Domain 5 (CISA Review Questions, Answers & Explanations Manual, 12th Edition | Print | English)

A5-6 Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? A. Firewalls B. Routers C. Layer 2 switches D. Virtual local area networks

A is the correct answer. A. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. B. Routers can filter packets based on parameters, such as source address but are not primarily a security tool. C. Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic. D. A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local access network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.

AS-50 The FIRST step in data classification is to; A. establish ownership. B. perform a criticality analysis. C. define access rules. D.create a data dictionary.

A is the correct answer. Justification: A. Data classification is necessary to define access rules based on a need-to-do and need-to- know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. B. A criticality analysis is required to determine the appropriate levels of protection of data, according to the data classification. C. Access rules are set up dependent on the data classification. D. Input for a data dictionary is prepared from the results of the data classification process.

The IS auditor is reviewing findings from a prior IS audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization implemented digital signatures 'for all email users. What should the IS auditor's response be? A. Digital signatures are not adequate to protect confidentiality. B. Digital Signature's are adequate to protect confidentiality, C. The IS auditor should gather more information about the specific implementation. D. The auditor should recommend implementation of digital water marking for secure email.

A is the correct answer. Justification: A. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior-year's finding. B. Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read the message because the data are in plaintext. C. Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality. D. Digital watermarking is used to protect intellectual property rights for documents rather than to protect the confidentiality of email.

The MOST important difference between hashing and encryption is that hashing: A. is irreversible. B, output is the same length as the original message. C. is concerned with integrity and security. D.is the same at the sending and receiving end.

A is the correct answer. Justification: A. Hashing works one way-by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it win not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. B. Hashing creates a fixed-length output that is usually smaller than the original message, and encryption creates an output that is usually the same length as the original message. C. Hashing is used to verify the integrity of the message and does not address security.The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. D. Encryption may use different keys or a reverse process at the sending and receiving ends to encrypt and decrypt.

AS-24 An IS auditor discovers that the configuration settings for password controls more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take? A. Determine whether this is a policy violation and document it. B. Document the observation as an exception. C. Recommend that all password configuration settings be identical. D. Recommend that logs of IT developer access are reviewed periodically.

A is the correct answer. Justification: A. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed. B. This condition would not be considered an exception if procedures are followed according to approved policies. C. There may be valid reasons for these settings to be different; therefore, the auditor would not normally recommend changes before researching company policies and procedures. D. While reviewing logs may be a good compensating control, the more important course of action would be to determine if policies are being followed.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective? A. VoIP infrastructure needs to be segregated using virtual local area networks. B. Buffers need to be introduced at the VoIP endpoints. C. Ensure that end-to-end encryption is enabled in the VolP system. D.Ensure thatemergencybackuppowerisavailable forallpartsoftheVoIPinfrastructure.

A is the correct answer. Justification: A. Segregating the Voice-over Internet Protocol (VoJP) traffic using virtual local area networks (VLANs) would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). B. The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method. C. Encryption is used when VolP calls use the Internet (not the local LAN) for transport because the assumption is that the physical security of the building as well as the Ethernet switch and VLA.~ security IS adequate. D. The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.

Which of the following would be the BEST access control procedure? A. The data owner holds the privilege and responsibility access and an IS administrator should then implement or update user authorization tables. B. Authorized staff implements the user authorization tables and the data owner approves them. C. The data owner and an IS manager jointly create and update the user authorization tables. D.Thedataownercreatesandupdatestheuserauthorizationtables.

A is the correct answer. Justification: A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner. B. The owner sets the rules and conditions for access, It is best to obtain approval before implementing the tables. C. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner.The IT department should set up the access control tables at the direction of the owner. D. The data owner would not usually manage updates to the authorization tables.

AS-87 A Transmission Control Protocol/Internet Protocol (TCPIIP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? A. Work is completed in tunnel mode with IP security. B. A digital signature with RSA has been implemented. c. Digital certificates with RSA are being used. D.WorkisbeingcompletedinTCPservices.

A is the correct answer. Justification: A. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security. B. A digital Signature with RSA provides authentication and integrity but not confidentiality. C. Digital certificates with RSA provide authentication and integrity but do not provide encryption. D. Transmission Control Protocol services do not provide encryption and authentication.

AS-31 Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? A. Routing outbound Internet traffic through a content-filtering proxy server B, Routing inbound Internet traffic through a reverse proxy server C, Implementing a firewall with appropriate access rules D. Deploying client software utilities that block inappropriate content

A is the correct answer. Justification: A. A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites. B. When a client web browser makes a request to an Internet site, those requests are outbound from the corporate network. A reverse proxy server is used to allow secure remote connection to a corporate site, not to control employee web access. C. A firewall exists to block unauthorized inbound and outbound network traffic, Some firewalls can be used to block or allow access to certain sites, but the term firewall is generic-there are many types of firewalls, and this is not the best answer. D. While client software utilities do exist to block inappropriate content, installing and maintaining additional softwareonalargenumberofPCsislesseffectivethancontrollingtheaccessfroma single,centralizedproxyserver.

AS-8 Which of the following is the BEST way to minimize unauthorized access to unattended end - user PC systems? A. Enforce use of a Password protected screen saver B. Implement proximity-based authentication system C. Terminate user session at predefined intervals D. Adjust power management settings so the monitor screen is blank

A is the correct answer. Justification: A. A Password protected screen saver with a proper time interval is the best measure to prevent Unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training. B. There are solutions that will lock machines when users step away from their desks, and those would be suitable here; however, those tools are a more expensive solution, which would normally include the use of smart cards and extra hardware. Therefore, the use of a 'PElSSWIltd.pl10te.o;Wd screen saver would be a better solution. C. Terminating user sessions is often done for remote login (periodic re-authentication) or after a certain amount of inactivity on a web or server session. There is more risk related to leaving the workstation unlocked; therefore, this is not the correct answer. D. Switching off the monitor would not be a solution because the monitor could simply be switched on.

AS-93 Which of the following is the BEST control over a guest wireless ID that is given to vendor staff'? A. Assignment of a renewable user ID which expires daily B. A write-once log to monitor the vendor's activities on the system C. Use of a user ID format similar to that used by employees D. Ensuring that wireless network encryption is configured properly

A is the correct answer. Justification: A. A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used Without authorization, B. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus IS not as strong as a preventive control. C. The user ID format does not change the overall security of the wireless connection. D. Controls related to the encryption of the wireless network are important; however,the access to that network is a more critical issue.

