Domain 4: IS Operations, Maintenance & Service Management
During an audit where scope includes server environments, an IS auditor would be ensured with which of the below BEST providing the highest degree of server access control?
A fingerprint scanner facilitating biometric access control. A fingerprint scanner facilitating biometric access control can provide the highest degree of server room access control.
An IS auditor has been asked to closely review network management as primary part of audit scope. What is the first step to be reviewed?
A graphical map of the network topology. Understanding existing network assets is the first step in planning an audit encompassing all aspects of the deployed network components including detailed documentation of the network topology and IP addressing employed at interface level as well as providing information by device, location and site. A graphical interface to the map of the network topology is therefore essential for the IS auditor to obtain a clear understanding of network management.
An IS auditor performing a telecommunications audit at a government research facility noticed that some network connections used fiber-optic cable while others used conventional unshielded twisted pair (UTP) copper cable. Which of the following is the GREATEST risk of using UTP cable?
An attacker may tap into the cable to intercept data. The characteristics of fiber-optic cable and the data transmission methods used make it difficult to physically tap into the cable, which provides enhanced security. While UTP cable can carry less bandwidth than fiber-optic cable, the concern about performance is not as significant as the security risk due to tapping. Fiber-optic cable is more fragile than UTP cable and is more difficult and time-consuming to install. UTP cable is more susceptible to crosstalk than fiber-optic cable. Crosstalk causes performance degradation and potential loss of connectivity, but is not known to cause any security issues.
At a minimum, when should the BIA be updated and the BC/DR plan be exercised (tested)?
Annually. Every organization should exercise the BC/DR plan at least once per year. Some regulations, such as Gramm-Leach-Bliley, require live recovery exercises at least once every 90 days (quarterly). The BIA should be updated at least annually or whenever a change occurs to the strategy, the organizational structure, or the business process protected by the plan.
Which level of the OSI model does a gateway operate?
Application. The gateway is an application running on layer 7. The function of gateway is to solve the problem related to the formatting of data. A computer program running on layer 7 will extract the data init's original format, and then reformat the data and transmit it to the new system.
What is the most effective control over a guest wireless ID given to the vendor staff?
Assignment of a renewable user ID which expires daily. Would ensure wireless access is not used without authorization. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventative control. The user ID format does not change the overall security of either connection and this is not a good answer. Controls related to the encryption of the wireless network are important, however, the access to that network is more critical issue.
A new E Commerce site has been set up in an existing organization. The CEO has asked the IS team to provide a recommendation on an encryption system is primarily for data transportation which is expected to be heavy. What is their best recommendation?
Asymmetric-key encryption. Asymmetric-key encryption or public-key encryption is typically used for the transmission of data.
Which encryption system is primarily used in private industry for transportation rather than storage?
Asymmetric-key encryption. Asymmetric-key encryption, also known as public-key encryption, is typically used for the transmission of data (electronic transportation).
Management is eventually responsible for putting in place appropriate and proper internal controls. This includes ensuring the right personnel gain physical and logical access. What method is used to ascertain the user's identity?
Authentication. This compares the user's claim to a known reference in a single search and is therefore the best method to determine the users identity.
Why should the transportation and tracking of backup media be given a high priority?
Backup media contains the organization's secrets. Backup media must be tracked because it contains the utmost secrets of any organization. Media leaving the facility must be kept in locked storage boxes at all times. Tracking is required during transit to confirm its departure time and arrival. Some regulations require the use of encrypted backup tapes to protect the standing data. Remember, encrypting data increases security. Managing encryption requires more-involved handling procedures
What ensures permanency of Wide area network (WAN) across the organization?
Built in alternate routing. Alternative routing ensures the network continues when a server looses connection, or if a link is disconnected as the message rerouting can be made automatically.
What stage is user involvement most vital in business continuity planning>?
Business Impact Analysis. Detailed information is collected during the business impact analysis and is used to define the available time windows, the most critical resources, and alternatives. This information provides an invaluable set of specifications for the strategy to fit. It would be impossible to calculate an effective strategy w/o the in depth data provided by a current business impact analysis. Without the BIA, the best you can hope for is a disaster rebuilding plan for the servers or the building. W/O the BIA, the IT recovery plan will ultimately fail to meet the organizations needs.
