Domain 5 Security Event Management Set 1
Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. Email monitoring policy
D. Intrusion detection systems
A is the correct answer.
Justification:
A. Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.
B. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the incident.
C. An email monitoring policy informs users that all email in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders.
D. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.
Domain 5: Protection of Information Assets. Sub-domain 5B1: Security Awareness Training and Programs. Task Statement 34: Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
The MOST important factor in planning a black box penetration test is:
A. the documentation of the planned testing procedure.
B. a realistic evaluation of the environment architecture to determine scope.
C. knowledge by the management staff of the client organization.
D. scheduling and deciding on the timed length of the test.
C is the correct answer.
Justification:
A. A penetration test should be carefully planned and executed, but the most important factor is proper approvals.
B. In a black box penetration test, the environment is not known to the testing organization.
C. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly.
D. A test must be scheduled so as to minimize the risk of affecting critical operations; however, this is part of working with the management of the organization.
Domain 5: Protection of Information Assets. Sub-domain 5B3: Security Testing Tools and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
C is the correct answer.
Justification:
A. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person.
B. This policy only refers to "the display of passwords," not dumpster diving (looking through an organization's trash for valuable information).
C. If a password is displayed on a monitor, any person or camera nearby could look over the shoulder of the user to obtain the password.
D. Impersonation refers to someone acting as an employee in an attempt to retrieve desired information.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 25: Evaluate data governance policies and practices.
After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools?
A. Differential
B. False-positive
C. False-negative
D. Less-detail
C is the correct answer.
Justification:
A. Differential reporting compares scan results over a period of time.
B. False-positive reporting is one in which the system falsely reports a vulnerability. Controls may be in place but are evaluated as weak, which should prompt a rechecking of the controls.
C. False-negative reporting on weaknesses means that control weaknesses in the network are not identified and, therefore, may not be addressed, leaving the network vulnerable to attack.
D. Less-detail reporting would require additional tools or analysis to determine the existence and severity of vulnerabilities.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 11: Evaluate IT management and monitoring of controls.
Which of the following is an example of a passive cybersecurity attack?
A. Traffic analysis
B. Masquerading
C. Denial-of-service
D. Email spoofing
A is the correct answer.
Justification:
A. Cybersecurity threats/vulnerabilities are divided into passive and active attacks. A passive attack is one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis.
B. Because masquerading alters the data by modifying the origin, it is an active attack.
C. Because a denial-of-service attack floods the network with traffic or sends malformed packets over the network, it is an active attack.
D. Because email spoofing alters the email header, it is an active attack.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques
A is the correct answer.
Justification:
A. Improper router configuration and rules could lead to an exposure to denial-of-service (DoS) attacks.
B. An inefficient design of the internal network may also lead to a DoS, but this is not as high a risk as router misconfiguration errors.
C. Inadequate router software updates have led to a DoS in the past, but this is a subset of router configuration and rules.
D. Audit testing can cause a DoS if tests disable systems or applications, but this is not the most likely risk.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 34: Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures.
C. Operations support staff members are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.
A is the correct answer.
Justification:
A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data.
B. The lack of change control is a serious risk, but if the changes are only vendor-supplied patches to vendor software, then the risk is minimal.
C. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data unless jobs are run in the wrong sequence.
D. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 27: Evaluate change, configuration, release, and patch management policies and practices.
Web and email filtering tools are valuable to an organization PRIMARILY because they:
A. protect the organization from viruses and nonbusiness materials.
B. maximize employee performance.
C. safeguard the organization's image.
D. assist the organization in preventing legal issues.
A is the correct answer.
Justification:
A. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email.
B. This could be true in some circumstances (i.e., it would need to be implemented along with an awareness program so that employee performance can be significantly improved). However, the primary benefit is protecting the organization from viruses and nonbusiness activity.
C. Safeguarding the organization's image is a secondary benefit.
D. Preventing legal issues is important, but not the primary reason for filtering.
Domain 5: Protection of Information Assets. Sub-domain 5B3: Security Testing Tools and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
A hacker could obtain passwords without the use of computer tools or programs through the technique of:
A. social engineering.
B. sniffers.
C. back doors.
D. Trojan horses.
A is the correct answer.