AS-77 Which of the following is an example of a passive cybersecurity attack? A. Traffic analysis B. Masquerading C. Denial-of-service D. Email spoofing

A is the correct answer. Justification: A. Cybersecurity threats/vulnerabilities are divided into passive and active attacks. A passive attack is one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. B. Because masquerading alters the data by modifying the origin, it is an active attack. C. Because a denial-of-service attack floods the network with traffic or sends malformed packets over the network, it is an active attack: D. Because email spoofing alters the email header. it is an active attack.

With the help of a security officer, granting access to data is the responsibility of: A. data owners. B. programmers. C. system analysts. D. librarians.

A is the correct answer. Justification: A. Data owners are responsible for the access to and use of data. Written authorization for users to gain accessto computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access(e.g., read or update). B. Programmers will develop the access control software that will regulate the ways that users can access the data (update, read, delete, etc.), but the programmers do not have responsibility for determining who gets access to data. e. Systems analysts work with the owners and programmers to design access controls according to the rules set by the owners. D. The librarians enforce the access control procedures they have been given but do not determine who gets access. AS-50TheFIRST stepin

AS-97 The technique used to ensure security in virtual private networks is called: A. data encapsulation. B. data wrapping. C. data transformation. D. data hashing.

A is the correct answer. Justification: A. Encapsulation, or tunneling, is a technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network. B. W rapping is used where the original packet is wrapped in another packet but is not directly related to security. C. To transform or change the state of the communication would not be used for security. D. Hashing is used in virtual private networks to ensure message integrity.

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites IS very high. The MOST effective control for reducing this exposure is: A. encryption. B. call back modems. C. message authentication. D. dedicated leased lines,

A is the correct answer. Justification: A. Encryption of data is the most secure method of protecting confidential data from exposure. B. A callback system is used to ensure that a user is only logging in from a known location. It is not effective to protect the transmitted data from interception. C. Message authentication is used to prove message integrity and source but not confidentiality. D. It is more difficult to intercept traffic traversing a dedicated leased line than it is to intercept data on a shared network, but the only way to really protect the confidentiality of data is to encrypt it.

AS-39 During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: A. periodic review of user activity logs. B.verification of userauthorization at the field level. C.review of data communication access activity logs. D.periodic review of changing data files

A is the correct answer. Justification: A. General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted. B. Verification of user authorization at the field level is a database- andlor an application-level access control function and not applicable to an operating system. C. Review of data communication access activity logs is a network control feature D. Periodic review of changing data files is related to a change control process.

The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation

A is the correct answer. Justification: A. Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. Ifevery employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. B. Shoulder surfing (looking over the shoulder of a person to view sensitive information on a screen or desk) would not be prevented by the implementation of this policy. C. Dumpster diving, looking through an organization's trash for valuable information, could be done outside the company's physical perimeter; therefore, this policy would not address this attack method. D. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack.

AS-72 Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data? A. Secure Sockets Layer B. Intrusion detection system C. Public key infrastructure D. Virtual private network

A is the correct answer. Justification: A. Secure Sockets Layer (SSL) is used for many ecommerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code. R An intrusion detection system will log network activity but is not used for protecting traffic over the Internet. C. Public key infrastructure is used in conjunction with SSL or for securing communications such as ecommerce and email. Do A virtual private network (VPN) is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability), A VPN can operate at different levels of the Open Systems Interconnection stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

Which of the following would MOST effectively reduce social engineering incidents? A. Security awareness training B. Increased physical security measures C. Email monitoring policy D. Intrusion detection systems

A is the correct answer. Justification: A. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. B. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident. C. An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. D. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

AS-52 A hacker could obtain passwords without the use of computer tools or programs through the technique of: A. social engineering. B, sniffers, C. back doors. D. Trojan horses,

A is the correct answer. Justification: A. Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data. B, A sniffer is a computer tool to monitor the traffic in networks. C. Back doors are computer programs left by hackers to exploit vulnerabilities. D. Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature.

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the, contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is A. parameter tampering. B. cross-site scripting. C. cookie poisoning. D. stealth commanding.

A is the correct answer. Justification: A. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user; to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering. B. Cross-site scripting involves the compromise of the web page to redirect users to content on the attacker web site. The use of hidden fields has no impact on the likelihood of a cross-site scripting attack because these fields are static content that cannot ordinarily be modified to create this type of attack. Web applications use cookies to save session state information on the client machine so that the user does not need to log on every time a page is visited. C. Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. D. Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most conunon server exploits involve vulnerabilities of the server operating system or web server.

AS-7 An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem using global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network when the CIO travels outside of the office. The IS auditor should: A. do nothing because the inherent security features of GSM technology are appropriate. B. recommend that the CIO stop using the laptop computer until encryption is enabled. C. ensure that media access control address filtering is enabled on the network so unauthorized wireless users cannot connect. D. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

A is the correct answer. Justification: A. The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. The confidentiality of the communication on the GSM radio link is ensured by the use of encryption and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunicatiens that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11 wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled. B. Because the chief information officer (CIO) is using a VPN it can be assumed that encryption is enabled in addition to the security features in GSM. In addition, VPNs will not allow the transfer of data for storage on the remote device (such as the ClO's laptop). C. Media access control (MAC) filtering can be used on a wireless LAN but does not apply to a GSM network device. D. Because the GSM network is being used rather than a wireless LAN, it is not possible to configure settings for two-factor authentication over the wireless link. However, two-factor authentication is recommended as it will better protect against unauthorized access than single factor authentication.

AS-71 Which of the following is an advantage of elliptic curve encryption over RSA encryption? A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Message integrity controls

A is the correct answer. Justification: A. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA. B. Both encryption methods support digital signatures. C. Both encryption methods are used for public key encryption and distribution. D. Both ECC and RSA offer message integrity controls.

A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format,

A is the correct answer. Justification: A. The message digest is calculated and included in a digital signature to prove tbat the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message. B. The message digest does not define the algorithm; it is there to ensure integrity. C. The message digest does not confirm the identity of the user; it is there to ensure integrity. D. The message digest does not enable the transmission in digital format; it is there to ensure integrity.

AS-78 An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? A. Chain of custody of electronic evidence B. System breach notification procedures C. Escalation procedures to external agencies D. Procedures to recover lost data

A is the correct answer. Justification: A. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. B. System breach notification is an important aspect and, in many cases, may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply. C. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation. D. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.

AS-51 During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: A. Enrollment. B. identification. C. verification D. storage.

A is the correct answer. Justification: A. The users of a biometric device must first be enrolled in the device. B. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes, C. A user applying for access will be verified against the stored enrolled value. D. The biometric stores sensitive personal information, so the storage must be secure.

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? A. The local area network (LAN) switches are not connected to uninterruptible power supply units. B. Network cabling is disorganized and not properly labeled. C. The telephones are using the same cable used for LAN connections, D.The wiring closet also contains power lines and breaker panels

A is the correct answer. Justification: A. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. H the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls. B. While improper cabling can create reliability issues, the more critical Issue in this case would be the lack of power protection. C. An advantage ofVoIP telephone systems is that they use the same cable types and even network switches as standard PC network connections. Therefore, this would not be a concern. D. As long as the power and telephone equipment are separated, this would not be a significant risk.

A5-65 Which of the following cryptography options would increase overhead/cost? A. The asymmetric algorithm. rather than symmetric algorithms B. A long asymmetric 'encryption key is used. . C. D. The hash is encrypted rather than the message. A secret key is used.

B is the correct answer. Justification: A. An asymmetric algorithm requires more processing time than symmetric algorithms. B. Computer processing time is increased for longer asymmetric encryption keys, and the increase may be d1~p:roportil)nl\te'F. or example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. C. A hash is usually shorter than the original message; therefore, a smaller overhead is required if the hash is encrypted rather than the message. D. Use of a secret key, as a syrrunetnc encryption key, is generally small and used for the purpose of encrypting user data.

82. The review of router access control lists should be conducted during: A. an environmental review. B. a network security review. C. a business continuity review. D. a data integrity review.

B is the correct answer. Justification: A. Environmental reviews examine physical security such as power and physical access. They do not require a review of the router access control lists. B. Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc. C. Business continuity reviews ensure the business continuity plan is up to date, adequate to protect the organization and tested, and do not require a review of the router access control lists. D. Data integrity reviews validate data accuracy and protect from improper alterations, but do not require a review of the router access control lists.

Digital signatures require the: A. signer to have a public key and the receiver to have a private key. B. signer to have a private key and the receiver to have a public key C. signer and receiver to have a public key. D.signer and receiver to have a private key.

B is the correct answer. Justification: A. If a sender encrypts a message with a public key, it will provide confidential transmission to the receiver with the private key. B. Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is based on the sender encrypting a digest of the message with their private key and the receiver validating the message with the public key. C Asymmetric key cryptography always works with key pairs. Therefore, a message encrypted with a publickey could onlybe openedwith a privatekey. D. Ifboth the senderand receiverhavea privatekey therewould be no wayto validatethe digitalSIgnature.

AS-94 An IS auditor performing a telecommnnication access control review should be concerned PRIMARILY with the: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D.accountability system andtheabilitytoidentifyanyterminalaccessingsystemresources.

B is the correct answer. Justification: A. The maintenance of access logs of usage of system resources is a detective control. A preventive control should be used first. B. The authorization and authentication of users before granting them access to system resources (networks, servers, applications, etc.) is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security. C. The adequate protection of data being stored on servers by encryption or other means is a method of protecting stored information and is not a network access issue. D. The accountabilitysystemand the abilityto identifyany terminalaccessingsystemresourcesdeal with controllingaccessthroughthe identificationof a terminalor deviceattemptingto connectto the ~. This is callednode authenticationand is not as good as authenticatingthe user sittingat that node.

A5-3 The PRIMARY purpose of audit trails is to: A. improve response time for users. B. establish accountability for processed transactions. C. improve the operational efficiency of the system. D. provide information to auditors who wish to track transactions.

B is the correct answer. Justification: A. The objective of enabling software to provide audit trails is not to improve system efficiency because it often involves additional processing which may, in fact, reduce response time for users. B. Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. C. Enabling audit trails involves Storage and, thus, occupies disk space and may decrease operational efficiency. D. Audit trails are used to track transactions for various purposes, not just for audit. The use of audit trails for IS auditors is valid; however, it is not the primary reason.

AS-35 Which of the following is the MOST effective control when granting temporary access to vendors? A. Vendor access corresponds to the service level agreement B User accounts are created with expiration dates and are based on services provided. C. Administrator access is provided for a limited period. D.User ID's aredeletedwhentheworkiscompleted.

B is the correct answer. Justification: A. The service level agreement may have a provision for providing access, but this is not a control; it would merely define the need for access. B. The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (automated is best) associated with each unique ill. The use of an identity management system enforces temporary and permanent access for users, at the same time ensuring proper accounting of their activities. C. Vendors may require administrator access for a limited period during the time of service. However, it is important to ensure that the level of access granted is set according to least privilege and that access during this period is monitored. D. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. The access should only be granted at the level of work required.

AS-33 An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST coacem? A. Wireless mobile devices are not password-protected. B. Default passwords are not changed when installing network devices. C. An outbound web proxy does not exist. D.Allcommunicationlinksdonotuse encryption.

B is the correct answer. Justification: A. While mobile devices that are not password protected would be a risk, it would not be as significant as unsecured network devices. B. The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment. C. The use of a web proxy is a good practice but may not be required depending on the enterprise. D. Encryption is a good control for data security but is not appropriate to use for all communication links due to cost and complexity.

AS-30 During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? A. Network equipment failure B. Distributed denial-of-service attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

B is the correct answer. Justification: A. The use of Voice-over Internet Protocol does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. B. A distributed denial-of-service (DDoS) attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications. C. Toll fraud occurs when someone compromises the phone system and makes unauthorized long distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service; D Social engineering, which involves gathering sensitive information to launch an attack, can be exercised over any kind of telephony.

AS-70 Which of the following results in a denial-of-service attack? A. Brute force attack B. Ping of death C. Leapfrog attack D. Negative acknowledgment attack

B is the correct answer. Justification: A. A brute force attack is typically a text attack that exhausts all possible key combinations used alil,aiml encryption keys or passwords. B. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. C. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. D. A negative acknowledgment 1S a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

A5-28 During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? A. A denial-of-service attack B. Spoofing C. Port scanning D. A man-in-the-middle attack

B is the correct answer. Justification: A. A denial-of-service attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (hotnets) and may involve attacks from multiple computers at once. B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources. C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server but would not normally create a log entry that indicated external traffic from an internal server address. D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead it might be designed to hijack an authorized connection between a workstation and the payroll server.