What is the biggest difference between disaster planning and business continuity planning?
Business continuity plans span department boundaries. Business continuity plans are focused on the processes for generating revenue. This is the biggest difference when compared to rebuilding in disaster recovery. Plans of the various departments such as IT, facilities, manufacturing, and sales may become smaller components of the final BC plan. All decisions and activities are determined by the revenue generated, not by the desires or goals of the department.
Which of the following is the best definition of minutiae?
Characteristics data. Minutiae is the collection of characteristics used in biometric data about a specific user (a user's biometric template). The process converts a high-resolution scan into a tiny count of unique characteristics.
What does Minutiae used in Biometrics mean?
Characteristics data. Minutiae is the collection of characteristics used in biometric data about a specific user as a template. The process converts a high-resolution scan into a tiny count of unique characteristics.
Who should be the actual leader of business continuity planning?
Chief executive officer (CEO). The chief executive officer (CEO) should be the actual leader of business continuity planning. The second choice is the chief operating officer (COO) as the official delegate of the CEO function. The CEO and COO have the agenda of generating revenue. They can force the cooperation of all others in the organization. The CFO is the third choice. The CIO is the worst of these choices because of the CIO's distance from revenue activities and limited scope of authority.
What is the best description of a firewall?
Circuit level. The proxy firewall is designed to execute a request on behalf of the user without granting direct access. The proxy runs on the firewall. A proxy selectively filters and relays service requests between the internal and external networks. There is no direct connection between the internal and external network other than the proxy software program.
The recurrent updating of which of the following is crucial to the continued effectiveness of a disaster recovery plan (DRP)?
Contact information of key personnel. In the occurrence of a disaster, it is significant to have a current and updated list of personnel who are vital to the operation of the plan.
Which of the following should an incident response team address FIRST after a major incident in an information processing facility?
Containment at the facility. The first priority is the containment of the incident at the facility so that spread of the damage is minimized. The incident team must gain control of the situation. Restoration ensures the affected systems or services are restored to a condition specified in the restore point objective (RPO). This action will be possible only after containment of the damage. Documentation of the facility should be prepared to inform management of the incident; however, damage must be contained first. Monitoring of the facility is important, although containment must take priority to avoid spread of the damage.
Responsibilities of a disaster recovery relocation team
Coordinating movement from hot site to new location or restored original location.
Which of the following is not a recommended criterion for invocation of the BC/DR plan?
Cost of activation. Cost of activating is not an acceptable criterion for invocation of the BC/DR plan. The plan should always be activated if the conditions are met. Conditions requiring invocation of the plan include estimated financial loss, duration of outage, and the inability to determine the loss or scope of impact.
In a Defense development unit, the access controls need to be extremely strong. A biometrics sensor has been proposed. Why was it proposed?
Creates new biometric template data each time it's used. Biometric sensors create a new data template every time the sensor is used. Initially, the user's unique biometric data template is saved to the database and with every subsequent use, the sensor creates a brand new data template, which is compared to the database by the template matcher. If it matches, the user is correctly authenticated.
Who is the incident commander?
First person on the scene. The first person on the scene is the incident commander, even if it's a child who calls the police, ambulance, or fire department. The person on the scene directs all efforts until relieved by a more qualified person. Anyone can be an incident commander for which no special training is required. 85.
When, and at what frequency should the media updates and announcements be made during an incident?
From the PIO at regular intervals. All media updates and announcements should be handled by the public information officer (PIO) during the event. This is necessary to prevent misinformation or confusion. Providing information at regular intervals helps promote trust and confidence.
Which of the following best describes the difference between hierarchical storage management (HSM) and storage area network (SAN) technologies?
HSM uses optical or tape jukeboxes, and SAN is a network of connected storage systems. Hierarchical storage management (HSM) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. Storage area network (SAN) is made up of several storage systems that are connected together to form a single backup network.
Due to increased level of attacks on an organization's Internet, it has asked its audit team to recommend a detection and deterrent control against Internet attacks. Which of the below would be the BEST option?
Honeypots. Honeypots are often used as a detection and deterrent control against Internet attacks. A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other computer systems.
During an audit, the CISA wants to use a fast method for discovering the hosts on the network and identify all available service ports. What method can be used?
