CISA Questions (601-700)


Which of the following is the GREATEST risk of an organization using reciprocal agreements for disaster recovery between two business units? Select an answer: A. The documents contain legal deficiencies. B. Both entities are vulnerable to the same incident. C. IT systems are not identical. D. One party has more frequent disruptions than the other.

You are correct, the answer is B. A. Inadequate agreements between two business units are a risk, but generally a lesser one than the risk that both organizations will suffer a disaster at the same time. B. The use of reciprocal disaster recovery is based on the probability that both organizations will not suffer a disaster at the same time. Two business units of the same organization often share a region, suppliers and infrastructure, so the chance that one incident takes out both is higher than it would be for two independent organizations. C. While incompatible IT systems could create problems, it is a less significant risk than both organizations suffering from the same disaster at the same time. D. While one party may utilize the other's resources more frequently, this can be addressed by contractual provisions and is not a major risk.

Which of the following is the BEST method for determining the criticality of each application system in the production environment? Select an answer: A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA).

You are correct, the answer is D. A. Interviews with the application programmers will provide limited information related to the criticality of the systems. B. A gap analysis is relevant to system development and project management but does not determine application criticality. C. The audits may not contain the required information about application criticality or may not have been done recently. D. A business impact analysis (BIA) will give the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business.

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: Select an answer: A. an unauthorized user may use the ID to gain access. B. user access management is time consuming. C. passwords are easily guessed. D. user accountability may not be established.

You are correct, the answer is D. A. Misuse of a shared ID by an unauthorized user is more likely than misuse of an individual ID, but the misuse of another person's ID is always a risk. B. Using shared IDs would not pose an increased risk due to the work effort required for managing access. C. Shared user IDs do not necessarily have easily guessed passwords. D. The use of a user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is impossible to hold anyone accountable.

An employee has received a digital photo frame as an anonymous gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: Select an answer: A. the photo frame storage media could be used to steal corporate data. B. the drivers for the photo frame may be incompatible and crash the user's PC. C. the employee may bring inappropriate photographs into the office. D. the photo frame could be infected with malware.

You are correct, the answer is D. A. While any storage device could be used to steal data, the damage caused by malware could be widespread and severe for the enterprise. B. While device drivers may be incompatible and crash the user's PC, the damage caused by malware could be widespread and severe for the enterprise. C. While inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise. D. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor? Select an answer: A. Passwords are shared. B. Unencrypted passwords are used. C. Redundant logon IDs exist. D. Third-party users are granted administrator-level access.

You are correct, the answer is B. A. Passwords should not be shared, but this is less important than ensuring that passwords are not transmitted or stored in the clear. B. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because remote access is assumed to take place over an untrusted network, where passwords sent in the clear can be captured. C. Checking for redundant logon IDs is essential, but it is less important than ensuring that the passwords are encrypted. D. There may be business requirements, such as the use of contractors, that require third parties to have system access, so this may not be a concern.

A development team has developed and is currently maintaining a customer-facing web application which is hosted at their regional office versus at the central data center. The GREATEST risk in this scenario is that the: Select an answer: A. additional traffic of the web site would slow down Internet access for the regional office. B. development team may lack the expertise and staffing to manage and maintain a hosted application environment. C. regional office may not have the same level of fire detection and suppression that exists at the main data center. D. regional office may not have a firewall or network that is sufficiently secure for a web server.

You are correct, the answer is B. A. The risk of an impact on Internet access from the regional office is not as serious as the risk related to improper configuration or maintenance of the web application. B. Maintaining a critical web application requires continuous monitoring and maintenance that is normally performed by data center operations personnel, not by a development team. While system developers may be capable of performing computer operations tasks, they would not normally be on site 24/7 as would computer operations staff. C. The physical security of a data center in a regional office should be sufficient to protect its systems, many of which may be more critical than a web application. D. While it may be true that the regional office may not have a network architecture and infrastructure suitable for hosting a web application, this is just one risk associated with a development team attempting to operate a web application.

Security administration procedures require read-only access to: Select an answer: A. access control tables. B. security log files. C. logging options. D. user profiles.

You answered A. The correct answer is B. A. Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. B. Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. C. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported. D. The security administrator is often responsible for user-facing issues such as managing user roles, profiles and settings. This requires the administrator to have more than read-only access.

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? Select an answer: A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation

You answered B. The correct answer is C. A. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. B. This policy only refers to "the display of passwords," not dumpster diving (looking through an organization's trash for valuable information). C. If a password is displayed on a monitor, any person or camera nearby could look over the shoulder of the user to obtain the password. D. Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

The MOST important factor in planning a black box penetration test is: Select an answer: A. the documentation of the planned testing procedure. B. a realistic evaluation of the environment architecture to determine scope. C. knowledge by the management staff of the client organization. D. scheduling and deciding on the timed length of the test.

You answered B. The correct answer is C. A. A penetration test should be carefully planned and executed, but the most important factor is proper approvals. B. In a black box penetration test, the environment is not known to the testing organization. C. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. D. A test must be scheduled so as to minimize the risk of affecting critical operations; however, this is part of working with the management of the organization.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement? Select an answer: A. Mandatory B. Role-based C. Discretionary D. Single sign-on (SSO)

You answered A. The correct answer is B. A. An access control system based on mandatory access control (MAC) would be expensive, and difficult to implement and maintain in a large complex organization. B. Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis. C. Discretionary access control (DAC) is where the owner of the resources decides who should have access to that resource. Most access control systems are an implementation of DAC. This answer is not specific enough for this scenario. D. Single sign-on (SSO) is an access control technology used to manage access to multiple systems, networks and applications. This answer is not specific enough for this question.
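The following is an added example and is not part of the original question bank: a minimal role-based access control decision for viewing reports on a need-to-know basis, with a role hierarchy so that a senior role inherits what a junior role may see. The role names, report names and users are constructed for illustration.

```python
# Added example, not from the original question bank: role-based access control
# (RBAC) for report viewing on a need-to-know basis. Role names, report names
# and users are constructed for illustration.
from dataclasses import dataclass, field

# Role -> reports that role may view. Anything not listed is denied (default deny).
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll_summary"},
    "hr_manager":    {"headcount", "turnover"},
    "sales_rep":     {"pipeline"},
    "auditor":       {"access_log"},
}

# Role hierarchy: a role inherits the permissions of every role it lists.
ROLE_INHERITS = {
    "hr_manager": {"payroll_clerk"},
    "auditor":    {"hr_manager", "sales_rep"},
}


def effective_permissions(role: str, _seen: frozenset = frozenset()) -> set:
    """Permissions of a role plus everything inherited, transitively."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if role in _seen:                      # guard against a cyclic hierarchy
        return set()
    perms = set(ROLE_PERMISSIONS[role])
    for parent in ROLE_INHERITS.get(role, ()):
        perms |= effective_permissions(parent, _seen | {role})
    return perms


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def can_view(user: User, report: str) -> bool:
    """Decide by role membership only: access never depends on who the user is,
    so a job change is handled by reassigning roles, not by editing per-user ACLs."""
    return any(report in effective_permissions(r) for r in user.roles)


def view_report(user: User, report: str, audit: list) -> str:
    """Enforce the decision and record it; the audit trail answers 'who saw what'."""
    decision = "ALLOW" if can_view(user, report) else "DENY"
    audit.append((user.name, report, decision))
    if decision == "DENY":
        raise PermissionError(f"{user.name} may not view {report}")
    return f"<contents of {report}>"


if __name__ == "__main__":
    trail = []
    print(view_report(User("alice", {"hr_manager"}), "payroll_summary", trail))
    try:
        view_report(User("bob", {"sales_rep"}), "payroll_summary", trail)
    except PermissionError as exc:
        print(exc)
    print(trail)
```

The point of the hierarchy is that the business owner grants "payroll summary" to the payroll clerk role once; the HR manager sees it by inheritance, and the sales representative never does, without anyone maintaining per-user lists. Under discretionary control the same outcome would depend on each owner remembering to grant and revoke access user by user.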

A human resources (HR) company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? Select an answer: A. The password for the wireless network is changed on a weekly basis. B. A stateful inspection firewall is used between the public wireless and company networks. C. The public wireless network is physically segregated from the company network. D. An intrusion detection system (IDS) is deployed within the wireless network

You answered A. The correct answer is C. A. Changing the password for the wireless network does not secure against unauthorized access to the company network, especially because a guest could gain access to the wireless local area network (WLAN) at any time prior to the weekly password change interval. B. A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the configuration of the firewall would need to be audited and firewall compromises, although unlikely, are possible. C. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion. D. An intrusion detection system (IDS) will detect intrusions but will not prevent unauthorized individuals from accessing the network.

Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network (VPN) implementation? Computers on the network that are located: Select an answer: A. on the enterprise's internal network. B. at the backup site. C. in employees' homes. D. at the enterprise's remote offices.

You answered A. The correct answer is C. A. On an enterprise's internal network, there should be security policies and controls in place to detect and halt an outside attack that uses an internal machine as a staging platform. B. Computers at the backup site are subject to the corporate security policy and, therefore, are not high-risk computers. C. One risk of a virtual private network (VPN) implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies and, therefore, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus. D. Computers on the network that are at the enterprise's remote offices, perhaps with different IS and security employees who have different ideas about security, are more risky than computers in the main office or backup site, but obviously less risky than home computers.

Which of the following presents an inherent risk with no distinct identifiable preventive controls? Select an answer: A. Piggybacking B. Viruses C. Data diddling D. Unauthorized application shutdown

You answered A. The correct answer is C. A. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message. B. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses. C. Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. D. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.

Which of the following would be the MOST appropriate recovery strategy for a sensitive system with a high recovery time objective (RTO)? Select an answer: A. Warm site B. Hot site C. Cold site D. Mobile recovery site

You answered A. The correct answer is C. A. While a warm site may be a good solution, it would not be the most appropriate because it is more expensive than a cold site. B. A hot site is used for those systems classified as critical that have a low recovery time objective (RTO). C. A sensitive system with a high RTO can tolerate an extended outage; its functions can be performed manually at a tolerable cost for that period, so a cold site would be the most cost-effective solution for such a system. D. A mobile recovery site would not be as cost-effective as a cold site and would not be appropriate for systems with high RTOs.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? Select an answer: A. Analyzer B. Administration console C. User interface D. Sensor

You answered A. The correct answer is D. A. Analyzers receive input from sensors and determine the presence of and type of intrusive activity. B. An administration console is the management interface component of an intrusion detection system (IDS). C. A user interface allows the administrators to interact with the IDS. D. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.
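To make the division of labour concrete, the following added example (not part of the original question bank) runs a sensor and an analyzer over a few constructed sshd log lines: the sensor only collects and normalises events, and the analyzer decides whether they amount to intrusive activity, here a password-guessing burst from one source address. The log lines, addresses and thresholds are constructed for illustration.

```python
# Added example, not from the original question bank: the sensor/analyzer split
# of an IDS over constructed sshd log lines. The sensor collects; the analyzer
# decides. Addresses are from the TEST-NET ranges, not a real capture.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
2024-05-01T10:00:03 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-05-01T10:00:04 sshd[1003]: Accepted publickey for deploy from 198.51.100.7 port 50010 ssh2
2024-05-01T10:00:06 sshd[1004]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-05-01T10:00:09 sshd[1005]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-05-01T10:00:12 sshd[1006]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-05-01T10:00:40 sshd[1007]: Failed password for oracle from 198.51.100.7 port 50011 ssh2
2024-05-01T10:02:30 sshd[1008]: Failed password for root from 203.0.113.5 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def sensor(lines):
    """Collection only: turn raw lines into normalised events and skip what it
    cannot parse. A real sensor would tap a network segment or a host log feed."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "time": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "failed": m["outcome"] == "Failed",
        }


def analyzer(events, threshold: int = 5, window_seconds: int = 60) -> list:
    """Decision: raise one alert per source address when `threshold` failed logins
    fall inside a sliding window. Alerts are returned for the console to display."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if not ev["failed"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "failures": len(q),
                           "first": q[0], "last": ev["time"]})
    return alerts


def run(log_text: str, **analyzer_options) -> list:
    """Wire sensor to analyzer; the administration console would configure the options."""
    return analyzer(sensor(log_text.splitlines()), **analyzer_options)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"ALERT {alert['ip']}: {alert['failures']} failures "
              f"between {alert['first'].time()} and {alert['last'].time()}")
```

Note that the last line of the sample, a sixth failure from the same address two minutes later, does not raise a second alert: the sliding window has expired the earlier events, and the analyzer has already alerted once on that source. Both behaviours are analyzer policy; the sensor is unchanged.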

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? Select an answer: A. Digitalized signatures B. Hashing C. Parsing D. Steganography

You answered A. The correct answer is D. A. Digitalized signatures are the scans of a signature (not the same as a digital signature) and not related to digital rights management. B. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing. D. Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data (e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities).
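The following added example, not part of the original question bank, shows the simplest form of digital watermarking mentioned in option D: a rights string is hidden in the least-significant bit of each 8-bit sample of a cover file, so that no sample changes by more than one step and the content is perceptually unchanged. The cover bytes and the rights string are constructed; the functions and the two-byte length prefix are this example's own design, not a standard format.

```python
# Added example, not from the original question bank: least-significant-bit (LSB)
# watermarking of an 8-bit sample stream. The cover bytes and rights string are
# constructed; the length-prefix framing is this example's own convention.
import os

LENGTH_BYTES = 2  # payload length prefix, so the extractor knows where to stop


def _to_bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write the length-prefixed payload into the LSB of successive cover bytes.
    Each cover byte changes by at most 1, imperceptible for 8-bit audio or pixels."""
    if len(payload) >= 1 << (8 * LENGTH_BYTES):
        raise ValueError("payload too long for the length prefix")
    framed = len(payload).to_bytes(LENGTH_BYTES, "big") + payload
    if len(framed) * 8 > len(cover):
        raise ValueError(f"cover of {len(cover)} bytes cannot hold {len(framed)} bytes")
    out = bytearray(cover)
    for i, bit in enumerate(_to_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, n: int) -> bytes:
    """Reassemble n bytes from the LSBs of stego[start_bit : start_bit + 8n]."""
    end = start_bit + 8 * n
    if end > len(stego):
        raise ValueError("truncated watermark")
    bits = [b & 1 for b in stego[start_bit:end]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then exactly that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, LENGTH_BYTES), "big")
    return _read_bytes(stego, 8 * LENGTH_BYTES, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference the watermark introduced."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = os.urandom(4096)  # stands in for raw 8-bit samples (constructed)
    marked = embed(cover, b"(c) Example Corp 2024, licence 0042")
    print(extract(marked), "max change per sample:", max_sample_change(cover, marked))
```

This is the fragile end of the technique: any re-encoding, resampling or lossy compression of the marked file destroys the LSBs, and an attacker who knows the scheme can strip it by clearing the low bit of every sample. Production DRM watermarks spread the rights data across perceptually robust features so the mark survives such transformations, but the idea of carrying rights information inside the content itself is the same.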

The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation and determined that he/she is the only user with administrative rights to the system. What should the IS auditor's initial determination be? Select an answer: A. The SAN is secure and no significant risk exists. B. The SAN presents a potential risk because soft zoning should be used. C. The SAN presents a potential risk because audit logs are not reviewed in a timely manner. D. The SAN presents a potential risk because only one employee has access.

You answered A. The correct answer is D. A. While the storage area network (SAN) may have been implemented with good controls, the greatest risk is that only one person has the knowledge and ability to maintain the system. B. Hard zoning is more secure and is preferred to soft zoning. Zoning is used to separate different data sources from each other (for instance, to ensure that payroll and human resource [HR] data are stored separately from sales data). Hard zones are enforced by the infrastructure (in hardware) and are therefore more secure than soft zones, which are implemented in software or firmware. C. The question does not provide information regarding whether logs are reviewed in a timely manner, and thus, the IS auditor does not have enough information to determine whether this is a risk area. D. The largest potential risk in this scenario is the risk that the SAN administrator represents a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN in his/her absence. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. If the SAN is securely configured, using hard zoning, logging and monitoring, and disabling of unused ports, no significant risk appears to exist regarding that configuration.

Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? Select an answer: A. Routing outbound Internet traffic through a content-filtering proxy server B. Routing inbound Internet traffic through a reverse proxy server C. Implementing a firewall with appropriate access rules D. Deploying client software utilities that block inappropriate content

You answered B. The correct answer is A. A. A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites. B. When a client web browser makes a request to an Internet site, those requests are outbound from the corporate network. A reverse proxy server is used to allow secure remote connection to a corporate site, not to control employee web access. C. A firewall exists to block unauthorized inbound and outbound network traffic. Some firewalls can be used to block or allow access to certain sites, but the term firewall is generic—there are many types of firewalls, and this is not the best answer. D. While client software utilities do exist to block inappropriate content, installing and maintaining additional software on a large number of PCs is less effective than controlling the access from a single, centralized proxy server.

Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC systems? Select an answer: A. Enforce use of a password-protected screen saver B. Implement proximity-based authentication system C. Terminate user session at predefined intervals D. Adjust power management settings so the monitor screen is blank

You answered B. The correct answer is A. A. A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training. B. There are solutions that will lock machines when users step away from their desks, and those would be suitable here; however, those tools are a more expensive solution, which would normally include the use of smart cards and extra hardware. Therefore, the use of a password-protected screen saver would be a better solution. C. Terminating user sessions is often done for remote login (periodic re-authentication) or after a certain amount of inactivity on a web or server session. There is more risk related to leaving the workstation unlocked; therefore, this is not the correct answer. D. Switching off the monitor would not be a solution because the monitor could simply be switched on.

Which of the following disaster recovery testing techniques is the MOST efficient way to determine the effectiveness of the plan? Select an answer: A. Preparedness tests B. Paper tests C. Full operational tests D. Actual service disruption

You answered B. The correct answer is A. A. Preparedness tests involve simulation of the entire environment (in phases) at relatively low cost and help the team to better understand and prepare for the actual test scenario. B. Paper tests in a walk-through test the entire plan, but there is no simulation and less is learned. It also is difficult to obtain evidence that the team has understood the test plan. C. Full operational tests would require approval from management, are not easy or practical to test in most scenarios and may trigger a real disaster. D. An actual service disruption is not recommended in most cases unless required by regulation or policy.

When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST concerned with the lack of: Select an answer: A. process owner involvement. B. well-documented testing procedures. C. an alternate processing facility. D. a well-documented data classification scheme.

You answered B. The correct answer is A. A. Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan (DRP). If the IS auditor determined that process owners were not involved, this would be a significant concern. B. While well-documented testing procedures are important, unless process owners are involved there is no way to know whether the priorities and critical elements of the plan are valid. C. An alternate processing facility may be a requirement to meet the needs of the business; however, such a decision needs to be based on the BIA. D. A data classification scheme is important to ensure that controls over data are appropriate; however, this is a lesser concern than a lack of process owner involvement.

Which of the following would be an indicator of the effectiveness of a computer security incident response team (CSIRT)? Select an answer: A. Financial impact per security incident B. Number of security vulnerabilities that were patched C. Percentage of business applications that are being protected D. Number of successful penetration tests

You answered B. The correct answer is A. A. The most important indicator is the financial impact per security incident. The team should be able to limit the cost of incidents through effective prevention, detection and response to incidents. B. Patching of security vulnerabilities is important but not a direct responsibility of the computer security incident response team (CSIRT). C. The CSIRT is not responsible for the protection of systems. That is the responsibility of the security team. D. The number of penetration tests measures the effectiveness of the security team and the patch management process, but not the effectiveness of the CSIRT.

Which of the following types of firewalls provide the GREATEST degree and granularity of control? Select an answer: A. Screening router B. Packet filter C. Application gateway D. Circuit gateway

You answered B. The correct answer is C. A. Screening routers and packet filters work at the protocol, service and/or port level. This means that they analyze packets from layers 3 and 4 and not from higher levels. B. A packet filter works at too low a level of the communication stack to provide granular control. C. The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transfer Protocol (HTTP) proxy that acts as an intermediary between external and internal hosts, but specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the port the packet is directed to (in this case port 80, or layer 4), it also checks every HTTP command (layers 5 and 7). Therefore, it works at a finer granularity than the other choices. D. A circuit gateway is based on a proxy or program that acts as an intermediary between external and internal accesses. This means that during an external access, instead of opening a single connection to the internal server, two connections are established: one from the external host to the proxy (which constitutes the circuit gateway) and one from the proxy to the internal server. Layers 3 and 4 (IP and Transmission Control Protocol [TCP]) and some general features from higher protocols are used to perform these tasks.
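The difference in granularity is easiest to see by judging the same request twice. The following added example, not part of the original question bank, passes constructed HTTP requests through a layer-3/4 packet filter (source address and destination port only) and then through a layer-7 application-gateway policy that inspects the HTTP command before relaying it. The rule sets, addresses and request bytes are constructed for illustration.

```python
# Added example, not from the original question bank: the same HTTP request judged
# by a layer-3/4 packet filter and by a layer-7 application gateway (HTTP proxy).
# Rule sets, addresses (TEST-NET ranges) and sample requests are constructed.
from ipaddress import ip_address, ip_network

# Packet-filter rules: (action, source network, destination port). First match wins.
PACKET_RULES = [
    ("deny",  ip_network("10.0.0.0/8"), 80),      # internal sources must not loop out
    ("allow", ip_network("0.0.0.0/0"),  80),
    ("allow", ip_network("0.0.0.0/0"),  443),
]

# Application-gateway policy: what the HTTP proxy is willing to relay inward.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
BLOCKED_PATH_PREFIXES = ("/admin", "/cgi-bin")
MAX_REQUEST_LINE = 2048


def packet_filter(src_ip: str, dst_port: int) -> bool:
    """Layer 3/4 decision: looks only at the source address and destination port."""
    src = ip_address(src_ip)
    for action, net, port in PACKET_RULES:
        if src in net and port == dst_port:
            return action == "allow"
    return False  # default deny


def parse_request_line(raw: bytes) -> tuple:
    """Return (method, target, version) or raise ValueError for a malformed line."""
    line = raw.split(b"\r\n", 1)[0]
    if len(line) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    parts = line.decode("ascii").split(" ")   # non-ASCII raises UnicodeDecodeError
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]


def application_gateway(src_ip: str, dst_port: int, raw: bytes) -> tuple:
    """Layer 7 decision: the packet filter still applies; then every HTTP command
    is inspected before the proxy opens its own connection to the internal server."""
    if not packet_filter(src_ip, dst_port):
        return False, "blocked at layer 3/4"
    try:
        method, target, _ = parse_request_line(raw)
    except ValueError as exc:                   # UnicodeDecodeError is a ValueError
        return False, f"malformed HTTP: {exc}"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if not target.startswith("/") or "/../" in target + "/":
        return False, "path rejected"
    if target.startswith(BLOCKED_PATH_PREFIXES):
        return False, f"path {target} not exposed"
    return True, "relayed to internal server"


# Constructed sample traffic: (source, port, first bytes of the connection).
SAMPLES = [
    ("203.0.113.9", 80,   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", 80,   b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", 80,   b"GET /admin/config HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", 80,   b"GET /a/../../etc/passwd HTTP/1.0\r\n\r\n"),
    ("203.0.113.9", 80,   b"\x16\x03\x01\x00\xa5\x01\x00"),      # TLS handshake on port 80
    ("10.1.2.3",    80,   b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("203.0.113.9", 8080, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for src, port, raw in SAMPLES:
        pf = packet_filter(src, port)
        ok, why = application_gateway(src, port, raw)
        print(f"{src:12s}:{port:<5d} packet filter={'ALLOW' if pf else 'DENY ':5s} "
              f"gateway={'ALLOW' if ok else 'DENY '} ({why})")
```

The packet filter allows the first five samples identically: they all come from a permitted address to port 80. Only the gateway can tell a legitimate GET from a TRACE request, a probe of an unexposed admin path, a traversal attempt, or a TLS handshake sent to the plaintext port. Note that the traversal check here is deliberately simple; a production proxy must also normalise percent-encoding before comparing paths.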

To ensure structured disaster recovery, it is MOST important that the business continuity plan (BCP) and disaster recovery plan (DRP) are: Select an answer: A. stored at an alternate location. B. communicated to all users. C. tested regularly. D. updated regularly.

You answered B. The correct answer is C. A. Storing the business continuity plan (BCP) at an alternate location is useful in the case of complete site outage; however, the BCP is not useful during a disaster without adequate tests. B. Communicating to users is not of much use without actual tests. C. If the BCP is tested regularly, the BCP and disaster recovery plan (DRP) team is adequately aware of the process and that helps in structured disaster recovery. D. Even if the plan is updated regularly, it is of less use during an actual disaster if it is not adequately tested.

Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when: Select an answer: A. a firewall exists. B. a secure web connection is used. C. the source of the executable file is certain. D. the host web site is part of the organization.

You answered B. The correct answer is C. A. There should always be a firewall on an Internet connection; however, whether to allow active content is a decision made depending on the source of the module. B. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. C. Acceptance of these mechanisms should be based on established trust. The control is provided by knowing the source and only then allowing the applets to be accepted. Hostile applets can be received from anywhere. D. Hosting the web site as part of the organization is impractical. The client will accept the program if the parameters are established to do so.

Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility? Select an answer: A. Verify compatibility with the hot site B. Review the implementation report C. Perform a walk-through of the disaster recovery plan (DRP) D. Update the IT asset inventory

You answered B. The correct answer is D. A. Before validating that the new hardware is compatible with the recovery site, the business continuity manager should update the listing of all equipment and IT assets included in the business continuity plan (BCP). B. The implementation report will be of limited value to the business continuity manager because the equipment has been installed. C. The walk-through of the plan should only be done after the asset inventory has been updated. D. An IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure.

A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario? Select an answer: A. Hire a second DBA and split the duties between the two individuals. B. Remove the DBA's root access on all UNIX servers. C. Ensure that all actions of the DBA are logged and that all logs are backed up to tape. D. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.

You answered B. The correct answer is D. A. Hiring additional staff would be a costly way to ensure segregation of duties. B. The database administrator (DBA) would need root access to the database servers to install upgrades or patches. C. The administrator could modify or erase logs prior to the tape backup event. D. By creating logs that the DBA cannot erase or modify, segregation of duties is enforced.

Which of the following is the MOST effective method for dealing with the spread of a network worm that exploits vulnerability in a protocol? Select an answer: A. Install the vendor's security fix for the vulnerability. B. Block the protocol traffic in the perimeter firewall. C. Block the protocol traffic between internal network segments. D. Stop the service until an appropriate security fix is installed.

You answered B. The correct answer is D. A. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective. B. Blocking the protocol on the perimeter does not stop the worm from spreading if it is introduced to the internal network(s) via a universal serial bus (USB) or other portable media. C. Blocking the protocol helps to slow the spread, but also prohibits any software that utilizes it from working between segments. D. Stopping the service and installing the security fix is the safest way to prevent the worm from spreading.

The PRIMARY purpose of a business impact assessment (BIA) is to: Select an answer: A. define recovery strategies. B. identify the alternate site. C. improve recovery testing. D. calculate the annual loss expectancy (ALE).

You are correct, the answer is A. A. One of the primary outcomes of a business impact assessment (BIA) is the recovery time objective (RTO) and the recovery point objective (RPO), which help in defining the recovery strategies. B. A BIA, itself, will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project. C. A BIA, itself, will not help improve recovery testing. That is done during the implementation and testing phase of the project. D. The annual loss expectancy (ALE) of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: Select an answer: A. recommend that mandatory access control (MAC) be implemented. B. report this as an issue. C. report this issue to the data owners to determine whether it is an exception. D. not report this issue because discretionary access controls (DACs) are in place.

You answered B. The correct answer is D. A. Recommending mandatory access control (MAC) is not correct because it is more appropriate for data owners to have discretionary access controls (DAC) in a low-risk application. B. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. C. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue. D. DAC allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.

Which of the following types of firewalls would BEST protect a network from an Internet attack? Select an answer: A. Screened subnet firewall B. Application filtering gateway C. Packet filtering router D. Circuit-level gateway

You answered C. The correct answer is A. A. A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to permit or deny traffic between networks or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network. B. Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application-level (proxy) gateway works at the application layer, not just at the packet level. This would be the best solution to protect an application but not a network. C. A packet filtering router examines the header of every packet traveling between the Internet and the corporate network. This is a low-level control. D. A circuit-level gateway, such as a Socket Secure (SOCKS) server, will protect users by acting as a proxy but is not the best defense for a network.

The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)? Select an answer: A. Contact information of key personnel B. Server inventory documentation C. Individual roles and responsibilities D. Procedures for declaring a disaster

You answered C. The correct answer is A. A. In the event of a disaster, it is important to have a current updated list of personnel who are key to the operation of the plan. B. Asset inventory is important and should be linked to the change management process of the organization, but having access to key people may compensate for outdated records. C. Individual roles and responsibilities are important, but in a disaster many people could fill different roles depending on their experience. D. The procedures for declaring a disaster are important because this can affect response, customer perception and regulatory issues, but not as important as having the right people there when needed.

Which of the following is an example of a passive attack initiated through the Internet? Select an answer: A. Traffic analysis B. Masquerading C. Denial-of-service (DoS) D. Email spoofing

You answered C. The correct answer is A. A. Internet security threats/vulnerabilities are divided into passive and active attacks. A passive attack is one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. B. Because masquerading alters the data by modifying the origin, it is an active attack. C. Because a denial-of-service (DoS) attack floods the network with traffic or sends malformed packets over the network, it is an active attack. D. Because email spoofing alters the email header, it is an active attack.

A disaster recovery plan (DRP) for an organization should: Select an answer: A. reduce the length of the recovery time and the cost of recovery. B. increase the length of the recovery time and the cost of recovery. C. reduce the duration of the recovery time and increase the cost of recovery. D. not affect the recovery time or the cost of recovery.

You answered C. The correct answer is A. A. One of the objectives of a disaster recovery plan (DRP) is to reduce the duration and cost of recovering from a disaster. B. A DRP would increase the cost of operations before and after the disaster occurs. C. A DRP should reduce the time to return to normal operations. D. A DRP should reduce the cost that could result from a disaster.

Which of the following is an advantage of elliptic curve encryption (ECC) over RSA encryption? Select an answer: A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Message integrity controls

You answered C. The correct answer is A. A. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the much smaller keys ECC needs for a comparable security level. B. Both encryption methods support digital signatures. C. Both encryption methods are public key systems, so key distribution works the same way for each. D. Both ECC and RSA can provide message integrity controls through digital signatures.

A digital signature contains a message digest to: Select an answer: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format.

You answered C. The correct answer is A. A. The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message. B. The message digest does not define the algorithm; it is there to ensure integrity. C. The message digest does not confirm the identity of the user; it is there to ensure integrity. D. The message digest does not enable the transmission in digital format; it is there to ensure integrity.

Which of the following results in a denial-of-service (DoS) attack? Select an answer: A. Brute force attack B. Ping of death C. Leapfrog attack D. Negative acknowledgement (NAK) attack

You are correct, the answer is B. A. A brute force attack exhausts all possible combinations of an encryption key or a password; it targets cryptography or authentication, not availability. B. A ping of death sends an ICMP echo request as fragments that reassemble to more than 65,535 bytes, the maximum size of an IPv4 datagram. On vulnerable systems the oversized reassembly overflows the receiving buffer and crashes or hangs the host, causing a denial of service. C. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. D. A negative acknowledgment (NAK) attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.
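The ping of death described in option B can be recognized from fragment headers alone: the reassembled size is the highest fragment offset plus that fragment's payload length, and anything above the IPv4 limit is an attack regardless of ICMP content. The following is an added example (not part of the original question set) that computes that size from a list of fragments; the fragment values, the 20-byte header assumption and the `Fragment` type are constructed for illustration.

```python
"""Ping-of-death check from IPv4 fragment headers.

Added example, not from the original question set. The fragment values below
are constructed for illustration."""

from dataclasses import dataclass
from typing import Iterable, Optional

IPV4_MAX_DATAGRAM = 65535   # the 16-bit total-length field cannot exceed this
IPV4_HEADER_LEN = 20        # header without options (assumed for the sample)
FRAG_UNIT = 8               # the 13-bit fragment offset counts 8-byte units


@dataclass(frozen=True)
class Fragment:
    ident: int            # IP identification field shared by all fragments of one datagram
    offset_units: int     # fragment offset in 8-byte units (0..8191)
    more_fragments: bool  # MF flag: False on the last fragment
    payload_len: int      # payload bytes carried by this fragment


def reassembled_size(fragments: Iterable[Fragment]) -> Optional[int]:
    """Size the datagram would have after reassembly (header + payload).

    Returns None while the final fragment (MF=0) has not been seen, which is
    how a real reassembler behaves before it knows the datagram is complete.
    """
    frags = list(fragments)
    if not frags or all(f.more_fragments for f in frags):
        return None
    payload_end = max(f.offset_units * FRAG_UNIT + f.payload_len for f in frags)
    return IPV4_HEADER_LEN + payload_end


def is_ping_of_death(fragments: Iterable[Fragment]) -> bool:
    """True when the fragments claim a datagram larger than IPv4 permits."""
    size = reassembled_size(fragments)
    return size is not None and size > IPV4_MAX_DATAGRAM


def _fragment_train(ident: int, count: int, tail_offset_units: int, tail_len: int):
    """Build `count` full-size (1480-byte payload) fragments followed by one tail fragment."""
    frags = [Fragment(ident, i * (1480 // FRAG_UNIT), True, 1480) for i in range(count)]
    frags.append(Fragment(ident, tail_offset_units, False, tail_len))
    return frags


def normal_fragments():
    """Constructed: an 11,840-byte echo request split into 8 fragments (benign)."""
    return _fragment_train(ident=0x1001, count=7, tail_offset_units=7 * 185, tail_len=1480)


def oversized_fragments():
    """Constructed: 44 fragments cover bytes 0..65119, then a final fragment at
    offset 65120 adds 1000 more bytes, reassembling to 66,140 bytes > 65,535."""
    return _fragment_train(ident=0x1002, count=44,
                           tail_offset_units=65120 // FRAG_UNIT, tail_len=1000)


if __name__ == "__main__":
    for name, train in (("normal", normal_fragments()), ("oversized", oversized_fragments())):
        print(f"{name}: reassembles to {reassembled_size(train)} bytes, "
              f"ping of death = {is_ping_of_death(train)}")
```

The individual fragments in the oversized train are each well under the interface MTU, which is why a per-packet size check at the perimeter misses this attack; the check has to be made on the reassembled length, as a reassembling firewall or IDS would do.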

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is: Select an answer: A. parameter tampering. B. cross-site scripting. C. cookie poisoning. D. stealth commanding.

You answered C. The correct answer is A. A. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in them (to be validated later). This practice is not safe because the field is still part of a request the client controls: an attacker can intercept, modify and submit requests to disclose information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering. B. Cross-site scripting injects attacker-controlled script into a page that other users' browsers then render. Hidden fields do not by themselves make this more likely; the risk described here is the server trusting values the client supplies, not the reflection of those values into pages seen by other users. C. Web applications use cookies to save session state information on the client machine so that the user does not need to log on every time a page is visited. Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. D. Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most common server exploits involve vulnerabilities of the server operating system or web server.
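The shopping-cart scenario in this question is the classic case: a hidden `price` field that the server multiplies by quantity. The following is an added example (not part of the original question set) showing the vulnerable handler beside a hardened one that looks prices up server-side, plus an HMAC seal for the rare case where a server-derived value genuinely has to round-trip through a hidden field. The catalog, field names and key are assumptions made for illustration.

```python
"""Hidden-field parameter tampering: vulnerable and hardened checkout totals.

Added example, not from the original question set. The catalog, form field
names and the HMAC key are assumptions made for illustration."""

import hashlib
import hmac
import secrets

# Constructed server-side catalog: SKU -> unit price in cents (assumed data)
CATALOG = {"sku-100": 4999, "sku-200": 12500}

# Secret used only to bind values that must round-trip through the client
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret


def total_vulnerable(form: dict) -> int:
    """VULNERABLE: trusts the hidden 'price' field exactly as the browser sent it.

    The field is invisible in the page, but it travels in the POST body, so an
    attacker who edits the request sets whatever price they like."""
    return int(form["price"]) * int(form["qty"])


def total_hardened(form: dict) -> int:
    """HARDENED: the client-supplied price is ignored; the server looks the price
    up by SKU and validates the quantity it is willing to accept."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return CATALOG[sku] * qty


def seal(value: str, key: bytes = SERVER_KEY) -> str:
    """For a server-derived value that must pass through a hidden field (e.g. a
    quote valid for this session), append an HMAC so any edit is detected."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def unseal(sealed: str, key: bytes = SERVER_KEY) -> str:
    """Return the value only if its HMAC verifies (constant-time comparison)."""
    value, sep, tag = sealed.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(tag, expected):
        raise ValueError("hidden field was tampered with")
    return value


def tamper_demo() -> dict:
    """Run both handlers on an honest form and on one with an edited hidden price."""
    honest = {"sku": "sku-100", "qty": "2", "price": "4999"}
    edited = dict(honest, price="1")  # attacker rewrote the hidden field in the request
    return {
        "honest_vulnerable": total_vulnerable(honest),
        "honest_hardened": total_hardened(honest),
        "edited_vulnerable": total_vulnerable(edited),
        "edited_hardened": total_hardened(edited),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Sealing only detects modification; the value is still readable by the client, so anything confidential still belongs in server-side session storage rather than in the page.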

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test? Select an answer: A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year. B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail. C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned. D. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants.

You answered C. The correct answer is B. A. This is not a concern because over the course of the year, all the systems were tested. B. The purpose of the test is to test the backup plan. When the backup systems are not working, the plan cannot be counted on in a real disaster. This is the most serious problem. C. In a real disaster, there is no need for a clean shutdown of the original production environment because the first priority is to bring the backup site up. D. A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff because a disaster can occur when they are not available. However, the fact that the plan documents are not used is less serious than the failure of the systems and infrastructure that the recovery plan counts on. Good practice would rotate different people through the test and ensure that the plan itself is followed and tested.

Which of the following provides the BEST evidence of an organization's disaster recovery readiness? Select an answer: A. A disaster recovery plan (DRP) B. Customer references for the alternate site provider C. Processes for maintaining the DRP D. Results of tests and exercises

You answered C. The correct answer is D. A. Having a plan is important, but a plan cannot be considered effective until it has been tested. B. Customer references may aid in choosing an alternate site provider, but will not ensure the effectiveness of the plan. C. A disaster recovery plan (DRP) must be kept up to date through a regular maintenance and review schedule, but this is not as important as testing. D. Only tests and exercises demonstrate the adequacy of the plans and provide reasonable assurance of an organization's disaster recovery readiness.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should: Select an answer: A. do nothing because the inherent security features of GSM technology are appropriate. B. recommend that the CIO stop using the laptop computer until encryption is enabled. C. ensure that media access control (MAC) address filtering is enabled on the network so unauthorized wireless users cannot connect. D. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

You answered D. The correct answer is A. A. The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. GSM authenticates the subscriber to the carrier and encrypts the radio link, and the VPN establishes an encrypted session end to end between the laptop and the corporate network, so the corporate traffic is protected regardless of the strength of the carrier's radio-link cipher. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Deployed commercial GSM networks have overlapping security features intended to prevent eavesdropping, session hijacking and unauthorized use of the carrier network. Unlike wireless technologies such as 802.11b wireless local area networks (LANs), which let the user adjust or even disable security settings, GSM does not expose its link-layer security settings to the device user. B. Because the chief information officer (CIO) is using a VPN, it can be assumed that encryption is enabled in addition to the security features in GSM. C. Media access control (MAC) filtering can be used on a wireless LAN but does not apply to a GSM network device. D. Because the GSM network is being used rather than a wireless LAN, two-factor authentication cannot be configured on the wireless link itself; it would be a property of the VPN logon.

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? Select an answer: A. Issues of privacy B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of-sight reading

You answered D. The correct answer is A. A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. B. That wavelength can be absorbed by the human body is a concern of less importance. C. That RFID tags may not be removable is a concern of less importance than the violation of privacy. D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? Select an answer: A. Server-based antivirus software B. Enterprise-based antivirus software C. Workstation-based antivirus software D. Perimeter-based antivirus software

You answered D. The correct answer is B. A. An effective antivirus solution must be a combination of server-, network- and perimeter-based scanning and protection. B. An important means of controlling the spread of viruses is to deploy an enterprisewide antivirus solution that will monitor and analyze traffic at many points. This provides a layered defense model that is more likely to detect malware regardless of how it comes into the organization—through a universal serial bus (USB) or portable storage, a network, an infected download or malicious web application. C. Only checking for a virus on workstations would not be adequate because malware can infect many network devices or servers as well. D. Because malware can enter an organization through many different methods, only checking for malware at the perimeter is not enough to protect the organization.

An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is: Select an answer: A. tested every six months. B. regularly reviewed and updated. C. approved by the chief executive officer (CEO). D. communicated to every department head in the organization.

You answered D. The correct answer is B. A. The plan must be subjected to regular testing, but the period between tests will depend on the nature of the organization, the amount of change in the organization and the relative importance of IS. Three months, or even annually, may be appropriate in different circumstances. B. The plan should be reviewed at appropriate intervals, depending on the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. C. Although the disaster recovery plan should receive the approval of senior management, it need not be the chief executive officer (CEO) if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. D. Although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communication staff.

IT management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: Select an answer: A. upgrading to a level 5 RAID. B. increasing the frequency of onsite backups. C. reinstating the offsite backups. D. establishing a cold site in a secure location.

You answered D. The correct answer is C. A. Upgrading to level 5 Redundant Array of Inexpensive Disks (RAID) will not address the problem of catastrophic failure of the data center housing all the data. B. Increasing the frequency of onsite backups is not relevant to RAID 1 because all data are being mirrored already. C. A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups. D. A cold site is an offsite recovery location, but will not provide for data recovery because a cold site is not used to store data.

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? Select an answer: A. Review the parameter settings. B. Interview the firewall administrator. C. Review the actual procedures. D. Review the device's log file for recent attacks.

You are correct, the answer is A. A. A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. B. An interview with the firewall administrator will not ensure that the firewall is configured correctly. C. Reviewing the actual procedures is good but will not ensure that the firewall rules are correct and compliant with policy. D. Recent attacks may indicate problems with the firewall but will not ensure that it is correctly configured.
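The audit procedure in option A, comparing the configured rules with the written policy, is mechanical enough to script, which also yields the evidence documentation the answer mentions. The following is an added example (not part of the original question set) that parses an INPUT chain in iptables-save style and reports deviations from three policy statements. The rulesets are constructed, and the policy statements (default deny, no unrestricted accept, management ports reachable only from the admin network) are assumptions standing in for an organization's own security policy.

```python
"""Compare an INPUT-chain ruleset against a written firewall policy.

Added example, not from the original question set. The ruleset lines are
constructed in iptables-save style; the policy statements, admin network and
management port list are assumptions."""

import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed management network
MGMT_PORTS = {22, 3389}                                 # assumed: SSH and RDP

# Constructed ruleset with three policy violations
SAMPLE_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp --dport 3306 -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p tcp --dport 443 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -j ACCEPT
"""

# Constructed ruleset that satisfies the policy
COMPLIANT_RULES = """\
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?P<opts>.*?) -j (?P<target>\S+)$")


def parse_rules(text: str) -> dict:
    """Extract the INPUT default policy and the fields the audit needs from each rule."""
    policy, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT "):
            policy = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("chain") != "INPUT":
            continue
        rule = {"line": line, "target": m.group("target"), "source": ANY,
                "proto": None, "dport": None, "stateful": False}
        opts = m.group("opts").split()
        for i, tok in enumerate(opts):
            if tok == "-s":
                rule["source"] = ipaddress.ip_network(opts[i + 1], strict=False)
            elif tok == "-p":
                rule["proto"] = opts[i + 1]
            elif tok == "--dport":
                rule["dport"] = int(opts[i + 1])
            elif tok == "--state":
                rule["stateful"] = True   # return traffic for established sessions
        rules.append(rule)
    return {"policy": policy, "rules": rules}


def audit(text: str) -> list:
    """Return one finding per policy deviation; an empty list means compliant."""
    parsed = parse_rules(text)
    findings = []
    if parsed["policy"] != "DROP":
        findings.append(f"INPUT default policy is {parsed['policy']}; policy requires DROP")
    for r in parsed["rules"]:
        if r["target"] != "ACCEPT":
            continue
        if r["dport"] is None and not r["stateful"] and r["source"] == ANY:
            findings.append(f"unrestricted accept from any source: {r['line']}")
        if r["dport"] in MGMT_PORTS and not any(r["source"].subnet_of(n) for n in ADMIN_NETS):
            findings.append(f"management port {r['dport']} reachable outside admin nets: {r['line']}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print("FINDING:", f)
    print("compliant ruleset findings:", audit(COMPLIANT_RULES))
```

The parser only recognizes the handful of match options the policy statements need; a real audit would also compare rule order, since an early broad accept silences every narrower rule that follows it.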

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: Select an answer: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat.

You are correct, the answer is A. A. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. B. Forwarding the security alert is not harmful to the organization. C. Implementing individual solutions is unlikely and inefficient, but not a serious risk. D. Users failing to understand the threat would not be a serious concern.

With the help of a security officer, granting access to data is the responsibility of: Select an answer: A. data owners. B. programmers. C. system analysts. D. librarians.

You are correct, the answer is A. A. Data owners are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update). B. Programmers will develop the access control software that will regulate the ways that users can access the data (update, read, delete, etc.), but the programmers do not have responsibility for determining who gets access to data. C. Systems analysts work with the owners and programmers to design access controls according to the rules set by the owners. D. The librarians enforce the access control procedures they have been given but do not determine who gets access.

The IS auditor is reviewing prior findings from an IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be? Select an answer: A. Digital signatures are not adequate to protect confidentiality. B. Digital signatures are adequate to protect confidentiality. C. The IS auditor should gather more information about the specific implementation. D. The IS auditor should recommend implementation of digital watermarking for secure email.

You are correct, the answer is A. A. Digital signatures are designed to provide authentication, integrity and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior year's finding. B. Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read it because the data are in plaintext. C. Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality. D. Digital watermarking is used to protect intellectual property rights for documents rather than to protect the confidentiality of email.

A hot site should be implemented as a recovery strategy when the: Select an answer: A. disaster tolerance is low. B. recovery point objective (RPO) is high. C. recovery time objective (RTO) is high. D. maximum tolerable downtime (MTD) is long.

You are correct, the answer is A. A. Disaster tolerance is the time gap during which the business can accept nonavailability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. B. The recovery point objective (RPO) is the point in time to which data must be restored after an interruption, i.e., the maximum acceptable data loss measured in time. A high RPO means the process can tolerate greater losses of data, which does not by itself call for a hot site. C. A high recovery time objective (RTO) means that additional time would be available for the recovery strategy, thus making other recovery alternatives, such as warm or cold sites, viable. D. If the maximum tolerable downtime (MTD) is long, then a warm or cold site is a more cost-effective solution.

The MOST important difference between hashing and encryption is that hashing: Select an answer: A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end.

You are correct, the answer is A. A. Hashing works one way: applying a hashing algorithm to a message produces a message hash/digest, and no algorithm applied to the digest yields the original message. Hashing is therefore irreversible, while encryption is reversible by anyone holding the key. This is the basic difference between hashing and encryption. B. Hashing creates a fixed-length output that is usually smaller than the original message, and encryption creates an output that is usually the same length as the original message (plus any padding). C. Hashing is used to verify the integrity of the message; on its own it does not provide confidentiality, so "integrity and security" overstates what it does. D. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest, but this is not what distinguishes hashing: symmetric encryption also uses the same key at both ends, while encryption in general applies a reverse process (decryption) or a different key at the receiving end.

Which of the following acts as a decoy to detect active Internet attacks? Select an answer: A. Honeypots B. Firewalls C. Trapdoors D. Traffic analysis

You are correct, the answer is A. A. Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. B. A firewall is a preventive measure. C. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. D. Traffic analysis is a type of passive attack based on capturing network traffic.

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: Select an answer: A. physically separated from the data center and not subject to the same risk. B. given the same level of protection as that of the computer data center. C. outsourced to a reliable third party. D. equipped with surveillance capabilities.

You are correct, the answer is A. A. It is important that there is an offsite storage location for IS files and that it is in a location not subject to the same risk as the primary data center. B. The offsite location may be shared with other companies and, therefore, have an even higher level of protection than the primary data center. C. An offsite location may be owned by a third party or by the organization itself. D. Physical protection is important but not as important as not being affected by the same crisis.

Which of the following scenarios provides the BEST disaster recovery plan (DRP) to implement for critical applications? Select an answer: A. Daily data backups that are stored offsite and a hot site located 140 kilometers from the main data center B. Daily data backups that are stored onsite in a fireproof safe C. Real-time data replication between the main data center and the hot site located 500 meters from the main site D. Daily data backups that are stored offsite with a warm site located 70 kilometers from the main data center

You are correct, the answer is A. A. Of the given choices, this is the most suitable answer. The disaster recovery plan (DRP) includes a hot site that is located sufficiently away from the main data center and will allow recovery in the event of a major disaster. Not having real-time backups may be a problem depending on recovery point objective (RPO). B. Having data backups is necessary, but not having a replication site would be insufficient for the critical application. C. Depending on the type of disaster, a hot site should normally be located more than 500 meters from the main facility. Having real-time backups may be the best option though, depending on the data RPO. D. A warm site may take days to recover, and therefore, it may not be a suitable solution.

The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? Select an answer: A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation

You are correct, the answer is A. A. Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. B. Shoulder surfing (looking over the shoulder of a person to view sensitive information on a screen or desk) would not be prevented by the implementation of this policy. C. Dumpster diving, looking through an organization's trash for valuable information, could be done outside the company's physical perimeter; therefore, this policy would not address this attack method. D. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack.

An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate: Select an answer: A. a data loss of up to one minute, but the processing must be continuous. B. a one-minute processing interruption but cannot tolerate any data loss. C. a processing interruption of one minute or more. D. both a data loss and a processing interruption longer than one minute.

You are correct, the answer is A. A. Recovery time objective (RTO) measures an organization's tolerance for downtime and recovery point objective (RPO) measures how much data loss can be accepted. An RTO of zero means processing must be continuous, and an RPO of one minute means up to one minute of data may be lost. B. A processing interruption of one minute would exceed the zero RTO set by the organization. C. A processing interruption of one minute or more would exceed the continuous availability requirements of an RTO of zero. D. An RPO of one minute would only allow data loss of one minute.

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data? Select an answer: A. Secure Sockets Layer (SSL) B. Intrusion detection system (IDS) C. Public key infrastructure (PKI) D. Virtual private network (VPN)

You are correct, the answer is A. A. Secure Sockets Layer (SSL) is used for many e-commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code (HMAC). B. An intrusion detection system (IDS) will log network activity but is not used for protecting traffic over the Internet. C. Public key infrastructure (PKI) is used in conjunction with SSL or for securing communications such as e-commerce and email. D. A virtual private network (VPN) is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection (OSI) stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective? Select an answer: A. VoIP infrastructure needs to be segregated using virtual local area networks (VLANs). B. Buffers need to be introduced at the VoIP endpoints. C. Ensure that end-to-end encryption is enabled in the VoIP system. D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

You are correct, the answer is A. A. Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). B. The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method. C. Encryption is used when VoIP calls use the Internet (not the local LAN) for transport because the assumption is that the physical security of the building as well as the Ethernet switch and VLAN security is adequate. D. The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.

Which of the following would MOST effectively reduce social engineering incidents? Select an answer: A. Security awareness training B. Increased physical security measures C. Email monitoring policy D. Intrusion detection systems

You are correct, the answer is A. A. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. B. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident. C. An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. D. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

A hacker could obtain passwords without the use of computer tools or programs through the technique of: Select an answer: A. social engineering. B. sniffers. C. back doors. D. Trojan horses.

You are correct, the answer is A. A. Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data. B. A sniffer is a computer tool used to monitor the traffic in networks. C. Back doors are computer programs left by hackers to exploit vulnerabilities. D. Trojan horses are computer programs that masquerade as legitimate programs; the functionality of the program is not authorized and is usually malicious in nature.

The review of router access control lists should be conducted during: Select an answer: A. an environmental review. B. a network security review. C. a business continuity review. D. a data integrity review.

You are correct, the answer is B. A. Environmental reviews examine physical security such as power and physical access. They do not require a review of the router access control lists. B. Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc. C. Business continuity reviews ensure the business continuity plan (BCP) is up to date, adequate to protect the organization and tested, and do not require a review of the router access control lists. D. Data integrity reviews validate data accuracy and protect from improper alterations, but do not require a review of the router access control lists.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? Select an answer: A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages

You are correct, the answer is A. A. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message. B. Users may have the ability to send messages but should not be able to verify their own messages. C. This is an example of separation of duties. A person can send their own message but only verify the messages of other users. D. The ability to capture and verify the messages of others but only send their own messages is acceptable.

A live test of a mutual agreement for IT system recovery has been carried out, including a four-hour test of intensive usage by the business units. The test has been successful, but gives only partial assurance that the: Select an answer: A. system and the IT operations team can sustain operations in the emergency environment. B. resources and the environment could sustain the transaction load. C. connectivity to the applications at the remote site meets response time requirements. D. workflow of actual business operations can use the emergency system in case of a disaster.

You are correct, the answer is A. A. The applications have been operated intensively, but the capability of the system and the IT operations team to sustain and support this environment (ancillary operations, batch closing, error corrections, output distribution, etc.) is only partially tested. B. Because the test involved intensive usage, the backup would seem to be able to handle the transaction load. C. Because users were able to connect to and use the system, the response time must have been satisfactory. D. The intensive tests by the business indicated that the workflow systems worked correctly. Changes to the environment could pose a problem in the future, but it is working correctly now.

Which of the following would be the BEST access control procedure? Select an answer: A. The data owner formally authorizes access and an administrator implements the user authorization tables. B. Authorized staff implements the user authorization tables and the data owner sanctions them. C. The data owner and an IS manager jointly create and update the user authorization tables. D. The data owner creates and updates the user authorization tables.

You are correct, the answer is A. A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner. B. The owner sets the rules and conditions for access. It is best to obtain approval before implementing the tables. C. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner. The IT department should set up the access control tables at the direction of the owner. D. The data owner would not usually manage updates to the authorization tables.

Web and email filtering tools are PRIMARILY valuable to an organization because they: Select an answer: A. protect the organization from viruses and nonbusiness materials. B. maximize employee performance. C. safeguard the organization's image. D. assist the organization in preventing legal issues.

You are correct, the answer is A. A. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email. B. Maximizing employee performance could be true in some circumstances (i.e., it would need to be implemented along with an awareness program so that employee performance can be significantly improved). However, the primary benefit is protecting the organization from viruses and nonbusiness activity. C. Safeguarding the organization's image is a secondary benefit. D. Preventing legal issues is important, but not the primary reason for filtering.

The security level of a private key system depends on the number of: Select an answer: A. encryption key bits. B. messages sent. C. keys. D. channels used.

You are correct, the answer is A. A. The security level of a private key system depends on the number of encryption key bits (the key length). The larger the number of bits, the more difficult it would be to brute force the key or defeat the algorithm. B. The more often a key is used, the higher the risk of compromise, but the main determination for the strength of an algorithm is based on key length. C. The number of keys used is not a valid measure for the strength of most cryptosystems. Triple Data Encryption Standard (DES) is an exception to this. D. Channels, which could be open or secure, are the medium for sending the message. The strength is provided through encryption and does not rely on the type of channel used.

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? Select an answer: A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP). B. A digital signature with RSA has been implemented. C. Digital certificates with RSA are being used. D. Work is being completed in TCP services.

You are correct, the answer is A. A. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header (AH) and encapsulating security payload (ESP) services can be nested. This is known as IP Security (IPSec). B. A digital signature with RSA provides authentication and integrity but not confidentiality. C. Digital certificates with RSA provide authentication and integrity but do not provide encryption. D. Transmission Control Protocol (TCP) services do not provide encryption and authentication.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? Select an answer: A. Actions performed on log files should be tracked in a separate log. B. Write access to audit logs should be disabled. C. Only select personnel should have rights to view or delete audit logs. D. Backups of audit logs should be performed periodically.

You are correct, the answer is C. A. Having additional copies of log file activity would not prevent the original log files from being deleted. B. For servers and applications to operate correctly, write access cannot be disabled. C. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. D. Frequent backups of audit logs would not prevent the logs from being deleted.

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? Select an answer: A. A denial-of-service (DoS) attack B. Spoofing C. Port scanning D. A man-in-the-middle attack

You are correct, the answer is B. A. A denial-of-service (DoS) attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once. B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources. C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address. D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead it might be designed to hijack an authorized connection between a workstation and the payroll server.

The PRIMARY reason for using digital signatures is to ensure data: Select an answer: A. confidentiality. B. integrity. C. availability. D. timeliness.

You are correct, the answer is B. A. A digital signature does not, in itself, address message confidentiality. B. Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin. C. Availability is not related to digital signatures. D. A digital signature may include a time stamp that can be used to prevent replay attacks, but this is not the primary reason to use a digital signature.

Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce? Select an answer: A. Registration authority B. Certificate authority (CA) C. Certification revocation list (CRL) D. Certification practice statement

You are correct, the answer is B. A. A registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the certificate authority (CA). B. The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication. C. A CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. A certificate that is put on a CRL can no longer be trusted. D. A certification practice statement is a detailed set of rules governing the certificate authority's operations.

Which of the following cryptography options would increase overhead/cost? Select an answer: A. The encryption is symmetric rather than asymmetric. B. A long asymmetric encryption key is used. C. The hash is encrypted rather than the message. D. A secret key is used.

You are correct, the answer is B. A. An asymmetric algorithm requires more processing time than a symmetric algorithm. B. Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. C. A hash is usually shorter than the original message; therefore, a smaller overhead is required if the hash is encrypted rather than the message. D. A secret key used for symmetric encryption is generally short and is used for the purpose of encrypting user data.

Which of the following BEST helps define disaster recovery strategies? Select an answer: A. Annual loss expectancy (ALE) and exposure factor B. Maximum tolerable downtime and data loss C. Existing server and network redundancies D. Data backup and offsite storage requirements

You are correct, the answer is B. A. Annual loss expectancy (ALE) and exposure factor are more related to risk in general. B. One of the key outcomes of the business impact analysis (BIA) is the recovery time objective (RTO) and recovery point objective (RPO)—maximum tolerable downtime and data loss—that further help in identifying the recovery strategies. C. Existing server and network redundancies are good to know, but the RTO and RPO are needed to design the right recovery strategies. D. Data backup and offsite storage requirements are an important aspect of a business continuity plan (BCP), but these alone will not help in defining the disaster recovery strategies.

An organization's IT director has approved the installation of a wireless local area network (WLAN) access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that: Select an answer: A. encryption is enabled on the access point. B. the conference room network is on a separate virtual local area network (VLAN). C. antivirus signatures and patch levels are current on the consultants' laptops. D. default user IDs are disabled and strong passwords are set on the corporate servers.

You are correct, the answer is B. A. Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network. B. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network (VLAN) is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users. C. Antivirus signatures and patch levels are good practices but not as critical as preventing network access via access controls for the corporate servers. D. Protecting the organization's servers through good passwords is good practice, but it is still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network they could use password cracking tools against other corporate machines.

Which of the following is the MOST effective control when granting temporary access to vendors? Select an answer: A. Vendor access corresponds to the service level agreement (SLA). B. User accounts are created with expiration dates and are based on services provided. C. Administrator access is provided for a limited period. D. User IDs are deleted when the work is completed.

You are correct, the answer is B. A. The service level agreement (SLA) may have a provision for providing access, but this is not a control; it would merely define the need for access. B. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ID. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities. C. Vendors may require administrator access for a limited period during the time of service. However, it is important to ensure that the level of access granted is set according to least privilege and that access during this period is monitored. D. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. The access should only be granted at the level of work required.

During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? Select an answer: A. Network equipment failure B. Distributed denial-of-service (DDoS) attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

You are correct, the answer is B. A. The use of Voice-over Internet Protocol (VoIP) does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. B. A distributed denial-of-service (DDoS) attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications. C. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. D. Social engineering, which involves gathering sensitive information to launch an attack, can be exercised over any kind of telephony.

Which of the following is an example of the defense-in-depth security principle? Select an answer: A. Using two firewalls to consecutively check the incoming network traffic B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Having no physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic

You are correct, the answer is B. A. Use of two firewalls in sequence would not represent an effective defense-in-depth strategy because the same attack could circumvent both devices. By using two different products, the probability of both products having the same vulnerabilities is diminished. B. Defense in depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls on the hosts form a second line of defense. C. Having no physical signs on the outside of a computer center building is a single security measure known as security by obscurity. D. Using two firewalls in parallel to check different types of incoming traffic provides redundancy but is only a single security mechanism and, therefore, no different from having a single firewall checking all traffic.

Which of the following BEST mitigates the risk arising from using reciprocal agreements as a recovery alternative? Select an answer: A. Perform disaster recovery exercises annually. B. Ensure that partnering organizations are separated geographically. C. Regularly perform a business impact analysis (BIA). D. Select a partnering organization with similar systems.

You are correct, the answer is B. A. Disaster recovery exercises are important but difficult to perform under a reciprocal agreement; the greater risk is geographic proximity. B. If the two partnering organizations are in close geographic proximity, this could lead to both organizations being subjected to the same environmental disaster, such as an earthquake. C. A business impact analysis (BIA) will help both organizations identify critical applications, but separation is a more important consideration when entering reciprocal agreements. D. Selecting a partnering organization with similar systems is a good idea, but separation is a more important consideration when entering reciprocal agreements.

Which of the following is the MOST significant function of a corporate public key infrastructure (PKI) and certificate authority (CA) employing X.509 digital certificates? Select an answer: A. It provides the public/private key set for the encryption and signature services used by email and file space. B. It binds a digital certificate and its public key to an individual subscriber's identity. C. It provides the authoritative source for employee identity and personal details. D. It provides the authoritative authentication source for object access.

You are correct, the answer is B. A. While some email applications depend on public key infrastructure (PKI)-issued certificates for nonrepudiation, the purpose of PKI is to provide authentication of the individual and link an individual with their private key. The certificate authority (CA) does not ordinarily create the user's private key. B. PKI is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous. C. Personal details are not stored in or provided by components in the PKI. D. Authentication services within operating systems and applications may be built on PKI-issued certificates, but PKI does not provide authentication services for object access.

Neural networks are effective in detecting fraud because they can: Select an answer: A. discover new trends because they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output.

You are correct, the answer is C. A. Neural networks are inherently nonlinear. B. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. D. Neural networks make no assumption about the shape of any curve relating variables to the output.

Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness? Select an answer: A. Paper test B. Posttest C. Preparedness test D. Walk-through

You are correct, the answer is C. A. A paper test is a walk-through of the plan, involving the major players, who attempt to determine what might happen in a particular type of service disruption during the plan's execution. A paper test usually precedes the preparedness test. B. A posttest is actually a test phase and consists of a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. C. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. D. A walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.

Which control is the BEST way to ensure that the data in a file have not been changed during transmission? Select an answer: A. Reasonableness check B. Parity bits C. Hash values D. Check digits

You are correct, the answer is C. A. A reasonableness check is used to ensure that input data is within expected values, not to ensure integrity of data transmission. B. Parity bits are a weak form of data integrity checks used to detect errors in transmission, but they are not as good as using a hash. C. Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. D. Check digits are used to detect an error in an account number—usually related to a transposition or transcribing error.

Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target? Select an answer: A. Blind testing B. Targeted testing C. Double-blind testing D. External testing

You are correct, the answer is C. A. Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted. B. Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point. C. Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real. D. External testing refers to a test where an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? Select an answer: A. Data Encryption Standard (DES) B. Message digest 5 (MD5) C. Advanced Encryption Standard (AES) D. Secure Shell (SSH)

You are correct, the answer is C. A. Data Encryption Standard (DES) is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. B. Message digest 5 (MD5) is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive. C. Advanced Encryption Standard (AES) provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data. D. Secure Shell (SSH) is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

Which of the following is the BEST reason for integrating the testing of noncritical systems in disaster recovery plans (DRPs) with business continuity plans (BCPs)? Select an answer: A. To ensure that DRPs are aligned to the business impact analysis (BIA). B. Infrastructure recovery personnel can be assisted by business subject matter experts. C. BCPs may assume the existence of capabilities that are not in DRPs. D. To provide business executives with knowledge of disaster recovery capabilities.

You are correct, the answer is C. A. Disaster recovery plans (DRPs) should be aligned with the business impact analysis (BIA); however, this has no impact on integrating the testing of noncritical systems in DRPs with business continuity plans (BCPs). B. Infrastructure personnel will be focused on restoring the various platforms that make up the infrastructure, and it is not necessary for business subject matter experts to be involved. C. BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities (e.g., they cannot support a large number of employees working from home). While the noncritical systems are important, it is possible that they are not part of the DRPs. For example, an organization may use an online system that does not interface with the internal systems. If the business function using the system is a critical process, the system should be tested, and it may not be part of the DRP. Therefore, DRP and BCP testing should be integrated. D. While business executives may be interested in the benefits of disaster recovery, testing is not the best way to accomplish this task.

To address an organization's disaster recovery requirements, backup intervals should not exceed the: Select an answer: A. service level objective (SLO). B. recovery time objective (RTO). C. recovery point objective (RPO). D. maximum acceptable outage (MAO).

You are correct, the answer is C. A. Organizations will try to set service level objectives (SLOs) to meet established business targets. The resulting time for the service level agreement (SLA) relates to recovery of services, not to recovery of data. B. Recovery time objective (RTO) defines the time period after the disaster in which normal business functionality needs to be restored. C. Recovery point objective (RPO) defines the point in time to which data must be restored after a disaster to resume processing transactions. Backups should be performed in a way that the latest backup is no older than this maximum time frame. If the backups are not done frequently enough, then too much data is likely to be lost. D. Maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption (MTPD) or maximum allowable downtime (MTD). However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization's survival.

Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them? Select an answer: A. Overwriting the tapes B. Initializing the tape labels C. Degaussing the tapes D. Erasing the tapes

You are correct, the answer is C. A. Overwriting the tapes is a good practice, but if the tapes have contained sensitive information then it is necessary to degauss them. B. Initializing the tape labels would not remove the data on the tape and could lead to compromise of the data on the tape. C. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes. D. Erasing the tapes will make the data unreadable except for sophisticated attacks; therefore, tapes containing sensitive data should be degaussed.

An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? Select an answer: A. Ensure that ports 80 and 443 are blocked at the firewall. B. Inspect file and access permissions on all servers to ensure that all files have read-only access. C. Perform a web application security review. D. Make sure that only the IP addresses of existing customers are allowed through the firewall.

You are correct, the answer is C. A. Port 80 must be open for a web application to work, and port 443 must be open for Hypertext Transfer Protocol Secure (HTTPS) to operate. B. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. C. Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. D. Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

A certificate authority (CA) can delegate the processes of: Select an answer: A. revocation and suspension of a subscriber's certificate. B. generation and distribution of the CA public key. C. establishing a link between the requesting entity and its public key. D. issuing and distributing subscriber certificates.

You are correct, the answer is C. A. Revocation and suspension of the subscriber certificate are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. B. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated. C. Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. D. Issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform.

To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that: Select an answer: A. the company policy be changed. B. passwords are periodically changed. C. an automated password management tool be used. D. security awareness training is delivered.

You are correct, the answer is C. A. The policy is appropriate and does not require change. Changing the policy would not ensure compliance. B. Having a requirement to periodically change passwords is good practice and should be in the password policy. C. The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time. D. Security awareness training would not enforce compliance.

The MAIN purpose for periodically testing offsite disaster recovery facilities is to: Select an answer: A. protect the integrity of the data in the database. B. eliminate the need to develop detailed contingency plans. C. ensure the continued compatibility of the contingency facilities. D. ensure that program and system documentation remains current.

You are correct, the answer is C. A. The testing of an offsite facility does nothing to protect the integrity of the database. It may test the validity of backups, but does not protect their integrity. B. Testing an offsite location validates the value of the contingency plans and is not used to eliminate detailed plans. C. The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster. D. Program and system documentation should be reviewed continuously for currency. A test of an offsite facility may ensure that the documentation for that site is current, but this is not the purpose of testing an offsite facility.

Which of the following types of transmission media provide the BEST security against unauthorized access? Select an answer: A. Copper wire B. Twisted pair C. Fiber-optic cables D. Coaxial cables

You are correct, the answer is C. A. Twisted pair, coaxial and copper wire traffic can be monitored with inexpensive equipment. B. It is relatively easy to monitor traffic on twisted pair cabling. C. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media. D. Coaxial cable can be monitored with relative ease.

An organization discovers that the PC of the chief financial officer (CFO) has been infected with malware that is a keystroke logger and a rootkit. The FIRST action to take would be to: Select an answer: A. contact the appropriate law enforcement authorities to begin an investigation. B. immediately ensure that no additional data are compromised. C. disconnect the PC from the network. D. update the antivirus signature on the PC to ensure that the malware or virus is detected and removed.

You are correct, the answer is C. A. While contacting law enforcement may be needed, the first step would be to halt data flow by disconnecting the PC from the network. B. The first step is to disconnect the machine from the network, and then, using proper forensic techniques, capture the information stored in temporary files, network connection information, programs loaded into memory and other information on the machine. C. The most important task is to prevent further data compromise and preserve evidence. By disconnecting the PC from the network, the risk of further data compromise is mitigated. D. Preserve the machine in a forensically sound condition and do not make any changes to it except to disconnect it from the network. Otherwise evidence would be destroyed by powering off the PC or updating the software on the PC. Information stored in temporary files, network connection information, programs loaded into memory, and other information may be lost.

Which of the following is the MOST reasonable option for recovering a noncritical system? Select an answer: A. Warm site B. Mobile site C. Hot site D. Cold site

You are correct, the answer is D. A. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations that should be recovered in a moderate amount of time. B. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any location, depending upon the need. The need for a mobile site depends upon the scale of operations. C. A hot site is contracted for a shorter time period at a higher cost, and it is better suited for recovery of vital and critical applications. D. Generally, a cold site is contracted for a longer period at a lower cost. Because it requires more time to make a cold site operational, it is generally used for noncritical applications.

The reliability of an application system's audit trail may be questionable if: Select an answer: A. user IDs are recorded in the audit trail. B. the security administrator has read-only rights to the audit file. C. date and time stamps are recorded when an action occurs. D. users can amend audit trail records when correcting system errors.

You are correct, the answer is D. A. An audit trail must record the identity of the person or process involved in the logged activity to establish accountability. B. Restricting the administrator to read-only access will protect the audit file from alteration. C. Date and time stamps should be recorded in the logs to enable the reconstruction and correlation of events on multiple systems. D. An audit trail is not effective if the details in it can be amended.

The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? Select an answer: A. Database administrators are restricted from access to HR data. B. Database logs are encrypted. C. Database stored procedures are encrypted. D. Database initialization parameters are appropriate.

You are correct, the answer is D. A. Database administrators would have access to all data on the server, but there is no practical control to prevent that; therefore, this would not be a concern. B. Database audit logs normally would not contain any confidential data; therefore, encrypting the log files is not required. C. If a stored procedure contains a security sensitive function such as encrypting data, it can be a requirement to encrypt the stored procedure. However, this is less critical than ensuring initialization parameters are correct. D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle Database Management System), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server? Select an answer: A. Host intrusion detection software installed on a server B. Password expiration and lockout policy C. Password complexity rules D. Two-factor authentication

You are correct, the answer is D. A. Host intrusion detection software will assist in the detection of unauthorized system access, but does not prevent such access. B. While controls regarding password expiration and lockout from failed login attempts are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. Password-only based authentication may not provide adequate security. C. While controls regarding password complexity are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. D. Two-factor authentication requires a user to utilize a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.

During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the: Select an answer: A. event error log generated at the disaster recovery site. B. disaster recovery test plan. C. disaster recovery plan (DRP). D. configurations and alignment of the primary and disaster recovery sites.

You are correct, the answer is D. A. If the issue cannot be clarified, the IS auditor should then review the event error log. B. The disaster recovery test plan would not identify any issues related to system performance unless the test was poorly designed and inefficient, but that would come after checking the configuration. C. Reviewing the disaster recovery plan (DRP) would be unlikely to provide any information about system performance issues. D. Because the configuration of the system is the most probable cause, the IS auditor should review that first.