A5-76 The PRIMARY reason for using digital signatures is to ensure data: A. confidentiality B. integrity. C. availability. D. correctness.

B is the correct answer. Justification: A. A digital signature does not, in itself, address message confidentiality. B. Digital signatures provide integrity because the digital signature of a signed message (file, mail, document-eta) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin. C. Availability is not related to digital signatures. D. In general, correctness is not related to digital signatures ..A digital signature guarantee data integrity, however cannot ensure correctness of signed data.

An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack? A. A race condition B. A privilege escalation C. A buffer overflow D. An impersonation

B is the correct answer. Justification: A. A race condition exploit involves the timing of two events and an action that causes one event to happen later than expected. The scenario given is not an example of a race condition exploit. B. A privilege escalation is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level. C. Buffer overflows involve applications of actions that take advantage of a defect in the wayan application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways. The scenario given is not an example of a buffer overflow exploi.t. D. Impersonation attacks involve an error in the identification of a privileged user. The scenario given is not an example of this exploit.

A5-86 Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to ecommerce? A. Registration authority B. Certificate authority C. Certification revocation list D. Certification practice statement

B is the correct answer. Justification: A. A registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the certificate authority (CA). B. The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication. C. A CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility A certificate that is put on a CRL can no longer be trusted. D.A certification practice statement is a detailed set of rules governing the certificate authority's operations

AS-13 A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement? A. Mandatory B. Role-based C. Discretionary D. Single sign-on

B is the correct answer. Justification: A. An access control system based on mandatory access control would be expensive, and difficult to implement and maintain in a large complex organization. B. Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis. C. Discretionary access control (DAC) is where the owner of the resources decides who should have access to that resource. Most access control systems are an implementation of DAC. This answer is not specific enough for this scenario. D. Single sign-on is an access control technology used to manage access to multiple systems, networks and applications. This answer is not specific enough for this question.

AS-74 Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected ·corporate network? A. Server-based antivirus software B. Enterprise-based antivirus software C. Work station based antivirus software D. Perimerer-based antivirus software

B is the correct answer. Justification: A. An effective antivirus solution must be a combination of server-, network- and perimeter-based scanning and protection. B. An important means of controlling the spread of viruses is to deploy an enterprisewide antivirus solution that will monitor and analyze traffic at many points. This provides a layered defense model that is more likely to detect malware regardless of how it comes into the organization through a universal serial bus (USB) or portable storage, a network, an infected download or malicious web application. C. Only checking for a virus on workstations would not be adequate because malware can infect many network devices or servers as well. D. Because malware can enter an organization through many different methods, only checking for malware at the perimeter is not enough to protect the organization.

AS-91 An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk? A. Expired digital certificates B. Self-signed digital certificates C. Using the same digital certificate for multiple web sites D. Using 56-bit digital certificates

B is the correct answer. Justification: A. An expired certificate leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower. B. Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack. C. Using the same digital certificate is not a significant risk. Wildcard digital certificates may be used for multiple sub domain web sites. D. 56-bit digital certificates may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

A5-4 Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? A. Intrusion detection systems B. Data mining techniques C. Stateful inspection firewalls D. Packet filtering routers

B is the correct answer. Justification: A. An intrusion detection system is effective in detecting network or host-based errors but not effective in measuring fraudulent transactions. B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card. C. A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions. D. A packet filtering router operates at a network level and cannot see a transaction.

AS-34 An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process

B is the correct answer. Justification: A. Data retention, backup and recovery are important controls; however, they do not guarantee data privacy. B. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. C. Network and intrusion detection are helpful when securing the data, but on their own, they do not guarantee data privacy stored at a third-party provider. D. A patch management process helps secure servers and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

AS-1O An organization's IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the Internet with their laptop computers "The BEST control to protect the corporate servers from unauthorized access is to ensure that: A. encryption is enabled on the access point. B. the conference room network is on a separate virtual local area network (VLAN). C, antivirus signatures and patch levels are current on the consultants' laptops. D, default user IDs are disabled and strong passwords are set on the corporate servers.

B is the correct answer. Justification: A. Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network. B. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users. C. Antivirus signatures and patch levels are good practices but not as critical as preventing network access via access controls for the corporate servers. D. Protecting the organization's servers through good passwords is good practice, but it IS still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network, they could use password cracking tools against other corporate machines.

42. During an IS risk assessment of a health care organization regarding protected health care information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? A. The organization does not encrypt all of its outgoing email messages. B. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. C. An individual's computer screen saver function is disabled. D. Server configuration requires the user to change the password annually.

B is the correct answer. Justification: A. Encrypting all outgoing email is expensive and is not common business practice, B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care infonnation (PHI) to protect sensitive information C. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization. D. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

A5-16 Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise's data? A. Exception reports B. Segregation of duties C. Review of access logs and activities D. Management supervision

B is the correct answer. Justification: A. Exception reports are detective controls used to indicate when the activities of the database administrator (DBA) were performed without &.utbDd1.ation. B. Adequate segregation of duties (SoD) is a preventative control-that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task. C. Reviews of access logs are used to detect the activities performed by the DBA. D. Management supervision of DBA activities is used to detect which DBA activities were not authorized.

A5-43 Which of the following is the responsibility of information asset owners? A. Implementation of infcrDlarioll securlty within applications B. Assignment of criticality levels to data C. Implementation of access rules to data and programs D. Provision of physical and logical security for data

B is the correct answer. Justification: A. Implementation of information security within an application is the responsibility of the data custodians based on the requirements set by the data owner. B. It is the responsibility of owners to define the criticality (and sensitivity)levelsof information assets. C. Implementation of access rules is a responsibility of data custodians based on the requirements set by the data owner. D. Provision of physical and logical security for data is the responsibility of the security administrator.

73 Which of the following preventive controls BEST helps secure a web application? A. Password masking· B. Developer training C. Use of encryption D. Vulnerability testing

B is the correct answer. Justification: A. Password masking is a necessary preventive control but is not the best way to secure an application. B. Of the given choices, teaching developers to write secure code is the best way to secure a web application. C. Encryption will protect data but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices. D. Vulnerability testing can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.

AS-48 Security administration procedures require read-only access to: A. access control tables. B. security log files .. C. logging options. D. user profiles.

B is the correct answer. Justification: A. Security administration procedures require write access to access control tables to manage and update the privileges according to authorized business requirements. B. Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. C. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported. D. The security administrator is often responsible for user-facing issues such as managing user roles, profiles and settings. This requires the administrator to have more than read-only access.

An IS auditor suspects an incident is occurring while an audit is being performed on a fmancial system. What should the IS auditor do FIRST? A. Request that the system be shut down to preserve evidence. B. Report the incident to management. C. Ask for immediate suspension of the suspect accounts. D. Investigate the source and nature of the incident.

B is the correct answer. Justification: A. The IS auditor should follow the incident response process of the organization. The auditor is not authorized to shut the system down. B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor's role to respond to incidents during an audit. C. The IS auditor is not authorized to lead the investigation or to suspend user accounts. The auditor should report the incident to management. D. Management is responsible to set up and follow an incident management plan; that is not the responsibility of the IS auditor.

AS-41 When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor? A. Passwords are shared. B. Unencrypted passwords are used. C. Redundant logon IDs exist. D. Third-party users possess administrator access.

B is the correct answer. Justification: A. The passwords should not be shared, but this is less important than ensuring that the password files are encrypted. B. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered. C. Checking for the redundancy of logon IDs is essential but is less important than ensuring that the passwords are encrypted. D. There may be business requirements such as the use of contractors that requires them to have system access, so this may not be a concern.

Which of the following is an example of the defense in-depth security principle? A. Using two firewalls to consecutively check the incoming network traffic B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Lack of physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic

B is the correct answer. Justification: A. Use of two firewalls would not represent an effective defense in-depth strategy because the same attack could circumvent both devices. By using two different products, the probability of both products having the same vulnerabilities is diminished. B. Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. C. Having no physical signs on the outside of a computer center building is a single security measure known as security by obscurity. D. Usingtwo firewallsin parallelto checkdifferenttypes of incomingtraffic providesredundancybut is only a singlesecuritymechanismand,therefore,no differentthan having a singlefirewallchecking all traffic.

AS-84 Which of the following is the MOST significant function of a corporate public key infrastructure and certificate authority employing X.509 digital certificates? A. It provides the public/private key set for the encryption and signature services used by email and file space. B. It binds a digital certificate and its public key to an individual subscriber's identity. C. It provides the authoritative source for employee identity and personal details. D. It provides the authoritative authentication source for object access.

B is the correct answer. Justification: A. While some email applications depend on public key infrastructure (pKI)-issued certificates for nonrepudiation, the purpose ofPKI is to provide authentication of the individual and link an individual with their private key. The certificate authority (CA) does not ordinarily create the user's private key. B. PKI is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous. C. Personal details are not stored in or provided by components in the PKI. D. Authentication services within operating systems and applications may be built on PKI-issued certificates, but PKI does not provide authentication services for object access.

An organization allows for the use of universal serial bus drives to transfer operational data between offices. Which of the following is the GREATEST risk associated with the use of these devices? A. Files are not backed up B. Theft of the devices C. Use of the devices for personal purposes D. Introduction of malware into the network

B is the correct answer. Justification: A. While this is a risk, theft of an unencrypted device is a greater risk. B. Because universal serial bus (USB) drives tend to be small, they are susceptible to theft or loss. This represents the greatest risk to the organization. C. Use of USB drives for personal purposes is a violation of company policy; however, this is not the greatest risk. D. Good general IT controls will include the scanning of USB drives for malware once they are inserted in a computer. The risk of malware in an otherwise robust environment is not as great as the risk of loss or theft.

AS-2 Which control is the BEST way to ensure that the data in a file have not been changed during transmission? A. Reasonableness check B. Parity bits C. Hash values D. Check digits

C is the correct answer. Justification: A. A reasonableness check is used to ensure that input data is within expected values, not to ensure integrity of data transmission. Data can be changed and still pass a reasonableness test. B. Parity bits are a weak form of data integrity checks used to detect errors in transmission, but they are not as good as using a hash. C. Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed. D. Check digits are used to detect an error in a numeric field such as an account number and is usually related to a transposition or transcribing error.

The MOST important factor in planning a black box penetration test is: A. the documentation of the planned testing procedure. B. a realistic evaluation of the environment architecture to determine scope. C. knowledge by the management staff of the client organization. D-schedulingand decidingonthetimedlengthofthetest.

C is the correct answer. Justification: A. A penetration test should be carefully planned and executed, but the most important factor is proper approvals. B. In a black box penetration test, the environment is not known to the testing organization. C. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. Itis important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. D. A test must be scheduled so as to minimize the risk of affecting critical operations; however, this is part of working with the management of the organization.

AS-IS An organization discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take would be to: A. Contact the appropriate law enforcement authorities to begin an investigation. B. Immediately ensure that no additional data are compromised. C. Disconnect the PC from the network. D.Updatetheantivirussignatureonthepctoensurethatthemalwareorvirusisdetectedandremoved.

C is the correct answer. Justification: A. Although contacting law enforcement may be needed, the first step would be to halt data flow by disconnecting the computer from the network. B. The first step is to disconnect the computer from the network thus ensuring that no additional data are compromised. and then, using proper forensic techniques, capture the information stored in temporary files, network connection information, programs loaded into memory and other information on the machine. C. The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network. D. Preserve the machine in a forensically sound condition and do not make any changes to it except to disconnect it from the network. Otherwise evidence would be destroyed by powering off the PC or updating the software on the PC. Information stored in temporary files, network connection information, programs loaded into memory, and other information may be lost.

An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to: A. maintain impartiality while evaluating the transaction. B. ensure that the independence of an IS auditor is maintained. C. assure that the integrity of the evidence is maintained. D. assess all relevant evidence for the transaction.

C is the correct answer. Justification: A. Although it is important for an IS auditor to be impartial, in this case it is more critical that the evidence be preserved. B. Although it is important for an IS auditor to maintain independence, in this case it is more critical that the evidence be preserved. C. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law. D, While it is also Important to assess all relevant evidence, it is more important to maintain the chain of custody, which ensures the integrity of evidence.

AS-22 A human resources company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? A. The password for the wireless network is changed on a weekly basis. B. A stateful inspection firewall is used between the public wireless and company networks. C. The public wireless network is physically segregated from the company network. D. An intrusion detection system is deployed within the wireless network.

C is the correct answer. Justification: A. Changing the password for the wireless network does not secure against unauthorized access to the company network, especially because a guest could gain access to the wireless local area network at any time prior to the weekly password change interval. B. A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the configuration of the firewall would need to be audited and firewall compromises, although unlikely, are possible. C. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion. D. An intrusion detection system will detect intrusions but will not prevent unauthorized individuals from accessing the network.

AS-37 An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network. B. Biometric scanners are not installed in restricted areas. C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunneL D.Biometricsystem riskanalysiswaslastconducted threeyearsago.

C is the correct answer. Justification: A. Generally, virtual private network software provides a secure tunnel so that remote administration functions can be performed. This is not a concern. B. Biometric scanners are best located in restricted areas to prevent tampering, but video surveillance is an acceptable mitigating control. The greatest concern is lack of a securely encrypted tunnel between the scanners and the access control system. C. Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentially of the biometric data. D. The biometric risk analysis should be reperformed periodically, but an analysis performed three years ago is not necessarily a cause for concern.

AS-14 Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? A. Actions performed on log files should be tracked in a separate log. B. Write access to audit logs should be disabled. C. Only select personnel should have rights to view or delete audit logs. D. Back ups of audit logs should be performed periodically.

C is the correct answer. Justification: A. Having additional copies of log file activity would not prevent the original log files from being deleted B. For servers and applications to operate correctly, write access cannot be disabled. C. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. D. Frequent backups of audit logs would not prevent the logs from being deleted.

AS-68 When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with: A. analysis. B. evaluation. C. preservation. D. disclosure.

C is the correct answer. Justification: A. Analysis is important but not the primary concern related to evidence in a forensic investigation. B. Evaluation is important but not the primary concern related to evidence in a forensic investigation. C. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when investigating. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings. D.DisclosureisimportantbutnotofprimaryconcerntotheISauditorinaforensic

A5-75 Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network implementation? Computers on the network that are located: A. on the enterprise's internal network. B. at the backup site. C. in employees' homes. D.attheenterprise'sremoteoffices.

C is the correct answer. Justification: A. On an enterprise's internal network, there should be security policies and controls in place to detect and halt an outside attack that uses an internal machine as a staging platform. B. Computers at the backup site are subject to the corporate security policy and, therefore, are not high risk computers. C. One risk of a virtual private network implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies and, therefore, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus. D. Computers on the network that are at the enterprise's remote offices, perhaps with different IS and security employees who have different ideas about security, are riskier than computers in the main office or backup site, but obviously less risky than home computers.

AS-25 An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? - A. Ensure that ports 80 and 443 are blocked at the firewall. B. Inspect file and access permissions on all servers to ensure that all files have read-only access. C. Perform a web application security review. D. Make sure that only the IP addresses of existing customers are allowed through the firewall.

C is the correct answer. Justification: A. Port 80 must be open for a web application to work and port 443 for a Secured Hypertext Transmission Protocol to operate. B. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. C. Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. D. Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

AS-99 An Internet-based attack using password sniffing can: A. enable one party to act as if they are another party. B. cause modification to the contents of certain transactions. C. be used to gain access to systems containing proprietary information. D.resultinmajorproblemswithbillingsystemsandtransactionprocessingagreements.

C is the correct answer. Justification: A. Spoofing attacks can be used to enable one party to act as if they are another party. B. Data modification attacks can be used to modify the contents of certain transactions. C. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. D. Repudiation of transactions can cause major probJew with billing systems and transaction processing agreements.

AS-60 To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that: A. the company policy be changed. B. passwords are periodically changed. C. an automated password management tool be used. D.securityawarenesstrainingisdelivered.

C is the correct answer. Justification: A. The policy is appropriate and does not require change. Changing the policy would not ensure compliance. B. Having a requirement to periodically change passwords is good practice and should be in the password policy. C. The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time. D. Security awareness training would not enforce compliance.

AS-96 When using public key encryption to secure data being transmitted across a network: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D.boththe keyusedtoencryptand decryptthe dataareprivate.

C is the correct answer. Justification: A. The public and private keys always work as a pair-if a public key is used to encrypt a message, the corresponding private key MUST be used to decrypt the message. B. If the message is encrypted with a private key, that will provide proof of origm but not message security or confidentiality. C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it. D.Usingtwoprivatekeyswouldnotbepossible withasymmetricencryption.

A5-21 To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review: A. the IT infrastructure. B. organizational policies, standards and procedures. C. legal and regulatory requirements. D. adherence to organizational policies, standards and procedures.

C is the correct answer. Justification: A. To comply with requirements, the IS auditor must first know what the requirements are. They can vary from one jurisdiction to another. The IT infrastructure is related to the implementation of the requirements. B. The policies of the organization are subject to the legal requirements and should be checked for compliance after the legal requirements are reviewed. C. To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures. D. Checking for compliance is only done after the IS auditor is assured that the policies, standards and procedures are aligned with the legal requirements.

AS-27 Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target? A. Blind testing B. Targeted testing C. Double-blind testing D. External testing

C is the correct answer. Justification: A. Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted. B. Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point. C. Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning--both parties are "blind" to the test. This is the best scenario for testing response capability because the target win react as if the attack were real. D. External testing refers to a test where an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

AS-90 During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? A. Dumping the memory content to a file B. Generating disk images of the compromised system C. Rebooting the system D. Removing the system from the network

C is the correct answer. Justification: A. Copying the memory contents is a normal forensics procedure where possible. Done carefully, it will not corrupt the evidence. B. Proper forensics procedures require creating two copies of the images of the system for analysis. Hash values ensure that the copies are accurate. C. Rebooting the system may result in a change in the system state and the loss of files and important evidence stored in memory. D. When investigating a system, it is recommended to disconnect it from the network to minimize external infection or access.

An IS auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algoritlun be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclesnre? A. Data Encryption Standard B. Message digest 5 C. Advanced Encryption Standard D. Secure Shell

C is the correct answer. Justification: A. Data Encryption Standard (DES) is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. B. Message digest 5 (MD5) is an algorithm used to generate a one-way hash of data (a fixed- length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive. C. Advanced Encryption Standard (AES) provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data. D. Secure Shell (SSH) is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

A5-89 The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: A. data integrity B. authentication. C. nonrepudiation. D. replay protection.

C is the correct answer. Justification: A. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. B. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender. C. Integrity, authentication, non repudiation and replay protection are all features of a digital signature. Non repudiation ensures that the claimed sender cannot later deny generating and sending the message. D. Replay protection is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed),

AS-56 While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step? A. Observe the response mechanism. B. Clear the virus from the network. C. Inform appropriate personnel immediately. D. Ensure deletion of the virus.

C is the correct answer. Justification: A. Observing the response mechanism should be done after informing appropriate personnel. This will enable an IS auditor to examine the actual workability and effectiveness of the response system. B. The IS auditor is neither authorized nor capable in most cases of removing the virus from the network. C. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response. D. An IS auditor should not make changes to the system being audited; ensuring the deletion of the virus is a management responsibility.

Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal? A Overwriting the tapes B. Initializing the tape labels C. Degaussing the tapes D. Erasing the tapes

C is the correct answer. Justification: A. Overwriting the tapes is a good practice, but if the tapes have contained sensitive information then it is necessary to degauss them. B. Initializing the tape labels would not remove the data on the tape and could lead to compromise of the data on the tape. C. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes. D. Erasing the tapes will make the data unreadable except for sophisticated attacks; therefore, tapes containing sensitive data should be degaussed.

Which of the following presents an inherent risk with no distinct identifiable preventive controls? A. Piggybacking B. Viruses C Data diddling D. Unauthorized application shutdown

C is the correct answer. Justification: A. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message. B. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telooo!tl..rm,tltication.linoers direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses. C. Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. D. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper accesscontrols.

AS-59 An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation

C is the correct answer. Justification: A. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. . B. This policy only refers to "the display of passwords," not dumpster diving (looking through an organization's trash for valuable information). C. H a password is displayed on a monitor, any person or camera nearby could look over the shoulder 'of the user to obtain the password. D. Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.

A5-5 Which of the following BEST ensures the integrity of a server's operating system? A. Protecting the server in a secure location B. Setting a boot password C. Hardening the server configuration D. Implementing activity logging

C is the correct answer. Justification: A. Protecting the server in a secure location is a good practice, but it does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario-it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

M-69 A certificate authority (CA) can delegate the processes of: A. revocation and suspension of a subscriber's certificate. B. generation and distribution of the CA public key. C. establishing a link between the requesting entity and its public key. D. issuing and distributing subscriber certificates.

C is the correct answer. Justification: A. Revocation and suspension of the subscriber certificate are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. B. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated. C. Establishing a link between the requesting entity and its public key is a function of a registration authority. This mayor may not be performed by a CA; therefore, this function can be delegated. D. Issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform.

A5-23 When reviewing the implementation of a local area network, an IS auditor should FIRST review the: A. node list. B. acceptance test report. C. network diagram. D. users list.

C is the correct answer. Justification: A. Verification of nodes from the node list would follow the review of the network diagram. B. The review of the acceptance test report would follow the verification of nodes from the node list. C. To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure. D The users list would be reviewed after the acceptance test report.

AS-32 An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

C is the correct answer. Justification: A. While untested common gateway interfaces (eGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

AS-36 During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: A. an unauthorized user may use the ID to gain access. B. user access management is time consuming. C. passwords are easily guessed. D.useraccountabilitymaynotbeestablished.

D is the correct answer. JUstification: A. The ability of unauthorized users to use a shared 10 is more likely than of an individual ID-but the misuse of another person's ID is always a risk. B. Using shared IDs would not pose an increased risk due to work effort required for managing access. C. Shared user IDs do not necessarily have easily guessed passwords. D. The use of a user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is impossible to hold anyone accountable.

AS-53 The reliability of an application system's audit trail may be questionable if: A. user IDs are recorded in the audit trail. B.. the secunty administrator has read-only rights to the audit file. C. date and time stamps are recorded when an action occurs, D.users canamendaudittrailrecordswhencorrectingsystemerrors.

D is the correct answer. Justification: A. An audit trail must record the identity of the person or process involved in the logged activity to establish accountability. ' B. Restricting the administrator to read-only access will protect the audit file from alteration. C. Data and time stamps should be recorded in the logs to enable the reconstruction and correlation of events on multiple systems. D. An audit trail is not effective if the details in it can be amended.

A5-79 An accuracy measure for a biometric system is: A. system response time. B. registration time. C. input file size. D.false-acceptancerate.

D is the correct answer. Justification: A. An important consideration in the implementation of biometrics is the time required to process a user. If the system is too slow then it will impact productivity and lead to frustration. However,this is not an accuracy measure. R The registration time is a measure of the effort taken to enroll a user in the system. This is not an accuracy measure. C. The file size to retain biometric information varies depending on the type of biometric solution selected. This is not an accuracy measure. D. Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate.

AS-l1 The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability; all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? A. Database administrators are restricted from access to HR data. B. Database logs are encrypted. C. Database stored procedures are encrypted. D.Databaseinitializationparametersareappropriate.

D is the correct answer. Justification: A. Database administrators would have access to all data on the server, but there is no practical control to prevent that; therefore, this would not be a concern. B. Database audit logs normally would not contain any confidential data; therefore, encrypting the log files is not required. C. If a stored procedure contains a security sensitive function such as encrypting data, it can be a requirement to encrypt the stored procedure. However, this is less critical than ensuring initialization parameters are correct. D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle Database Management System), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

AS-38 When auditing a role-based access control system, the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? A. Ensure that these employees are adequately supervised. B. Ensure that backups of the transaction logs are retained. C. Implement controls to detect the changes. -, D. WritetransactionlogsinrealtimetoWrite Onceand ReadMany DRIVES.

D is the correct answer. Justification: A. IT security, employees cannot be supervised in the traditional sense unless the supervisor were to monitor each keystroke entered on a workstation, which is obviously not a realistic option. B. Retaining backups of the transaction logs does not prevent the files from unauthorized modification prior to backup. C. The log files themselves are the main evidence that an unauthorized change was made, which is a sufficient detective controL Protecting the log files from modification requires preventive cOiltrols such as securely writing the logs. D. Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified prior (typically at night) to the daily backup job execution.

The implementation of access controls FIRST requires: A. a classification of IS resources. B. the labeling of IS resources. C. the creation of an access ~ontrollist. D.an inventory of IS resources.

D is the correct answer. Justification: A. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. B. Labeling resources cannot be done without first determining the resources' classifications. C. The access control list would not be done without a meaningful classification of resources. D. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.