Host enumeration with port scanning. Host enumeration provides a fast method for discovering all the hosts on the network. Vulnerability scanning will only identify all the available service ports on the host computers.
An IS team is debating on implementing intrusion detection and prevention systems (IDPS), but many members believe the firewall systems are adequate. What factors could lean towards implementing the IDPS?
IDPS logs and notifies the system administrator of all suspected attacks. The IDPS preserves the transaction log and alerts of any suspected attacks. The IDPS can also use statistics or signature files to determine whether an attack has occurred.
What is the back bone of the internet and is a routable protocol?
IP. Internet protocol is considered the internet backbone, being a major routable protocol TCP is typically layered on top of IP and results in reliable sessions. The NetBIOS protocol from Microsoft is not suited to routing a broadcasting technique as it is based on layer 2 technology while OSI model is used to understand the layers in network communications.
The IS team is reviewing VPN methods to transmit the payload and hide internal network addresses with encryption. Which of the below methods would they use?
IPsec tunnel. The IPsec tunnel hides the messages and prevents identification of the sender and recipient while the messages travel across the public Internet by encrypting both the payload and local network addresses.
Which of the following VPN methods will transmit data across the local network in plain text without encryption?
IPsec. IPsec uses encryption between the VPN gateways. Data transmitted from the gateway to the local computer is not encrypted.
The IS team is reviewing various VPN methods for data transmission across local networks. They want to rule out any method that uses plain text without encryption. Which method would they exclude?
IPsec. IPsec uses encryption between the VPN gateways. However, data transmitted from the gateway to the local computer is not encrypted.
The IS team is building IS control objectives for the organization. What should not be included?
IS individual system threats. IS control objectives protect the organization from loss due to IS control failures. So the team would not review the individual systems threats that are undertaken by individuals as part of risk management. They would however include Disaster recovery plan, Asset data owners and register and Business continuity plan.
The IS team has been designated to formulate a good Firewall policy for publication. What would be the FIRST step for its creation?
Identifying various network applications such as mail, web, or FTP servers. The first step to creating a proper Firewall policy would be to identify network applications such as mail, web, or FTP servers which are externally accessed.
An organization has terminated a database administrator (DBA). The organization immediately removes all of the DBA's access to all company systems. The DBA threatens the database will be deleted in two months unless he/she is paid a large sum of money. Which of the following would the former DBA MOST likely use to delete the database?
Logic bomb attack. A logic bomb is hidden code that will activate when certain conditions are met; in this example, after a certain period of time. A virus is another type of malicious code, but it does not typically operate on a time delay. A worm also is a type of malicious code that does not use a time delay, but is designed to spread as quickly as possible. A DoS attack would not delete the database, but could make the service unavailable.
The IS internal team is undertaking a review to decide what kind of key and encryption method should be used. They need a cost effective method with least overhead. Which of the given methods would they rule out?
Long asymmetric encryption key. (A. Long Advance Encryption Standard (AES) key B. Long Data Encryption Standard (DES) key C. Long symmetric encryption key). Options A, B, and C are single shared symmetric keys with less overhead and costs. Choice D is a long asymmetric encryption key or public key encryption which would increase encryption overhead and cost.
Which of these is the primary output from the business impact analysis (BIA)?
Low-level blueprint of the business process. A low-level blueprint (or schematic) of the business process is the primary output from the business impact analysis (BIA). If performed correctly, the BIA will provide high-quality supporting detail for the other possible answer choices.
Event log entries related to failed local administrator logon attempts are observed by the IS auditor. Which of the following is the MOST likely cause of multiple failed login attempts?
Malicious code attacks. Malicious code and Trojans commonly attempt to log on to administrator accounts. A SYN attack is a denial-of-service (DoS) attack on a particular network service and does not log on to administrator accounts. Social engineering will help in discovering passwords, but it is separate from brute-force attacks. A buffer overflow attack will not directly result in multiple logon failures.
Computer worms infect computers and the payload or actual damage done can be significant. Which of the following best characterizes "worms"?
Malicious programs that can run independently and can propagate without the aid of a carrier program such as email. Worms are malevolent programs that can run independently and can spread without the aid of a carrier program such as email.
What is the process to activate the business continuity plan?
