical)
Elliptical curve cryptography (ECC) (Elliptical curve cryptography (ECC)
requires limited bandwidth resources and is suitable for encrypting
mobile devices. B is wrong because the data encryption standard (DES)
uses less processing power when compared with the advanced
encryption standard (AES), but ECC is more suitable for encrypting data
on mobile devices. C is wrong because AES is a symmetric algorithm
with key management and distribution problems. ECC is an asymmetric
algorithm and is better suited for a mobile environment. D is wrong
because using the Blowfish algorithm consumes too much processing
power.)
Which of the following BEST encrypts data on mobile devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm
Periodic checking of hard drives (The periodic checking of hard drives
would be the most effective method of identifying illegal software
packages loaded onto the network. A is wrong because diskless
workstations act as a preventive control and are ineffective in preventing
users from accessing illegal software over the network. C is wrong
because antivirus software will not necessarily identify illegal software
unless the software contains a virus. D is wrong because policies are a
preventive control to lay out the software's loading rules, but will not
detect the actual occurrence.)
Which of the following procedures would MOST effectively detect the
loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D. Policies that result in instant dismissal if violated
Secure Sockets Layer (This is used for many e-commerce applications
to set up a secure communication channel, providing confidentiality
through a combination of public and symmetric key encryption and
integrity through hash message authentication code. B is wrong because
this will log network activity but is not used to protect Internet traffic. C is
wrong because this is used in conjunction with SSL or for securing
communications such as e-commerce and email. D is wrong because
this is a generic term for a communications tunnel that can provide
confidentiality, integrity, and authentication (reliability). A VPN can
operate at different levels of the Open Systems Interconnection stack
and may not always be used in conjunction with encryption. SSL can be
called a type of VPN.)
Which of the following would be the BEST overall control for an Internet
business looking for confidentiality, reliability and integrity of data?
A. Secure Sockets Layer
B. Intrusion detection system
C. Public key infrastructure
D. Virtual private network
The data owner formally authorizes access and an administrator
implements the user authorization tables. (The data owner holds the
privilege and responsibility for formally establishing the access rights. An
IS administrator should then implement or update user authorization
tables at the direction of the owner. B is wrong because the owner sets
the rules and conditions for access. It is best to obtain approval before
implementing the tables. C is wrong because the data owner may
consult with the IS manager to set out access control rules, but the
responsibility for appropriate access remains with the data owner. The IT
department should set up the access control tables at the direction of the
owner. D is wrong because the data owner would not usually manage
updates to the authorization tables.)
Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator
implements the user authorization tables.
B. Authorized staff implements the user authorization tables and the data
owner approves them.
C. The data owner and an IS manager jointly create and update the user
authorization tables.
D. The data owner creates and updates the user authorization tables.
mandate a strong password policy. (Strong passwords are important in
any environment but take on special importance in an SSO environment,
where a user enters a password only once and has general access
throughout the environment. Of the options given, only a strong
password policy offers broad preventative effects. A is wrong because
ensuring that all failed authentication attempts are monitored is a good
practice but is not a preventive control. B is wrong because this can
increase the probability of detecting unauthorized access but will not
prevent unauthorized access. C is wrong because ensuring that all
unused accounts are deactivated is important; however, unauthorized
access may occur via a regularly used account.)
There is a concern that the risk of unauthorized access may increase
after implementing a single sign-on process. To prevent unauthorized
access, the MOST important action is to:
A. monitor failed authentication attempts.
B. review log files regularly.
C. deactivate unused accounts promptly.
D. mandate a strong password policy.
Database initialization parameters are appropriate. (When a database is
opened, many configuration options are governed by initialization
parameters. The system initialization parameters address many "global"
database settings, including authentication, remote access, and other
critical security areas. The IS auditor must examine the database
initialization parameters to audit a database implementation effectively. A
is wrong because database administrators would have access to all data
on the server, but there is no practical control to prevent that; therefore,
this would not be a concern. B is wrong because database audit logs
typically would not contain any confidential data; thus, encrypting the log
files is not required. C is necessary because if a stored procedure
contains a security-sensitive function, such as encrypting data, it can be
necessary to encrypt the stored procedure.)
The IS auditor is reviewing an organization's human resources (HR)
database implementation. The IS auditor discovers that the database
servers are clustered for high availability, all default database accounts
have been removed and database audit logs are kept and reviewed on a
weekly basis. What other area should the IS auditor check to ensure that
the databases are appropriately secured?
A. Database administrators are restricted from access to HR data.
B. Database logs are encrypted.
C. Database stored procedures are encrypted.
D. Database initialization parameters are appropriate.
topology diagrams. (The first step in assessing network monitoring
controls should be the review of the existence, completeness, accuracy,
and adequacy of network documentation, specifically topology diagrams.
If this information is not current, then monitoring processes and the
ability to diagnose problems will not be effective. B is wrong because the
first step must be to review the network layout, not network usage, such
as bandwidth. C is wrong because the first step in a network audit would
be to gather network data but not to analyze it. D is wrong because the
second step in the network audit would be to determine any potential
problems in the network layout, such as bottlenecks, inadequate
separation, bypassing of controls, etc.)
When assessing the design of network monitoring controls, an IS auditor
should FIRST review network:
A. topology diagrams.
B. bandwidth usage.
C. traffic analysis reports.
D. bottleneck locations.
Stop the service until an appropriate security fix is installed. (Stopping
the service and installing the security fix is the safest way to prevent the
worm from spreading. A is wrong because installing the fix is not the
most effective method if the service is not stopped due to the worm
continually spreading until the fix becomes effective. B is wrong because
blocking the perimeter protocol does not prevent the worm from
spreading if it is introduced to the internal network(s) via a USB or other
portable media. C is wrong because blocking the protocol helps slow the
spread and prohibits any software that utilizes it from working between
segments.)
Which of the following is the MOST effective method for dealing with the
spread of a network worm that exploits vulnerability in a protocol?
A. Install the vendor's security fix for the vulnerability.
B. Block the protocol traffic in the perimeter firewall.
C. Block the protocol traffic between internal network segments.
D. Stop the service until an appropriate security fix is installed.
Classification and categories of data process by the application. (Types
of data and their sensitivity are a primary consideration, as there might
be legal obligations related to data hosting and its level of protection
(e.g., personal information, banking information, health information, etc.).
B is wrong because the cost is an important factor for an organization to
consider when moving to the cloud. However, the highest risk is violating
data privacy laws. C is wrong because this is an important factor for an
organization to consider when moving to the cloud. However, the highest
risk is to violate data privacy laws. D is wrong because this is an
important factor for an organization to consider when moving to the
cloud. However, the highest risk is to violate data privacy laws.)
Which of the following is the MOST important security consideration to
an organization that wants to move a business application to external
cloud service (PaaS) provided by a vendor?
A. Classification and categories of data process by the application.
B. Cost of hosting the application internally versus externally.
C. A reputation of a vendor on the market and feedbacks from clients.
D. Drop of application performance due to use of shared services.
Advanced encryption standard (AES) (Advanced encryption standard
(AES) is a secure encryption algorithm that is appropriate for encrypting
passwords. A is wrong because while hashing functions are used to
protect passwords, hashing is not encryption. C is wrong because
Secure Shell (SSH) can only be used to encrypt passwords that are
being transmitted. It cannot encrypt data at rest. D is wrong because
Triple Data Encryption Standard (DES) is a valid encryption method;
however, AES is a stronger and more recent encryption algorithm.)
Which of the following provides the GREATEST assurance for database
password encryption?
A. Secure hash algorithm-256 (SHA-256)
B. Advanced encryption standard (AES)
C. Secure Shell (SSH)
D. Triple data encryption standard (DES)
User accounts are created with expiration dates and are based on
services provided. (The most effective control is to ensure that
temporary access is granted based on services to be provided and that
there is an expiration date associated with each unique ID. Using an
identity management system enforces temporary and permanent access
for users while ensuring proper accounting of their activities. A is wrong
because the SLA may have a provision for providing access, but this is
not a control; it would merely define the need for access. C is wrong
because vendors may require administrator access for a limited period
during service. D is wrong because deleting these user IDs after the
work is completed is necessary, but the deletion could be overlooked if
not automated. Access should only be granted at the required level of
work.)
Which of the following is the MOST effective control when granting
temporary access to vendors?
A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on
services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.
Wiring and schematic diagram
When planning an audit of a network setup, an IS auditor should give
HIGHEST priority to obtaining which of the following network
documentation?
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures
in employees' homes. (One risk of a VPN implementation is the chance
of allowing high-risk computers onto the enterprise's network. All
machines allowed onto the VPN should be subject to the same security
policy. Home computers are least subject to corporate security policies
and, therefore, are high-risk. A is wrong because security policies and
controls should be in place to detect and halt an outside attack that uses
an internal machine as a staging platform. B is wrong because
computers at the backup site are subject to the corporate security policy
and, therefore, are not high-risk computers. D is wrong because
computers on the network at the enterprise's remote offices, perhaps
with different IS and security employees who have different ideas about
security, are riskier than computers in the main office or backup site but
less risky than home computers.)
Which of the following would be of MOST concern to an IS auditor
reviewing a virtual private network implementation? Computers on the
network that are located:
A. on the enterprise's internal network.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices.
the photo frame could be infected with malware. (Any storage device can
be a vehicle for infecting other computers with malware. There are
several examples where it has been discovered that some devices are
infected in the factory during the manufacturing process, and controls
should exist to prohibit employees from connecting any storage media
devices to their company-issued PCs. A is wrong because although any
storage device could be used to steal data, the damage caused by
malware could be widespread and severe for the enterprise, which is the
more significant risk. B is wrong because although device drivers may be
incompatible and crash the user's PC, the damage caused by malware
could be widespread and severe for the enterprise. C is wrong because
although inappropriate content could result, the damage caused by
malware could be widespread and severe for the enterprise.)
An employee has received a digital photo frame as a gift and has
connected it to his/her work PC to transfer digital photos.
The PRIMARY risk that this scenario introduces is that:
A. the photo frame storage media could be used to steal corporate data.
B. the drivers for the photo frame may be incompatible and crash the
user's PC.
C. the employee may bring inappropriate photographs into the office.
D. the photo frame could be infected with malware.
Interview a sample of employees. (This is the best way to determine the
effectiveness of a security awareness and training program because
overall awareness must be determined, and effective security is
dependent on people. Reviewing the security training program would not
be the ultimate indicator of the effectiveness of the awareness training. A
is wrong because a security training program may be well designed, but
the program's results will be determined by employee awareness. B is
wrong because this would not show the effectiveness of a security
awareness and training program because such a program should target
more than just the administrator. D is wrong because this is not the best
way to determine the effectiveness of training awareness, and sending
reminders may result in little actual awareness.)
Which of the following is the BEST way for an IS auditor to determine
the effectiveness of a security awareness and training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.
can be detected and displayed. (Emissions can be detected and
displayed by sophisticated equipment, thus giving unauthorized persons
access to data. TEMPEST refers to the investigation and study of
compromising emanations of unintentional intelligence-bearing signals
that may reveal their contents if intercepted and analyzed. A is wrong
because while a strong magnetic field can erase certain storage media,
terminals are designed to limit these emissions; therefore, this is not
normally a concern. B is wrong because electromagnetic emissions
should not cause disruption of central processing units. C is wrong
because most electromagnetic emissions are low level and do not pose
a significant health risk.)
Electromagnetic emissions from a terminal represent a risk because
they:
A. could damage or erase nearby storage media.
B. can disrupt processor functions.
C. could have adverse health effects on personnel.
D. can be detected and displayed.
assure that the integrity of the evidence is maintained. (The IS auditor
has been requested to perform an investigation to capture evidence that
may be used for legal purposes; therefore, maintaining the integrity of
the evidence should be the foremost goal. Improperly handled computer
evidence is subject to being ruled inadmissible in a court of law. A is
wrong because although an IS auditor needs to be impartial, in this
case, it is more critical that the evidence be preserved. B is wrong
because although an IS auditor needs to maintain independence, it is
more critical that the evidence be preserved in this case. D is wrong
because while assessing all relevant evidence is important, it is more
important to maintain the chain of custody, which ensures the integrity of
evidence.)
An IS auditor has been asked by management to review a potentially
fraudulent transaction. The PRIMARY focus of an IS auditor while
evaluating the transaction should be to:
A. maintain impartiality while evaluating the transaction.
B. ensure that the independence of an IS auditor is maintained.
C. assure that the integrity of the evidence is maintained.
D. assess all relevant evidence for the transaction.
the IDS is used to detect encrypted traffic.
An IS auditor reviewing the implementation of an intrusion detection
system (IDS) should be MOST concerned if:
A .IDS sensors are placed outside of the firewall.
B. a behavior-based IDS is causing many false alarms.
C. a signature-based IDS is weak against new types of attacks.
D. the IDS is used to detect encrypted traffic.
Portability (When drawing up a contract with a cloud service provider, the
ideal practice is to remove the customer lock-in clause. It may be
important for the client to secure the portability of their system assets
(i.e., the right to transfer from one vendor to another). A is wrong
because removing the customer lock-in clause will not secure the
availability of the system's resources stored in a cloud computing
environment. C is wrong because agility refers to the efficiency of
solutions enabling organizations to respond to business needs faster.
This is a desirable quality of cloud computing. D is wrong because
scalability is the strength of cloud computing, which is the ability to adjust
service levels according to changing business circumstances. Therefore,
this is not the best option.)
An organization is reviewing its contract with a cloud computing provider.
For which of the following reasons would the organization want to
remove a lock-in clause from the contract?
A. Availability
B. Portability
C. Agility
D. Scalability
specifies the route that a packet should take through the network (the
source routing field is enabled). (Internet Protocol (IP) spoofing takes
advantage of the source-routing option in the IP. With this option
enabled, an attacker can insert a spoofed source IP address. The packet
will travel the network according to the information within the source-
routing field, bypassing the logic in each router, including dynamic and
static routing. B is wrong because if a packet has a broadcast
destination address, it is suspicious and, if allowed to pass, will be sent
to all addresses in the subnet. This is not related to IP spoofing. C is
wrong because turning on the reset flag is part of the normal procedure
to end a Transmission Control Protocol connection. D is wrong because
dynamic or static routing will not represent a spoofing attack.)
To prevent Internet Protocol (IP) spoofing attacks, a firewall should be
configured to drop a packet for which the sender of a packet:
A. specifies the route that a packet should take through the network (the
source routing field is enabled).
B. puts multiple destination hosts (the destination field has a broadcast
address in the destination field).
C. indicates that the computer should immediately stop using the TCP
connection (a reset flag is turned on).
D. allows use of dynamic routing instead of static routing (Open Shortest
Path First protocol is enabled).

aa