AS-92 Which of the following controls would BEST detect intrusion? A. User IDs and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts. D.Unsuccessfullogonattemptsaremonitoredbythesecurityadministrator

D is the correct answer. Justification: A. User IDs and the granting of user privileges define a policy. This is a type of administrative or managerial control that may prevent intrusion but would not detect it. B. Automatic logoff is a method of preventing access through unattended or inactive terminals but is not a detective control. C. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting it. D.Intrusion isdetectedbytheactivemonitoring andreviewofunsuccessfullogonattempts.

AS-17 An employee has received a digital photo frame as an gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: A. the photo frame storage media could he used to steal corporate data. B. the drivers for the photo frame may be incompatible and crash the user's PC. C. the employee may bring inappropriate photographs into the office. D. the photo frame could be infected with malware.

D is the correct answer. Justification: A. Although any storage device could be used to steal data, the damage caused by malware could be widespread and severe for the enterprise, which is the more significant risk. B. Although device drivers may be incompatible and crash the user's PC, the damage caused by malware could be widespread and severe for the enterprise. C. Although inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise. D. Any storage device can be a vehicle for infecting other computers with mal ware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? A. Proxy server B. Firewall installation C. Demilitarized zone D. Virtualprivatenetwork

D is the correct answer. Justification: A. A proxy server is a type of firewall installation used as an intermediary to filter and control traffic between internal and external parties. B. While firewall installations are the primary line of defense, they would need to have encryption and a virtual private network (VPN) to secure remote access traffic. C. A demilitarized zone (DMZ) is an isolated network used to permit outsiders to access certain corporate information in a semi-trusted environment. The DMZ may host a web server or other external facing services. Traffic to a DMZ is not usually encrypted unless it is terminating on a VPN located in the DMZ. D.Thebestwaytosecureremoteaccessisthrough theuseofencrypted VPNs.Thiswouldallow remoteusersasecureconnectiontothemain

A5-83 Which of the following components is responsible for the collection of data in an intrusion detection system? A. Analyzer B. Administration console C. User interface D. Sensor

D is the correct answer. Justification: A. Analyzers receive input from sensors and determine the presence of and type of intrusive activity. B. An administration console is the management interface component of an mtrusion detection system (IDS). C. A user interface allows the administrators to interact with the IDS. D. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.

AS-61 An IS auditor reviewing digital rights management applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

D is the correct answer. Justification: A. Digitalized signatures are the scans of a signature (not the same as a digital signature) and not related to digital rights management. B.. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes and is widely applied in the design of programming languages or in data entry editing, D. Steganography is a technique for concealing the existence of messages or information within another message. An increasingly important steganographical technique is digital watermarking, which hides data within data (e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities).

AS-8O An IS auditor evaluating logical access controls should FIRST; A. document the cotrols applied to the potential access paths to the system. B. test controls over the access paths to determine if they are functional. C. evaluate the security enviromnent in relation townttenpoliciesandpractices. D. obtain an understanding of the security risk to information processing.

D is the correct answer. Justification: A. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness of the controls and is based on the risk to the system that necessitates the controls. B. The third step is to test the access paths-to determine if the controls are functioning. C. It is only after the risk is determined and the controls documented that the IS auditor can evaluate the security environmentto assess its adequacy through review of the written policies, observation of practices and comparison of them to appropriate security good practices. D. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

AS-IS A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. D. Access to a network port is not restricted.

D is the correct answer. Justification: A. Dynamic Host Configuration Protocol provides convenience (an advantage) to the laptop users. B. The existence of a firewall can be a security measure and would not normally be of concern. C. A limited number of IP addresses can be addressed through network address translation or by increasing the number of IP addresses assigned to a particular subnet. D. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

A5-45 An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved. Which of the following choices would be of MOST concern to the IS auditor? A. End users are not aware of incident reporting procedures. B. Log servers are not on a separate network. C. Backups are not performed consistently. D. There is no chain of custody policy.

D is the correct answer. Justification: A. End users should be made aware of incident reporting procedures, but this is not likely to affect data integrity related to the breach. The IS auditor would be more concerned that the organization's policy exists and provides for proper evidence handling. B. Having log servers segregated on a separate network might be a good idea because ensunng the integrity of log server data is important. However, it is more critical to ensure that the chain of custody policy is in place. C. While not having valid backups would be a concern, the more important concern would be a lack of a chain of custody policy. Data breach evidence is not normally retrieved from backups. D. Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law. Chain of custody involves documentation of how digital evidence is acquired, processed, handled, stored and protected, and who handled the evidence and why. If there is no policy in place, it is unlikely that employees will ensure that the chain of custody is maintained during any data breach investigation.

AS-9 The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server? A. Host intrusion detection software installed on the server B. Password expiration and lockout policy C. Password complexity rules D. Two-factor authentication

D is the correct answer. Justification: A. Host intrusion detection software will assist in the detection of unauthorized system access but does not prevent such access. B. While controls regarding password expiration and lockout from failed login attempts are iroporuml, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. Password-onlybased authentication may not provide adequate security. C. While controls regarding password complexity are important, two-factor authentication methods or techniques would most effectivelyreduce the risk of stolen or compromised credentials. D. Two-factor authentication requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.

AS-46 An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: A. recommend that mandatory access control be implemented. B. report this as a finding to upper management C. report this to the data owners to determine whether it is an exception. D. not report this issue because discretionary access controls are in place.

D is the correct answer. Justification: A. Recommending mandatory access control is not correct because it is more appropriate for data owners to have discretionary access controls (DAC) in a low-risk application. B. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. C. While an IS auditor may consult with data owners regarding whether this access is allowed normall the IS auditor should not rely on the auditee to determine whether this is an issue. D. DAC allows data owners to modify access, which is a normal procedure and is a charactersitic ofDAC.

Which of the following line media would provide the BEST security for a telecommunication network? A. Broadband network digital transmission B. Baseband network C. Dialup D. Dedicated lines

D is the correct answer. Justification: A. The secure use of broadband communications is subject to whether the network is shared with other users, the data are encrypted and the risk of network interruption. B. A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker. C. A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today. D. Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

AS-47 Electromagnetic emissions from a terminal represent a risk because they: A. could damage or erase nearby storage media. B. can disrupt processor functions. C. could have adverse health effects on personnel, D. can be detected and displayed.

D is the correct answer. Justification: A. While a strong magnetic field can erase certain storage media, normaUy terminals are designed to limit these emissions; therefore, this is not normally a concern. B. Electromagnetic emissions should not cause disruption of central processing units. C. Most electromagnetic emissions are low level and do not pose a significant health risk. D. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.