Justification:
A. Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data.
B. A sniffer is a computer tool to monitor the traffic in networks.
C. Back doors are computer programs left by hackers to exploit vulnerabilities.
D. Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
A. Server-based antivirus software
B. Enterprise-based antivirus software
C. Workstation-based antivirus software
D. Perimeter-based antivirus software
B is the correct answer.
Justification:
A. An effective antivirus solution must be a combination of server-, network- and perimeter-based scanning and protection.
B. An important means of controlling the spread of viruses is to deploy an enterprisewide antivirus solution that will monitor and analyze traffic at many points. This provides a layered defense model that is more likely to detect malware regardless of how it comes into the organization: through a universal serial bus (USB) or portable storage, a network, an infected download or a malicious web application.
C. Only checking for a virus on workstations would not be adequate because malware can infect many network devices or servers as well.
D. Because malware can enter an organization through many different methods, only checking for malware at the perimeter is not enough to protect the organization.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 31: Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
The PRIMARY purpose of audit trails is to:
A. improve response time for users.
B. establish accountability for processed transactions.
C. improve the operational efficiency of the system.
D. provide information to auditors who wish to track transactions.
B is the correct answer.
Justification:
A. The objective of enabling software to provide audit trails is not to improve system efficiency, because it often involves additional processing which may, in fact, reduce response time for users.
B. Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.
C. Enabling audit trails involves storage and, thus, occupies disk space and may decrease operational efficiency.
D. Audit trails are used to track transactions for various purposes, not just for audit. The use of audit trails by IS auditors is valid; however, it is not the primary reason.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 31: Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current antivirus software
D. Policies that result in instant dismissal if violated
B is the correct answer.
Justification:
A. Diskless workstations act as a preventive control and are not totally effective in preventing users from accessing illegal software over the network.
B. Periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network.
C. Antivirus software will not necessarily identify illegal software, unless the software contains a virus.
D. Policies are a preventive control to lay out the rules about loading the software, but will not detect the actual occurrence.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
A. Intrusion detection systems
B. Data mining techniques
C. Stateful inspection firewalls
D. Packet filtering routers
B is the correct answer.
Justification:
A. Intrusion detection systems are effective in detecting network or host-based errors but not effective in measuring fraudulent transactions.
B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.
C. A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions.
D. A packet filtering router operates at a network level and cannot see a transaction.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 31: Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
Which of the following results in a denial-of-service attack?
A. Brute force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement attack
B is the correct answer.
Justification:
A. A brute force attack is typically a text attack that exhausts all possible key combinations used against encryption keys or passwords.
B. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service.
C. A leapfrog attack is the act of telneting through one or more hosts to preclude a trace and makes use of user ID and password information obtained illicitly from one host to compromise another host.
D. A negative acknowledgement attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
Neural networks are effective in detecting fraud because they can:
A. discover new trends because they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. address problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.
C is the correct answer.
Justification:
A. Neural networks are inherently nonlinear.
B. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable.
C. Neural networks can be used to address problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends.
D. Neural networks make no assumption about the shape of any curve relating variables to the output.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 39: Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.
A benefit of quality of service is that the:
A. entire network's availability and performance will be significantly improved.
B. telecom carrier will provide the company with accurate service-level compliance reports.
C. participating applications will have bandwidth guaranteed.
D. communications link will be supported by security controls to perform secure online transactions.
C is the correct answer.
Justification:
A. Quality of service (QoS) will not guarantee that the communication itself will be improved. While the speed of data exchange for specific applications could be faster, availability will not be improved.
B. The QoS tools that many carriers are using do not provide reports of service levels; however, there are other tools that will generate service-level reports.
C. The main function of QoS is to optimize network performance by assigning priority to business applications and end users through the allocation of dedicated parts of the bandwidth to specific traffic.
D. Even when QoS is integrated with firewalls, virtual private networks (VPNs), encryption tools and others, the tool itself is not intended to provide security controls.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
An Internet-based attack using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing agreements.
C is the correct answer.
Justification:
A. Spoofing attacks can be used to enable one party to act as if they are another party.
B. Data modification attacks can be used to modify the contents of certain transactions.
C. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored.
D. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 35: Perform technical security testing to identify potential threats and vulnerabilities.
To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that:
A. the company policy be changed.
B. passwords are periodically changed.
C. an automated password management tool be used.
D. security awareness training is delivered.
C is the correct answer.
Justification:
A. The policy is appropriate and does not require change. Changing the policy would not ensure compliance.
B. Having a requirement to periodically change passwords is good practice and should be in the password policy.
C. The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time.
D. Security awareness training would not enforce compliance.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 34: Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
Which of the following presents an inherent risk with no distinct identifiable preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown
C is the correct answer.
Justification:
A. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message.
B. Viruses are malicious program code inserted into other executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses.
C. Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.
D. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 31: Evaluate logical security controls to verify the confidentiality, integrity, and availability of information.
The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when an action occurs.
D. users can amend audit trail records when correcting system errors.
D is the correct answer.
Justification:
A. An audit trail must record the identity of the person or process involved in the logged activity to establish accountability.
B. Restricting the administrator to read-only access will protect the audit file from alteration.
C. Date and time stamps should be recorded when an action occurs. These should be recorded in the logs to enable the reconstruction and correlation of events on multiple systems.
D. An audit trail is not effective if the details in it can be amended.
Domain 5: Protection of Information Assets. Sub-domain 5B4: Security Monitoring Tools and Techniques. Task Statement 21: Conduct periodic review of information systems and enterprise architecture.
An IS auditor reviewing digital rights management applications should expect to find an extensive use for which of the following technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
D is the correct answer.
Justification:
A. Digitalized signatures are scans of a signature (not the same as a digital signature) and are not related to digital rights management.
B. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography.
C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes and is widely applied in the design of programming languages or in data entry editing.
D. Steganography is a technique for concealing the existence of messages or information within another message. An increasingly important steganographic technique is digital watermarking, which hides data within data (e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities).
Domain 5: Protection of Information Assets. Sub-domain 5B6: Evidence Collection and Forensics. Task Statement 39: Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.
The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Using an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
D is the correct answer.
Justification:
A. Using an intrusion detection system is an implementation of a security program and is not effective in establishing a security awareness program.
B. Mandating passwords is a policy decision, not an awareness issue.
C. A user log system is not a part of an awareness program.
D. Regular training is an important part of a security awareness program.
Domain 5: Protection of Information Assets. Sub-domain 5B1: Security Awareness Training and Programs. Task Statement 34: Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.
Which of the following is the MOST reliably effective method for dealing with the spread of a network worm that exploits a vulnerability in a protocol?
A. Install the latest vendor security patches immediately.
B. Block the protocol traffic in the perimeter firewall.
C. Block the protocol traffic between internal network segments.
D. Stop the services that the protocol uses.
D is the correct answer.
Justification:
A. Patching will improve the situation only if a patch has been released that addresses the particular vulnerability in the protocol. Also, patches should not be installed prior to testing, because patching systems can create new vulnerabilities or impact performance.
B. Blocking at the perimeter does not stop the worm from spreading if it is introduced via portable media.
C. Blocking between segments helps to slow the spread, but also prohibits any software that uses the protocol from working between segments.
D. Stopping the services is the most effective way to prevent a worm from spreading, because it directly addresses the means of propagation at the lowest practical level.
Domain 5: Protection of Information Assets. Sub-domain 5B5: Incident Response Management. Task Statement 28: Evaluate end-user computing to determine whether the processes are effectively controlled.
Electromagnetic emissions from a terminal represent a risk because they:
A. could damage or erase nearby storage media.
B. can disrupt processor functions.
C. could have adverse health effects on personnel.
D. can be detected and displayed.
D is the correct answer.
Justification:
A. While a strong magnetic field can erase certain storage media, normally terminals are designed to limit these emissions; therefore, this is not normally a concern.
B. Electromagnetic emissions should not cause disruption of central processing units.
C. Most electromagnetic emissions are low level and do not pose a significant health risk.
D. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.
Domain 5: Protection of Information Assets. Sub-domain 5B2: Information System Attack Methods and Techniques. Task Statement 39: Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices.