CISA All Difficulty Correct Protection of Information Assets Questions


The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: A. Connecting points are available in the facility to connect laptops to the network. B. Users take precautions to keep their passwords confidential. C. Terminals with password protection are located in insecure locations. D. Terminals are located within the facility in small clusters under the supervision of an administrator.

A. Connecting points are available in the facility to connect laptops to the network. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access.

With the help of a security officer, granting access to data is the responsibility of: A. Data owners. B. Programmers. C. System analysts. D. Librarians.

A. Data owners. These individuals are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).

The MOST serious challenge in the operation of an intrusion detection system is: A. Filtering false positive alerts. B. Learning vendor specific protocols. C. Updating vendor-specific protocols. D. Blocking eligible connections.

A. Filtering false positive alerts. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive.

If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack? A. Router configuration and rules. B. Design of the internal network. C. Updates to the router system software. D. Audit testing and review techniques.

A. Router configuration and rules. Improper router configuration and rules can leave the network exposed to denial-of-service (DoS) attacks, because the router is the point at which hostile traffic can be filtered or rate-limited before it reaches internal systems. The other choices are far less direct contributors.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. Maintenance of access logs of usage of various system resources. B. Authorization and authentication of the user prior to granting access to system resources. C. Adequate protection of stored data on servers by encryption or other means. D. Accountability system and the ability to identify any terminal accessing system resources.

B. Authorization and authentication of the user prior to granting access to system resources. This is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security.

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? A. Work is completed in tunnel mode with IP security. B. A digital signature with RSA has been implemented. C. Digital certificates with RSA are being used. D. Work is being completed in TCP services.

A. Work is completed in tunnel mode with IP security. IP Security (IPsec) in tunnel mode protects the complete original IP packet, header included, by encapsulating it inside a new IP packet. The Authentication Header (AH) provides integrity and origin authentication, and the Encapsulating Security Payload (ESP) provides confidentiality (and optionally authentication); the two services can be combined, or nested, to obtain both. A digital signature or certificate alone does not encrypt the traffic, and TCP itself offers no protection.

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? A. Server-based antivirus software. B. Enterprise-based antivirus software. C. Workstation-based antivirus software. D. Perimeter-based antivirus software.

B. Enterprise-based antivirus software. An important means of controlling the spread of viruses is to deploy an enterprise wide antivirus solution that will monitor and analyze traffic at many points. This provides a layered defense model that is more likely to detect malware regardless of how it comes into the organization— through a universal serial bus (USB) or portable storage, a network, an infected download or malicious web application.

In an online banking application, which of the following would BEST protect against identity theft? A. Encryption of personal password. B. Restricting the user to a specific terminal. C. Two-factor authentication. D. Periodic review of access logs.

C. Two-factor authentication. This requires two independent methods for establishing identity and privileges. Factors include something you know such as a password; something you have such as a token; and something you are which is biometric. Requiring two of these factors makes identity theft more difficult.

The use of digital signatures: A. Requires the use of a one-time password generator. B. Provides encryption to a message. C. Validates the source of a message. D. Ensures message confidentiality.

C. Validates the source of a message. A digital signature is created with the sender's private key and checked with the sender's public key, so a valid signature shows that the message came from the holder of that private key and was not changed after signing. It does not by itself encrypt the message or keep it confidential.

Which of the following is BEST suited for secure communications within a small group? A. Key distribution center. B. Certificate authority. C. Web of trust. D. Kerberos Authentication System.

C. Web of trust. This is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy and distributes the public keys of users within a group.

A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. D. Access to a network port is not restricted.

D. Access to a network port is not restricted. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

An IS auditor evaluating logical access controls should FIRST: A. Document the controls applied to the potential access paths to the system. B. Test controls over the access paths to determine if they are functional. C. Evaluate the security environment in relation to written policies and practices. D. Obtain an understanding of the security risk to information processing.

D. Obtain an understanding of the security risk to information processing. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

Which of the following is a passive attack to a network? A. Message modification. B. Masquerading. C. Denial-of-service. D. Traffic analysis.

D. Traffic analysis. This allows a watching threat actor to determine the nature of the flow of traffic between defined hosts, which may allow the threat actor to guess the type of communication taking place without taking an active role.

The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server? A. Host intrusion detection software installed on a server. B. Password expiration and lockout policy. C. Password complexity rules. D. Two-factor authentication.

D. Two-factor authentication. This requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.

The reliability of an application system's audit trail may be questionable if: A. User IDs are recorded in the audit trail. B. The security administrator has read-only rights to the audit file. C. Date and time stamps are recorded when an action occurs. D. Users can amend audit trail records when correcting system errors.

D. Users can amend audit trail records when correcting system errors. An audit trail is not effective if the details in it can be amended.

Which of the following cryptography options would increase overhead/cost? A. The encryption is symmetric rather than asymmetric. B. A long asymmetric encryption key is used. C. The hash is encrypted rather than the message. D. A secret key is used.

B. A long asymmetric encryption key is used. Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold.

The review of router access control lists should be conducted during: A. An environmental review. B. A network security review. C. A business continuity review. D. A data integrity review.

B. A network security review. These include reviewing router access control lists, port scanning, internal and external connections to the system, etc.

An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack? A. A race condition. B. A privilege escalation. C. A buffer overflow. D. An impersonation.

B. A privilege escalation. This is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.

After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application? A. Fine-grained access control. B. Role-based access control. C. Access control lists. D. Network/service access control.

B. Role-based access control. Authorization in this case can best be addressed by RBAC technology. RBAC controls access according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation.

Over the long term, which of the following has the greatest potential to improve the security incident response process? A. A walk-through review of incident response procedures. B. Simulation exercises performed by incident response team. C. Ongoing security training for users. D. Documenting responses to an incident.

B. Simulation exercises performed by incident response team. Simulation exercises to find the gaps and shortcomings in the actual incident response processes will help improve the process over time.

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? A. Reviewing logs frequently. B. Testing and validating the rules. C. Training a local administrator at the new location. D. Sharing firewall administrative duties.

B. Testing and validating the rules. A mistake in the rule set can render a firewall ineffective or insecure, and a rule that is too permissive fails silently: traffic flows and nothing alerts. Testing and validating the rules before the firewall goes live is therefore the most important factor in a successful deployment; log review, training and shared duties matter, but only once the rules are known to be correct.
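
How rule testing can be done before go-live, as an added Go example (not from the original page): it models first-match evaluation with an implicit final deny, runs a table of expected decisions against a rule set, and flags rules that an earlier, broader rule shadows. The two rule sets, the networks and the test traffic are constructed; in the mistaken set a broad internal allow sits ahead of the specific SSH deny it was meant to carve out, which passes traffic it should block without any visible error.

```go
package main

import (
	"fmt"
	"net"
)

type Rule struct {
	Name   string
	Action string     // "allow" or "deny"
	Src    *net.IPNet // source network the rule matches
	Port   int        // destination port; 0 matches any port
}

type Packet struct {
	Src  net.IP
	Port int
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed rule sets. The mistaken one places a broad internal allow ahead of
// the specific deny it was meant to be subject to.
var mistaken = []Rule{
	{"allow-internal", "allow", cidr("10.0.0.0/8"), 0},
	{"deny-guest-ssh", "deny", cidr("10.20.30.0/24"), 22},
	{"allow-https", "allow", cidr("0.0.0.0/0"), 443},
}

var corrected = []Rule{
	{"deny-guest-ssh", "deny", cidr("10.20.30.0/24"), 22},
	{"allow-internal", "allow", cidr("10.0.0.0/8"), 0},
	{"allow-https", "allow", cidr("0.0.0.0/0"), 443},
}

// evaluate applies first-match semantics with an implicit final deny, the way
// most firewalls and router ACLs process a rule list.
func evaluate(rules []Rule, p Packet) (action, matched string) {
	for _, r := range rules {
		if r.Src.Contains(p.Src) && (r.Port == 0 || r.Port == p.Port) {
			return r.Action, r.Name
		}
	}
	return "deny", "implicit-deny"
}

type Case struct {
	Desc string
	Pkt  Packet
	Want string
}

// Expected decisions, written down before deployment like any test plan.
var cases = []Case{
	{"guest subnet must not reach ssh", Packet{net.ParseIP("10.20.30.5"), 22}, "deny"},
	{"guest subnet may still browse", Packet{net.ParseIP("10.20.30.5"), 443}, "allow"},
	{"internet may reach https", Packet{net.ParseIP("203.0.113.9"), 443}, "allow"},
	{"internet must not reach ssh", Packet{net.ParseIP("203.0.113.9"), 22}, "deny"},
}

// runCases returns a description of every expectation the rule set violates.
func runCases(rules []Rule, cases []Case) []string {
	var failures []string
	for _, c := range cases {
		if got, by := evaluate(rules, c.Pkt); got != c.Want {
			failures = append(failures, fmt.Sprintf("%s: want %s, got %s via %q", c.Desc, c.Want, got, by))
		}
	}
	return failures
}

// shadowed reports rules that can never fire because an earlier rule already
// matches everything they would (superset network, compatible port).
func shadowed(rules []Rule) []string {
	var out []string
	for i, later := range rules {
		lBits, _ := later.Src.Mask.Size()
		for _, earlier := range rules[:i] {
			eBits, _ := earlier.Src.Mask.Size()
			if earlier.Src.Contains(later.Src.IP) && eBits <= lBits && (earlier.Port == 0 || earlier.Port == later.Port) {
				out = append(out, fmt.Sprintf("%q is shadowed by %q", later.Name, earlier.Name))
				break
			}
		}
	}
	return out
}

func main() {
	fmt.Println("mistaken:  failures", runCases(mistaken, cases), "shadowed", shadowed(mistaken))
	fmt.Println("corrected: failures", runCases(corrected, cases), "shadowed", shadowed(corrected))
}
```

The shadowing check catches the ordering error even without a test case for it, which is why both checks belong in the validation step: the expectation table proves the rules do what the change request asked, and the shadow report proves every rule still has a reason to exist.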

The MOST effective biometric control system is the one with: A. The highest equal-error rate. B. The lowest equal-error rate. C. False-rejection rate equal to the false-acceptance rate. D. A false-rejection rate equal to the failure-to-enroll rate.

B. The lowest equal-error rate. The EER of a biometric system is the rate at which the false-acceptance rate (FAR) equals the false-rejection rate (FRR), found by moving the decision threshold until the two curves cross. The biometric with the lowest EER is the most effective. Choice C merely describes the EER point that every system has, not a property that makes one system better than another.

An organization discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take would be to: A. Contact the appropriate law enforcement authorities to begin an investigation. B. Immediately ensure that no additional data are compromised. C. Disconnect the PC from the network. D. Update the antivirus signature on the PC to ensure that the malware or virus is detected and removed.

C. Disconnect the PC from the network. The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network. Isolating rather than powering down keeps volatile evidence (running processes, memory contents, the active rootkit) available for forensic analysis, and running an antivirus update at this stage would alter the system before evidence has been collected.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? A. Inheritance. B. Dynamic warehousing. C. Encapsulation. D. Polymorphism.

C. Encapsulation. Encapsulation is the property of objects that hides internal state and implementation: properties and methods that have not been declared public cannot be accessed from outside the object. An object exposes a defined interface to the outside, and only what belongs to that interface can be used, so its data can be changed only through the methods its designer chose to expose.

Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is: A. Restricted to predefined media access control addresses. B. Encrypted using static keys. C. Encrypted using dynamic keys. D. Initiated from devices that have encrypted storage.

C. Encrypted using dynamic keys. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted.

After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools? A. Differential. B. False-positive. C. False-negative. D. Less-detail.

C. False-negative. This type of reporting on weaknesses means the control weaknesses in the network are not identified and, therefore, may not be addressed, leaving the network vulnerable to attack.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: A. The good practices for the type of network devices deployed. B. Whether components of the network are missing. C. The importance of the network devices in the topology. D. Whether subcomponents of the network are being used appropriately.

C. The importance of the network devices in the topology. The first step is to understand the importance and role of the network device within the organization's network topology.

When using public key encryption to secure data being transmitted across a network: A. Both the key used to encrypt and decrypt the data are public. B. The key used to encrypt is private, but the key used to decrypt the data is public. C. The key used to encrypt is public, but the key used to decrypt the data is private. D. Both the key used to encrypt and decrypt the data are private.

C. The key used to encrypt is public, but the key used to decrypt the data is private. Public key encryption, also known as asymmetric key cryptography, uses a key pair: the sender encrypts with the recipient's public key, which can be distributed freely, and only the recipient's matching private key can decrypt the message.

A human resources company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? A. The password for the wireless network is changed on a weekly basis. B. A stateful inspection firewall is used between the public wireless and company networks. C. The public wireless network is physically segregated from the company network. D. An intrusion detection system is deployed within the wireless network.

C. The public wireless network is physically segregated from the company network. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion.

Java applets and ActiveX controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when: A. A firewall exists. B. A secure web connection is used. C. The source of the executable file is certain. D. The host web site is part of the organization.

C. The source of the executable file is certain. Accepting code that will run on the client should be based on established trust: knowing who produced the executable (in practice, through code signing by an identified publisher) and accepting only code from that source. A firewall or an encrypted connection says nothing about what the code does, and hostile applets can be served from anywhere, including a compromised site.

In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit? A. Device authentication and data origin authentication. B. Wireless intrusion detection and intrusion prevention systems. C. The use of cryptographic hashes. D. Packet headers and trailers.

C. The use of cryptographic hashes. Calculating a cryptographic hash over each frame allows the receiving device to verify that the frame was not altered in transit. For the check to also resist masquerading, the hash must be computed with a key the attacker does not have (a message integrity code, or MAC, which is what WPA2 and later use), because anyone can recompute an unkeyed hash over a modified frame. Device and data origin authentication establish who is talking, not whether the bits arrived unchanged.

A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST? A. Send a report to the IS audit department. B. Change the name of the DBA account. C. Suspend the DBA account. D. Change the database password.

D. Change the database password. Every password in the stolen file should be changed immediately, because there is no way to know whether the file has been read. Suspending or renaming the DBA's own account does not protect the production databases, whose credentials are what was lost, and reporting to audit can follow once the exposure is closed.

The role of the certificate authority (CA) as a third party is to: A. Provide secured communication and networking services based on certificates. B. Host a repository of certificates with the corresponding public and secret keys issued by that CA. C. Act as a trusted intermediary between two communication partners. D. Confirm the identity of the entity owning a certificate issued by that CA.

D. Confirm the identity of the entity owning a certificate issued by that CA. The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.

Which of the following would effectively verify the originator of a transaction? A. Using a secret password between the originator and the receiver. B. Encrypting the transaction with the receiver's public key. C. Using a portable document format to encapsulate transaction content. D. Digitally signing the transaction with the source's private key.

D. Digitally signing the transaction with the source's private key. A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify the identity of the source of a transaction and the integrity of its content to a recipient.

An accuracy measure for a biometric system is: A. System response time. B. Registration time. C. Input file size. D. False-acceptance rate.

D. False-acceptance rate. Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), crossover error rate (CER), also called the equal-error rate (EER), and false-acceptance rate (FAR). FRR measures how often valid individuals are rejected. FAR measures how often invalid individuals are accepted. CER is the point, reached by adjusting the decision threshold, at which the false-rejection rate equals the false-acceptance rate. Response time, registration time and input file size describe performance and usability, not accuracy.
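
To make the FAR/FRR/EER relationship concrete, here is an added Go example (not part of the original page). The match scores for genuine users and impostors are constructed, not measured from any real biometric; the program sweeps the decision threshold, computes FAR and FRR at each setting and reports the crossover, then repeats this for a second constructed system whose impostor scores are better separated from the genuine ones, to show that the lower EER identifies the more effective system.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed match scores (higher = stronger match), not measurements from any
// real system. Genuine = the enrolled user presenting; impostor = someone else.
var (
	genuineA  = []float64{0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45}
	impostorA = []float64{0.60, 0.55, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15}
	impostorB = []float64{0.45, 0.40, 0.35, 0.30, 0.25, 0.20, 0.15, 0.10, 0.05, 0.00}
)

// rates returns FAR and FRR at a threshold: a presentation is accepted when its
// score is at or above the threshold.
func rates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	accepted, rejected := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			accepted++ // impostor let in: false acceptance
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++ // legitimate user turned away: false rejection
		}
	}
	return float64(accepted) / float64(len(impostor)), float64(rejected) / float64(len(genuine))
}

// equalErrorRate sweeps every observed score as a candidate threshold and
// returns the one where FAR and FRR are closest, with both rates at that point.
// Raising the threshold lowers FAR and raises FRR; where they meet is the EER.
func equalErrorRate(genuine, impostor []float64) (threshold, far, frr float64) {
	candidates := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(candidates)
	bestGap := 2.0
	for _, t := range candidates {
		a, r := rates(genuine, impostor, t)
		gap := a - r
		if gap < 0 {
			gap = -gap
		}
		if gap < bestGap {
			bestGap, threshold, far, frr = gap, t, a, r
		}
	}
	return
}

func main() {
	for _, sys := range []struct {
		name     string
		impostor []float64
	}{{"system A", impostorA}, {"system B", impostorB}} {
		t, far, frr := equalErrorRate(genuineA, sys.impostor)
		fmt.Printf("%s: threshold %.2f  FAR %.2f  FRR %.2f  EER %.2f\n", sys.name, t, far, frr, (far+frr)/2)
	}
}
```

In deployment the threshold is rarely left at the EER point: a door to a data centre is tuned toward a low FAR and accepts more false rejections, while a convenience login may be tuned the other way. The EER is the vendor-neutral number for comparing systems before that choice is made.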

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a software as a service (SaaS) model with an external provider? A. Workstation upgrades must be performed. B. Long-term software acquisition costs are higher. C. Contract with the provider does not include onsite technical support. D. Incident handling procedures with the provider are not well defined.

D. Incident handling procedures with the provider are not well defined. A software-as-a-service (SaaS) provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.

Which of the following is the MOST reliable form of single factor personal identification? A. Smart card. B. Password. C. Photo identification. D. Iris scan.

D. Iris scan. Because no two irises are alike, identification and verification can be done with confidence.

Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to: A. Ensure prompt communication of adverse events to relevant management. B. Contain costs related to maintaining disaster recovery plan capabilities. C. Ensure that customers are promptly notified of issues such as security breaches. D. Minimize the duration and impact of system outages and security incidents.

D. Minimize the duration and impact of system outages and security incidents. An incident response plan helps minimize the impact of an incident because it provides a controlled response to incidents. The phases of the plan include planning, detection, evaluation, containment, eradication, escalation, response, recovery, reporting, postincident review and a review of lessons learned.

The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be? A. There is no significant potential risk. B. Soft zoning presents a potential risk. C. Disabling of unused ports presents a potential risk. D. The SAN administrator presents a potential risk.

D. The SAN administrator presents a potential risk. The potential risk in this scenario is posed by the SAN administrator. One concern is having a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. The organization currently relies entirely on the SAN administrator to implement, maintain, and validate all security controls; this means that the SAN administrator could modify or remove those controls without detection.

Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet? A. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not. B. Customers can make their transactions from any computer or mobile device. C. The CA has several data processing subcenters to administer certificates. D. The organization is the owner of the CA.

D. The organization is the owner of the CA. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.

An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved. Which of the following choices would be of MOST concern to the IS auditor? A. End users are not aware of incident reporting procedures. B. Log servers are not on a separate network. C. Backups are not performed consistently. D. There is no chain of custody policy.

D. There is no chain of custody policy. Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law. Chain of custody involves documentation of how digital evidence is acquired, processed, handled, stored and protected, and who handled the evidence and why. If there is no policy in place, it is unlikely that employees will ensure that the chain of custody is maintained during any data breach investigation.

Which of the following controls would BEST detect intrusion? A. User IDs and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts. D. Unsuccessful logon attempts are monitored by the security administrator.

D. Unsuccessful logon attempts are monitored by the security administrator. Intrusion is detected by the active monitoring and review of unsuccessful logon attempts.
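
Monitoring unsuccessful logons in practice means parsing authentication logs and alerting on patterns a legitimate user does not produce. The Go program below is an added example, not from the original page; the sshd-style log lines, the addresses and the account names are constructed. It counts failures per source address, records how many different accounts each source tried, and flags sources at or above a threshold.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sshd-style log lines for illustration; not taken from a real host.
const sampleLog = `Mar  3 09:14:01 web01 sshd[4123]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 09:14:03 web01 sshd[4123]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 09:14:05 web01 sshd[4125]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 09:14:06 web01 sshd[4127]: Failed password for invalid user oracle from 203.0.113.5 port 51242 ssh2
Mar  3 09:14:08 web01 sshd[4129]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Mar  3 09:15:10 web01 sshd[4131]: Failed password for jsmith from 198.51.100.7 port 40022 ssh2
Mar  3 09:15:20 web01 sshd[4131]: Accepted password for jsmith from 198.51.100.7 port 40022 ssh2
Mar  3 09:16:00 web01 sshd[4133]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2`

// One pattern covers both "Failed password for USER from IP" and the
// "invalid user USER" variant sshd logs for accounts that do not exist.
var failedRe = regexp.MustCompile(`Failed password for (?:invalid user )?(\S+) from (\S+) port`)

// countFailures tallies failed logons per source address and records which
// account names each source tried.
func countFailures(log string) (perSource map[string]int, accounts map[string]map[string]bool) {
	perSource = map[string]int{}
	accounts = map[string]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue // successful logons and unrelated lines are not counted
		}
		user, src := m[1], m[2]
		perSource[src]++
		if accounts[src] == nil {
			accounts[src] = map[string]bool{}
		}
		accounts[src][user] = true
	}
	return
}

// suspiciousSources lists sources at or above the failure threshold. One
// address cycling through several account names is the brute-force signature
// that a single user mistyping a password does not produce.
func suspiciousSources(log string, threshold int) []string {
	perSource, accounts := countFailures(log)
	var out []string
	for src, n := range perSource {
		if n >= threshold {
			out = append(out, fmt.Sprintf("%s: %d failures across %d accounts", src, n, len(accounts[src])))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, alert := range suspiciousSources(sampleLog, 5) {
		fmt.Println("ALERT", alert)
	}
}
```

The user who mistyped once and then logged in (198.51.100.7) stays below the threshold, which is the point of counting per source rather than alerting on every failure; in a real deployment the count would be kept per time window and fed to the security administrator's console or SIEM rather than printed.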

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? A. Using a cryptographic hashing algorithm. B. Enciphering the message digest. C. Calculating a checksum of the transaction. D. Using a sequence number and time stamp.

D. Using a sequence number and time stamp. When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection and could be used to verify that a payment instruction was not duplicated.
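
The following Go program is an added example, not from the original page, showing the replay check described here together with the keyed hash that the earlier wireless-integrity question depends on. The sender computes an HMAC-SHA256 tag over the sequence number, time stamp and payment payload; the receiver verifies the tag first, then rejects instructions outside a freshness window or carrying a sequence number it has already processed. The key, amounts and account identifiers are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Instruction is a payment message as it travels over the network. The
// sequence number and time stamp are covered by the tag, so an attacker cannot
// strip or alter them without invalidating it.
type Instruction struct {
	Seq     uint64
	Time    int64 // unix seconds at the sender
	Payload string
	Tag     string // hex HMAC-SHA256 over Seq|Time|Payload
}

func tag(key []byte, seq uint64, ts int64, payload string) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%d|%d|%s", seq, ts, payload)
	return hex.EncodeToString(mac.Sum(nil))
}

func NewInstruction(key []byte, seq uint64, ts int64, payload string) Instruction {
	return Instruction{Seq: seq, Time: ts, Payload: payload, Tag: tag(key, seq, ts, payload)}
}

// Receiver holds the shared key, the freshness window in seconds, and the
// highest sequence number it has already acted on.
type Receiver struct {
	key     []byte
	window  int64
	lastSeq uint64
}

// Accept checks, in order: the keyed hash (integrity and origin), the time
// stamp (freshness), then the sequence number (no duplicates). Sequence numbers
// start at 1, so a fresh receiver accepts the first message.
func (r *Receiver) Accept(in Instruction, now int64) error {
	if !hmac.Equal([]byte(tag(r.key, in.Seq, in.Time, in.Payload)), []byte(in.Tag)) {
		return fmt.Errorf("seq %d: bad tag (message modified or not from the key holder)", in.Seq)
	}
	if age := now - in.Time; age > r.window || age < -r.window {
		return fmt.Errorf("seq %d: time stamp %ds off, outside %ds window", in.Seq, age, r.window)
	}
	if in.Seq <= r.lastSeq {
		return fmt.Errorf("seq %d: already processed, duplicate rejected", in.Seq)
	}
	r.lastSeq = in.Seq
	return nil
}

func main() {
	key := []byte("constructed shared key, not for production") // constructed
	r := &Receiver{key: key, window: 60}
	now := int64(1700000000)

	first := NewInstruction(key, 1, now, "PAY 100.00 ACCT-42")
	fmt.Println("first delivery:   ", r.Accept(first, now+2))
	fmt.Println("replayed copy:    ", r.Accept(first, now+5))

	altered := NewInstruction(key, 2, now+5, "PAY 100.00 ACCT-42")
	altered.Payload = "PAY 100.00 ACCT-99" // attacker edits the beneficiary
	fmt.Println("altered payload:  ", r.Accept(altered, now+6))

	delayed := NewInstruction(key, 3, now+10, "PAY 5.00 ACCT-7")
	fmt.Println("held back 10 min: ", r.Accept(delayed, now+610))
}
```

The order of the checks matters: the tag is verified before anything else is trusted, because an attacker who can edit the sequence number or time stamp without detection could otherwise make a replay look fresh. A plain checksum or unkeyed hash (choices A and C) would not stop that, since the attacker can recompute it.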

When auditing a role-based access control system, the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? A. Ensure that these employees are adequately supervised. B. Ensure that backups of the transaction logs are retained. C. Implement controls to detect the changes. D. Write transaction logs in real time to Write Once and Read Many drives.

D. Write transaction logs in real time to Write Once and Read Many drives. Allowing IT security employees access to transaction logs is often unavoidable, because the system administrator privileges they need for their job carry that access with them. The best control to prevent unauthorized modification of the logs is to write them in real time to WORM media, which cannot be altered once written. Simply backing up the logs to tape is not adequate, because an entry could be modified or deleted before the daily backup job runs (typically at night); supervision and change detection would find tampering only after the fact.

Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet? A. Digital signatures. B. Asymmetric cryptography. C. Digital certificates. D. Message authentication code.

C. Digital certificates. A certificate is issued by a trusted third party, the certificate authority, which has verified the sender's identity and bound it to the sender's public key. The sender attaches the certificate to the message; the recipient validates it against the issuing CA (chain of trust and revocation status, checked against the CA's repository) and then uses the certified public key to verify the sender's signature. A signature or message authentication code on its own proves possession of a key, not whose key it is; the certificate supplies that binding.

A digital signature contains a message digest to: A. Show if the message has been altered after transmission. B. Define the encryption algorithm. C. Confirm the identity of the originator. D. Enable message transmission in a digital format.

A. Show if the message has been altered after transmission. The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message.
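
The two directions in which an asymmetric key pair is used, as an added Go example (not from the original page): the sender hashes the message and signs the digest with its private key, and the recipient recomputes the digest of what arrived and verifies with the sender's public key; in the other direction, anyone can encrypt to the recipient's public key and only the recipient's private key decrypts, which is the earlier question on which key encrypts and which decrypts. It uses RSA-PSS and RSA-OAEP from Go's standard library; the payment message is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newKeyPair generates a 2048-bit RSA key. The public half is what gets
// published (in practice inside a certificate); the private half never leaves its owner.
func newKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// sign computes the message digest and signs it with the sender's private key
// (RSA-PSS). The digest, not the message itself, is what the signature covers.
func sign(senderPriv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// verify recomputes the digest of the bytes actually received and checks the
// signature with the sender's public key. A changed message, or a signature
// made with some other private key, fails.
func verify(senderPub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// encryptFor goes the other way: anyone can encrypt to the receiver's public
// key, and only the receiver's private key can decrypt the result (RSA-OAEP).
func encryptFor(receiverPub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
}

func decryptWith(receiverPriv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ct, nil)
}

func main() {
	sender, receiver := newKeyPair(), newKeyPair()
	msg := []byte("TRANSFER 2500.00 FROM 1001 TO 2002") // constructed

	sig, err := sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("original message verifies:        ", verify(&sender.PublicKey, msg, sig))
	fmt.Println("altered beneficiary verifies:     ", verify(&sender.PublicKey, []byte("TRANSFER 2500.00 FROM 1001 TO 9999"), sig))
	fmt.Println("verified with another party's key:", verify(&receiver.PublicKey, msg, sig))

	ct, _ := encryptFor(&receiver.PublicKey, msg)
	pt, _ := decryptWith(receiver, ct)
	_, wrong := decryptWith(sender, ct)
	fmt.Printf("receiver decrypts: %q\n", pt)
	fmt.Println("sender's private key cannot decrypt:", wrong != nil)
}
```

Note that the signature proves the message came from whoever holds the signing key, not from a named person; tying that key to an identity is the job of a certificate, which the questions on certificate authorities cover.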

Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity? A. Statistical-based. B. Signature-based. C. Neural network. D. Host-based.

A. Statistical-based. A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious.

The Secure Sockets Layer protocol ensures the confidentiality of a message by using: A. Symmetric encryption. B. Message authentication codes. C. Hash function. D. Digital signature certificates.

A. Symmetric encryption. Secure Sockets Layer (SSL), like its successor Transport Layer Security (TLS), negotiates a symmetric session key during the handshake and uses it to encrypt the message data; certificates and asymmetric operations serve only to authenticate the server and establish that key. Message authentication codes and hash functions protect integrity, not confidentiality. SSL itself is deprecated and should not be enabled on current systems.

Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures. C. Operations support staff members are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

A. Application programmers are implementing changes to production programs. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.

The PRIMARY goal of a web site certificate is: A. Authentication of the web site that will be surfed. B. Authentication of the user who surfs through that site. C. Preventing surfing of the web site by hackers. D. The same purpose as that of a digital certificate.

A. Authentication of the web site that will be surfed. A web site certificate binds the site's domain name to a public key and is signed by a certificate authority the browser trusts, so the browser can confirm during the TLS handshake that it is talking to the genuine site rather than an impostor. It does not authenticate the user, and it does not stop anyone from visiting the site.
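
What a browser does with a web site certificate, as an added Go example (not from the original page): a root CA certificate is created, a certificate for a site name is issued under it, and verification builds the chain to the trusted root and checks the host name. A second, untrusted CA then issues a certificate for the same name, showing that the name alone proves nothing without a chain to a trusted root. The CA and site names are constructed, and the `.test` domain is reserved for exactly this kind of example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate describes a CA certificate: it may sign other certificates.
func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate describes a web site certificate: it binds a DNS name to a
// key and is usable only for server authentication.
func serverTemplate(dnsName string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue has the CA sign tmpl over pub. A nil parent makes the certificate
// self-signed, which is how a root CA certificate comes into existence.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyServer does what a browser does with a site certificate: build a chain
// to a root it trusts and confirm the certificate names the host being visited.
func verifyServer(site, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := site.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	caKey := newKey()
	ca := issue(caTemplate("Example Bank Root CA", 1), nil, &caKey.PublicKey, caKey)
	siteKey := newKey()
	site := issue(serverTemplate("online.example-bank.test", 2), ca, &siteKey.PublicKey, caKey)

	// An attacker who runs their own CA can mint a certificate with the same
	// name, but no browser trusts that CA, so the chain does not build.
	rogueKey, fakeKey := newKey(), newKey()
	rogue := issue(caTemplate("Rogue CA", 3), nil, &rogueKey.PublicKey, rogueKey)
	fake := issue(serverTemplate("online.example-bank.test", 4), rogue, &fakeKey.PublicKey, rogueKey)

	fmt.Println("genuine cert, right host:    ", verifyServer(site, ca, "online.example-bank.test"))
	fmt.Println("genuine cert, other host:    ", verifyServer(site, ca, "evil.test"))
	fmt.Println("same name, untrusted issuer: ", verifyServer(fake, ca, "online.example-bank.test"))
}
```

Everything in the scenario hinges on which roots sit in the trust store, which is why an organisation operating its own CA (the weakness flagged in an earlier question) must run registration, issuance and revocation as carefully as a public CA: a compromised or careless root makes every certificate under it suspect.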

Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? A. Routing outbound Internet traffic through a content-filtering proxy server. B. Routing inbound Internet traffic through a reverse proxy server. C. Implementing a firewall with appropriate access rules. D. Deploying client software utilities that block inappropriate content.

A. Routing outbound Internet traffic through a content-filtering proxy server. A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites.

Which of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened subnet firewall. B. Application filtering gateway. C. Packet filtering router. D. Circuit-level gateway.

A. Screened subnet firewall. This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities that permits or denies traffic between networks or nodes based on addresses, ports, protocols, interfaces, etc. The screened subnet isolates Internet-facing systems from the rest of the corporate network, so an attacker who compromises a public-facing server still has a second filter between them and internal hosts. The other choices are single components rather than an architecture.

Which of the following would MOST effectively reduce social engineering incidents? A. Security awareness training. B. Increased physical security measures. C. Email monitoring policy. D. Intrusion detection systems.

A. Security awareness training. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.

Which of the following BEST describes the role of a directory server in a public key infrastructure? A. Encrypts the information transmitted over the network. B. Makes other users' certificates available to applications. C. Facilitates the implementation of a password policy. D. Stores certificate revocation lists.

B. Makes other users' certificates available to applications. A directory server makes other users' certificates available to applications.

A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? A. A host-based intrusion prevention system. B. A network-based intrusion detection system. C. A firewall. D. Operating system patching.

A. A host-based intrusion prevention system. This prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? A. An application-level gateway. B. A remote access server. C. A proxy server. D. Port scanning.

A. An application-level gateway. This is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each packet—not only in layers one through four of the Open System Interconnection model, but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol, File Transfer Protocol, Simple Network Management Protocol, etc.).

A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that: A. Analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. B. WAN capacity is adequate for the maximum traffic demands because saturation has not been reached. C. The line should immediately be replaced by one with a larger capacity to provide approximately 85 percent saturation. D. Users should be instructed to reduce their traffic demands or distribute them across all service hours to flatten bandwidth consumption.

A. Analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. The peak at 96 percent could be the result of a one-off incident (e.g., a user downloading a large amount of data); therefore, analysis to establish whether this is a regular pattern and what causes this behavior should be carried out before expenditure on a larger line capacity is recommended.

An IS auditor performing detailed network assessments and access control reviews should FIRST: A. Determine the points of entry into the network. B. Evaluate users' access authorization. C. Assess users' identification and authorization. D. Evaluate the domain-controlling server configuration.

A. Determine the points of entry into the network. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.

The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be? A. Digital signatures are not adequate to protect confidentiality. B. Digital signatures are adequate to protect confidentiality. C. The IS auditor should gather more information about the specific implementation. D. The IS auditor should recommend implementation of digital watermarking for secure email.

A. Digital signatures are not adequate to protect confidentiality. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior year's finding.

An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by: A. Digitally signing all email messages. B. Encrypting all email messages. C. Compressing all email messages. D. Password protecting all email messages.

A. Digitally signing all email messages. By digitally signing all email messages, the receiver will be able to validate the authenticity of the sender.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? A. Employees report more information regarding security incidents. B. All employees have signed the information security policy. C. Most employees have attended an awareness session. D. Information security responsibilities have been included in job descriptions.

A. Employees report more information regarding security incidents. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are acting as a consequence of the awareness program.

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: A. Encryption. B. Callback modems. C. Message authentication. D. Dedicated leased lines.

A. Encryption. Encryption of data is the most secure method of protecting confidential data from exposure.

The FIRST step in data classification is to: A. Establish ownership. B. Perform a criticality analysis. C. Define access rules. D. Create a data dictionary.

A. Establish ownership. Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification.

Email message authenticity and confidentiality is BEST achieved by signing the message using the: A. Sender's private key and encrypting the message using the receiver's public key. B. Sender's public key and encrypting the message using the receiver's private key. C. Receiver's private key and encrypting the message using the sender's public key. D. Receiver's public key and encrypting the message using the sender's private key.

A. Sender's private key and encrypting the message using the receiver's public key. By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality.

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? A. False-acceptance rate. B. Equal-error rate. C. False-rejection rate. D. False-identification rate.

A. False-acceptance rate. This is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important than the impact on the false-rejection rate.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? A. Firewalls. B. Routers. C. Layer 2 switches. D. Virtual local area networks.

A. Firewalls. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.

When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the: A. Hardware is protected against power surges. B. Integrity is maintained if the main power is interrupted. C. Immediate power will be available if the main power is lost. D. Hardware is protected against long-term power fluctuations.

A. Hardware is protected against power surges. A voltage regulator protects against short-term power fluctuations.

Validated digital signatures in an email software application will: A. Help detect spam. B. Provide confidentiality. C. Add to the workload of gateway servers. D. Significantly reduce available bandwidth.

A. Help detect spam. Validated electronic signatures are based on qualified certificates that are created by a certificate authority, with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured, and a sender can be tracked. The recipient can configure his/her email server or client to automatically delete emails from specific senders.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: A. Periodic review of user activity logs. B. Verification of user authorization at the field level. C. Review of data communication access activity logs. D. Periodic review of changing data files.

A. Periodic review of user activity logs. General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted.

The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? A. Piggybacking. B. Shoulder surfing. C. Dumpster diving. D. Impersonation.

A. Piggybacking. This refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area.

Web and email filtering tools are valuable to an organization PRIMARILY because they: A. Protect the organization from viruses and nonbusiness materials. B. Maximize employee performance. C. Safeguard the organization's image. D. Assist the organization in preventing legal issues.

A. Protect the organization from viruses and nonbusiness materials. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice: A. Reduces the risk of unauthorized access to the network. B. Is not suitable for small networks. C. Automatically provides an IP address to anyone. D. Increases the risk associated with Wireless Encryption Protocol.

A. Reduces the risk of unauthorized access to the network. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.

Which of the following is an example of a passive cybersecurity attack? A. Traffic analysis. B. Masquerading. C. Denial-of-service. D. Email spoofing.

A. Traffic analysis. Cybersecurity threats/vulnerabilities are divided into passive and active attacks. A passive attack is one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis.

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks? A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. B. The contingency plan for the organization cannot effectively test controlled access practices. C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control. D. Removing access for those who are no longer authorized is complex.

A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. Piggybacking or tailgating can compromise the physical access controls.

An IS auditor is performing a review of a network. Users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST: A. Use a protocol analyzer to perform network analysis and review error logs of local area network equipment. B. Take steps to increase the bandwidth of the connection to the Internet. C. Create a baseline using a protocol analyzer and implement quality of service to ensure that critical business applications work as intended. D. Implement virtual local area networks to segment the network and ensure performance.

A. Use a protocol analyzer to perform network analysis and review error logs of local area network equipment. In this case, the first step is to identify the problem through review and analysis of network traffic. Using a protocol analyzer and reviewing the log files of the related switches or routers will determine whether there is a configuration issue or hardware malfunction.

Which of the following is the MOST effective control over visitor access to a data center? A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.

A. Visitors are escorted. Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility.

An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor's report? A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. B. Both fire suppression systems present a risk of suffocation when used in a closed room. C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper). D. The documentation binders should be removed from the equipment room to reduce potential risk.

B. Both fire suppression systems present a risk of suffocation when used in a closed room. Protecting people's lives should always be of highest priority in fire suppression activities. Carbon dioxide (CO2) and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries, installing or refilling halon fire suppression systems is not allowed.

Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce? A. Registration authority. B. Certificate authority. C. Certification revocation list. D. Certification practice statement.

B. Certificate authority. The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication.

An IS auditor reviewing access controls for a client-server environment should FIRST: A. Evaluate the encryption technique. B. Identify the network access points. C. Review the identity management system. D. Review the application level access controls.

B. Identify the network access points. A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points should be identified.

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? A. An implicit deny rule as the last rule in the rule base. B. Installation on an operating system configured with default settings. C. Rules permitting or denying access to systems or networks. D. Configuration as a virtual private network endpoint.

B. Installation on an operating system configured with default settings. Default settings of most equipment—including operating systems—are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software.

The PRIMARY reason for using digital signatures is to ensure data: A. Confidentiality. B. Integrity. C. Availability. D. Correctness.

B. Integrity. Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin.

Which of the following is the MOST significant function of a corporate public key infrastructure and certificate authority employing X.509 digital certificates? A. It provides the public/private key set for the encryption and signature services used by email and file space. B. It binds a digital certificate and its public key to an individual subscriber's identity. C. It provides the authoritative source for employee identity and personal details. D. It provides the authoritative authentication source for object access.

B. It binds a digital certificate and its public key to an individual subscriber's identity. Public key infrastructure (PKI) is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous.

When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following? A. High number of false-positive alarms. B. Low coverage of network traffic. C. Network performance downgrade. D. Default detection settings.

B. Low coverage of network traffic. Cybersecurity attacks might not be identified in a timely manner if only a small portion of network traffic is analyzed.

An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when: A. The organization is not permitted to assess the controls in the participating vendor's site. B. The service level agreement does not address the responsibility of the vendor in the case of a security breach. C. Laws and regulations are different in the countries of the organization and the vendor. D. The organization is using an older version of a browser and is vulnerable to certain types of security risk.

B. The service level agreement does not address the responsibility of the vendor in the case of a security breach. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern? A. The corporate network is using an intrusion prevention system. B. This part of the network is isolated from the corporate network. C. A single sign-on has been implemented in the corporate network. D. Antivirus software is in place to protect the corporate network.

B. This part of the network is isolated from the corporate network. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? A. Stateful inspection firewall. B. Web content filter. C. Web cache server. D. Proxy server.

B. Web content filter. This accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator blacklists and classifications for millions of web sites.

Neural networks are effective in detecting fraud because they can: A. Discover new trends because they are inherently linear. B. Solve problems where large and general sets of training data are not obtainable. C. Address problems that require consideration of a large number of input variables. D. Make assumptions about the shape of any curve relating variables to the output.

C. Address problems that require consideration of a large number of input variables. Neural networks can be used to address problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends.

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? A. Data Encryption Standard. B. Message digest 5. C. Advanced Encryption Standard. D. Secure Shell.

C. Advanced Encryption Standard. This provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data.

Which of the following types of firewalls provide the GREATEST degree and granularity of control? A. Screening router. B. Packet filter. C. Application gateway. D. Circuit gateway.

C. Application gateway. This is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transmission Protocol (HTTP) proxy that acts as an intermediary between externals and internals but is specifically for HTTP. This means that it not only checks the packet Internet Protocol (IP) addresses (Open Systems Interconnection [OSI] Layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (OSI Layers 5 and 7). Therefore, it works in a more detailed (granularity) way than the other choices.

An Internet-based attack using password sniffing can: A. Enable one party to act as if they are another party. B. Cause modification to the contents of certain transactions. C. Be used to gain access to systems containing proprietary information. D. Result in major problems with billing systems and transaction processing agreements.

C. Be used to gain access to systems containing proprietary information. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored.

Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal? A. Overwriting the tapes. B. Initializing the tape labels. C. Degaussing the tapes. D. Erasing the tapes.

C. Degaussing the tapes. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes.

Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network implementation? Computers on the network that are located: A. On the enterprise's internal network. B. At the backup site. C. In employees' homes. D. At the enterprise's remote offices.

C. In employees' homes. One risk of a virtual private network implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies and, therefore, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus.

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step? A. Observe the response mechanism. B. Clear the virus from the network. C. Inform appropriate personnel immediately. D. Ensure deletion of the virus.

C. Inform appropriate personnel immediately. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.

Applying a digital signature to data traveling in a network provides: A. Confidentiality and integrity. B. Security and nonrepudiation. C. Integrity and nonrepudiation. D. Confidentiality and nonrepudiation.

C. Integrity and nonrepudiation. A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message.

When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised? A. Personal firewall. B. Antivirus programs. C. Intrusion detection system. D. Virtual local area network configuration.

C. Intrusion detection system. An IDS would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator.

When reviewing the implementation of a local area network, an IS auditor should FIRST review the: A. Node list. B. Acceptance test report. C. Network diagram. D. Users list.

C. Network diagram. To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.

The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: A. Data integrity. B. Authentication. C. Nonrepudiation. D. Replay protection.

C. Nonrepudiation. Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message.

When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with: A. Analysis. B. Evaluation. C. Preservation. D. Disclosure.

C. Preservation. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when investigating. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings.

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? A. Piggybacking. B. Dumpster diving. C. Shoulder surfing. D. Impersonation.

C. Shoulder surfing. If a password is displayed on a monitor, any person or camera nearby could look over the shoulder of the user to obtain the password.

A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? A. Set up an exit interview with human resources. B. Initiate the handover process to ensure continuity of the project. C. Terminate the developer's logical access to IT resources. D. Ensure that management signs off on the termination paperwork.

C. Terminate the developer's logical access to IT resources. To protect IT assets, terminating logical access to IT resources is the first and most important action to take after management has confirmed the employee's clear intention to leave the enterprise.