Management designates decision criteria and appoints authorized personnel. The purpose of planning is to establish decision criteria in advance. After the criteria are met, the plan will be activated by the appointed personnel. The alternate site invocation process allows a preauthorized manager to activate the alternate site. Invocation of the alternate site will cost money and should occur only when it is required.
Expand the term MAO?
Maximum acceptable outage. MAO is the maximum acceptable outage that can occur before critical deadlines are missed or recovery is no longer feasible because of the amount of time lapsed. May be referred to as maximum tolerable downtime (MTD).
Greatest benefit of implementing Open Source Software.
Mitigation of the risk being locked into a single provider. If an organization decides not to rely on a single provider for a software solution, they may go for an open source software strategy. There are multiple providers of OSS and while many are available free of charge, although there may be some cost related to converting to OSS. Generally, the overall TCO will be lower with OSS compared to using proprietary software. Being able to customize source code is a benefit of OSS. Although the methods of performing system upgrades are similar, the effort is not significantly lower when using OSS. It is possible that OSS may come with frequent upgrades, and it is up to the organization to decide whether the upgrades are necessary.
Which of the following is a type of data transmission often used with internet video signals?
Multi casting. Is used to transmit packets to multiple systems simultaneously and is often used with video.
What does the term multiprocessing refer?
Multiple CPU's. The computer contains multiple central processing unit's that make the computer capable of running different jobs at the same time. Multiple people on the computer refer to a multi user system.
Two most common Intrusion detection systems (IDS).
Network and Host. Intrusion detection systems are commonly implemented on the network or on a particular host to observe traffic travelling a specific communications link.
During an audit, the CISA reviews the Key Wrapping policy and is also assured by the system administrator that cryptographic key wrapping is used for operating systems, database field-level encryption, storage device-level encryption, and so on. What factor below contributes to make the environment secure through Key wrapping?
Obscuring the encryption key. For safety, all encryption keys are re-encrypted with a different algorithm using a different key. Key wrapping is intended to protect the actual encryption key from discovery or harm. The key wrapping technique is used in key storage and during key exchange.
What happens when the label processing is bypassed for Mandatory Access Controls (MAC)?
Override MAC security. A MAC system uses labels to enforce security policies. Bypassing label processing would imply that security controls are over ridden.
An organization that is performing extensive maintenance operations over the internet for its partners has commissioned an audit to provide assurance about data security. During the audit, the IS auditor requested evidence of data control and the IS team remarked that PKI technology was being used for cryptography. Why should the audit team feel reassured by PKI usage?
PKI is a combination of public-key cryptography and digital certificates. PKI uses a combination of public-key cryptography and digital certificates to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions.
What communications method charges for data transmitted, not the distance covered?
Packet Switched. Packet switched data transmissions are charged only for the data transmitted, not the distance covered. Circuit switched transmissions are charged by the distance covered.
There are various forms and types of communication protocols and methods. Which is not charged by the message size but by the number of packets sent?
Packet switching. The communication protocols and methods that transmit data via different paths by the number of packets sent and not by the size of the message or distance traversed is called packet switching.
An organization needs to implement the right type of fencing in an area where there is no foot traffic or observation capabilities and has decided to implement a Perimeter Intrusion Detection and Assessment System. Which are the characteristics of this type of fence?
Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors located on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms.
A multi-national corporation is geographically spread across the globe. What recommendation can the IS auditor provide to ensure that all aspects of the disaster recovery plan are evaluated cost effectively?
Preparedness test. A preparedness test should be executed by each local office to examine the capability of the readiness of local operations in the event of a disaster. This test should be executed regularly on different aspects of the plan and can be a cost-effective way to progressively obtain evidence of the plan's capability.
Which disaster recovery technique is the most efficient way to determine the effectiveness of a plan?
Preparedness test. Includes simulation of the entire environment in stages, and they also help the team prepare for the actual test scenario.
What is used to create a digital signature?
Private key. The sender users their private key to encrypt a message digest (file hash). The encryption message digest becomes a digital signature that can be verified by decrypting it with the sender's public key.
What is the purpose of the Logical Link Control (LLC) layer in the OSI model?
Provides a standard interface for the network layer protocol. The data link layer has two sublayers: the Logical Link Control (LLC) and Media Access Control (MAC) layers. The LLC provides a standard interface for whatever network protocol is being used. This provides an abstraction layer so the network protocol does not need to be programmed to communicate with all of the possible MAC level protocols (Ethernet, Token Ring, WLAN, FDDI, and so on.).
What RAID level does not improve fault tolerance?
RAID 0. Raid level o can create an image of large logical drives by combing several small disk drives, but it does not increase redundancy. Raid 0 is normally used in combination with other level to improve performance and redundancy. Raid 1 (full duplication on two sets) is the highest margin of safety. Raid 5 stripes data, using less raw disk space.
What indicators are used to identify the anticipated level of recovery and loss at a given point in time?
RPO and RTO. The recovery point objective (RPO) indicates the fallback position and duration of loss that has occurred. A valid RPO example is to recover by using backup data from last night's backup tape, meaning the more recent transactions have been lost. The recovery time objective (RTO) indicates a point in time where the restored data should be available for the user.
Primary purpose of a BCP?
Reduce the risk from unexpected disruption of critical functions and operations. Is to ensure that critical functions are not interrupted or they can be resumed in the shortest possible time frame. It is not necessary for all systems to be recovered immediately. Efforts should be focused on core systems that generate revenue.
What is not an acceptable method of disposal for magnetic media?
Reformatting. Reformatting and deleting files does not remove contents from the drive; it simply marks the space occupied by the files as eligible for overwriting. A disk wiping (overwriting) should be used if the disk will be reused. Physical destruction and electrical degaussing will also remove the data.
What is not a VPN technology?
Remote authentication server. Because that is used to authenticate if the user is genuine. It does not provide the encryption necessary for a virtual private network. Secure Sockets layer, IPsec and Secure shell ARE 3 valid VPN technologies.
During a recovery procedure test, one important step is to maintain records of important events that happen during the test. What other step is just as important?
Report the events to management. When recovery procedures are carried out, the outcome of those procedures should be reported to the individuals who are responsible for this type of activity, which is usually some level of management. If the procedures worked properly, management should know it, and if problems were encountered, management should definitely be made aware of them. Members of management are the ones who are responsible overall for fixing the recovery system and will be the ones to delegate this work and provide the necessary funding and resources.
Which of the following is the best way to ensure the company's backup tapes can be restored and used at a warm site?
Retrieve the tapes from the offsite facility, and verify the equipment at the original site can read them. A warm site is a facility that will not be fully equipped with the company s main systems. The goal of using a warm site is that, if a disaster takes place, the company will bring its systems with it to the warm site. If the company cannot bring the systems with it because they are damaged, the company must purchase new systems that are exactly like the original systems. So, to properly test backups, the company needs to test them by recovering the data on its original systems at its main site.
The IS auditor who is evaluating the user IDs for emergency access has found that fire call accounts are granted without a predefined expiration date. What should the IS auditor endorse?
Review the access control privilege authorization process. The IS auditor should endorse reviewing the process of access control management to ensure that emergency system administration-level access is given on an as-needed basis and configured to a predefined expiration date.
When auditing to determine IT operational capability, what would be the best evidence of whether adequate recovery and restart procedures exist?
Reviewing operations documentation. The presence of up to date recovery and restart procedures is an excellent source of evidence. If the opportunity is available, it would be a good idea to observe the support personnel using the procedure effectively. The auditor may inquire when the last time procedure was tested or used. The lack of documentation is a control failure.
The IT team has detected that a malicious software which had revealed itself as an auto date utility has subverted the kernel, bypassed operating system security and has installed itself. Which of these does it refer?
Root kit. Root kits are malicious software designed to subvert the operating system security, installed itself and completely compromised the system.
What type of network device directs data packets transmission through the internet?
Router. Function of the router is to route data packets throughout the network by using the routing path designed by the network administrator. A router may use dynamic routing software to ease the administrator burden. Static software routes are the safest to use. Dynamic routes may be automatically updated by other network devices. Dynamic routing can pose a security risk if the source of the routing update is not known and trusted.
What is provided by the digital signature?
Sender Identity with non repudiation. Digital signatures provide an assurance of the sender's identity with non repudiation. The digital signature is created by using the senders private key to encrypt the file hash value. The recipient test the digital signature integrity by using the sender's public key to decrypt the hash file. The sender's public key is freely available and mathematically related to the private key.
Which of the following is an XML-based protocol that defines the schema of how web service communication takes place over HTTP transmissions?
Simple Object Access Protocol. SOAP is an XML-based protocol that encodes messages in a web service environment. SOAP actually defines an XML schema or a structure of how communication is will take place. The SOAP XML schema defines how objects communicate directly.
Which of the following multiplexing technologies analyzes statistics related to the typical workload of each input device and makes real-time decisions on how much time each device should be allocated for data transmission?
Statistical time-division multiplexing. Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission line. STDM technologies analyze statistics related to the typical workload of each input device and make real-time decisions on how much time each device should be allocated for data transmission.
The IT team has recommended a DMZ for the organization for internet communications. The top management wishes to understand its purpose. What would be the best explanation?
Subnet that is semi-protected and allows external access. A DMZ or demilitarized zone is also called a perimeter network and is a physical or logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted network like the Internet. The purpose of a DMZ is to complement an extra layer of security to an organization's local area network (LAN)
Which of the following definitions is the best example of an RTO?
Target time for the user to be processing again. The recovery time objective (RTO) is the deadline for when the user must be processing again. IT is expected to have completed the necessary level of technical recovery. The user is able to resume processing work unless that RTO has failed.
An IS auditor performing a datacenter review for a large company discovers the datacenter has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern?
The battery room does not contain hydrogen sensors. Lead-acid batteries emit hydrogen, a highly explosive gas and therefore hydrogen detectors are a compensating control which would notify datacenter personnel of a possible gas buildup so they could take the suitable actions.
During an IS audit, the IS auditor discovers that a wireless network is used within the enterprise's headquarters. What is the FIRST thing the auditor should check?
The configuration settings. To check for the current network layout and connectivity and then based on this, decide whether the security requirements are adequate. The signal strength outside of the building would not be of concern if proper encryption and security settings are in effect.
What is true concerning the roles of data owner, data user, and data custodian?
The data owner specifics controls, is responsible for acceptable use and appoints the data custodian. The data users will comply with acceptable use and report violations. The data custodian will protect information and ensure its availability. The custodian will also provide support to the users.
A CISA is reviewing the firewall security of an org that provides extranet connectivity to its supply chain customers. What is of primary concern?
The firewall is placed on top of the commercial operating system with all installation options. Implementing firewalls with installation options over commercial operating systems makes it vulnerable and undermines the security of the firewall. Usage of SSL for firewall administration is essential because changes in user and supply chain partner's role and profiles cold be dynamic.
An organization has a combination of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security and has decided to replace the non-upgradeable access points even though expensive. Which of the below would BEST justify this choice?
The organization's security would be as strong as its weakest vulnerabilities. The old access points should be rejected and replaced with products having strong security; as they are prone to security weaknesses that could be taken advantage of by attackers and make the entire network weak based on their own vulnerabilities.
Recovery point objective is based on what?
The point in time prior to the outage at which data will be recovered. A typically RPO is to fall back to the last set of good backup tapes. Unfortunately, any work since the last backup would be lost, including work in progress. High availability systems and remote electronic vaulting of data files can shorten the recovery time.
A typical PKI infrastructure would have which of the following transactions?
The sender would need to first obtain the receiver s public key, which could be from the receiver or a public directory. The sender needs to protect the symmetric session key as it is being sent, so she encrypts it with the receiver s public key. The receiver decrypts the session key with his private key.
Which encryption key is not need by the recipient to decrypt a message when using a public key infrastructure (KPI)?
The senders private key. It's never used by the recipient. Only 3 of the 4 keys are ever used on each end to encrypt and decrypt messages. Private keys remain absolutely secret. The PKI algorithm is designed to allow the public key to unlock (decrypt) files that were encrypted using the sender's private key.
What factors signal if the business continuity plan needs to be updated?
Time and market conditions, Personnel changes, Significant changes in business objectives or direction. The plan should be reviewed quarterly and updated at least annually. Updates should occur after each test, changes in personnel, or changes in business direction. Plans are often updated for changes in key customers and products.
What is the best method for testing the effectiveness of specific recovery procedures?
Time the procedure's execution and compare it to the RTO. The best method from the options provided is to compare the elapsed time to execute the procedure against their stated recovery time objective (RTO). Participant opinions are important for buy-in; however, some opinions may be too optimistic or too pessimistic. Observing the procedure being executed will help determine its odds of being successfully completed. What really matters is that recovery occurs within its specific time window since other processes are depending on it.
Which of the following best describes why classless interdomain routing (CIDR) was created?
To allow an address class size to meet an organization's need. A Class B address range is usually too large for most companies, and a class C address range is too small, so CIDR provides the flexibility to increase or decrease the class sizes as necessary. CIDR is the method to specify more flexible IP address classes.
What is the best example of why plan testing is important?
To find and correct problems. Plans are tested to train the staff in carrying out their work. The intention is to find problems and correct any mistakes. A secondary benefit is to demonstrate improvement in the response and recovery efforts.
Name one of the purposes of creating the business continuity plan.
To minimize decisions needed during a crisis. The plan minimizes decisions needed during the crisis. Possible options would have been researched and decisions made in advance by management. The recovery staff is expected to follow the directions contained in the plan.
Which mode of the IPsec encrypts both the network IP address and the data payload?
Tunnel. The sending and receiving network address is hidden inside a data packet that displays the sending and receiving address of an ISP. For example, our corporate sender and receiver would be hidden inside a data transmission across the AT&T network. The data transmission would show only the AT&T network address of our border routers. The purpose of tunnel mode is to hide the existence of the transmission.
IPsec mode that hides network address?
Tunnel. Will hide the network address and route the packet by using the address of the ISP.
Which of the following methods of testing BC/DR plans is not acceptable?
Unannounced. Unannounced testing is not acceptable because of the potential to create additional harm. Some people are not able to deal with the extra stress or may exercise the wrong response and create a real emergency.
What is caused by the line grabbing method?
Unauthorized data access. Line grabbing enables eavesdropping and allows unauthorized data access.
Instead of managing and maintaining different types of security products and solutions, the IT manager wants to purchase a product that combines many technologies into one appliance. This must comprise of a centralized control, a streamlined maintenance, and a reduction in stove pipe security solutions. Which of the following would best fit the needs?
Unified threat management. The list of security solutions for companies include, and is not limited to, firewalls, antimalware, anti-spam, IDS\IPS, content filtering, data leak prevention, VPN capabilities, continuous monitoring, and reporting. Unified Threat Management (UTM) appliance products have been developed that provide all (or many) of these functionalities into a single network appliance. The goals of UTM are simplicity, streamlined installation and maintenance, centralized control, and the ability to understand a network s security from a holistic point of view. 65.
An org wants to connect all their workstations across all departments. What is the best choice?
Unshielded Twisted Pair. The UTP is usually used in an area prone to electronic noise where it would be more resistant. Coaxial cables are defunct for connection work stations. Currently fiber optics are commonly used to connect servers.
Terminal emulation software
Used for configuring a server or network device through a serial port. Provides a command line screen to access a serial port and is often used to configure network devices. The command line offers the highest level of access when compared to menus and restricted user interfaces. The command line allows the use of special command arguments that can changed the system behavior.
To ensure controls are in place and used by the designated personnel, authentication is a must. Two factor authentication is commonly used by organizations. What is this type of authentication?
User ID and unique characteristic. Two factor authentication typically implies the user must provide both a password and a unique characteristic such as an ID card or a physical biometric feature.
An IS auditor reviewing the operating system integrity of a server would primarily
Verify that user programs do not invoke privileged programs and services. If user level programs affect privileged programs or services, then changes to system parameters and operating system integrity issues may ensue. Privilege escalation attack happen when an unapproved user is able to achieve actions.
The network administrator of a large retail company has Ethernet-based distributed networks throughout the northwest region of the United States and would like to move to an Ethernet-based multipoint communication architecture that can run over their service provider's IP/MPLS network. Which of the following would be the best solution for these requirements?
Virtual Private LAN Services. Virtual Private LAN Services (VPLS) is a multipoint layer 2 virtual private network that connects two or more customer devices using Ethernet bridging techniques. In other words, VPLS emulates a LAN over a managed IP/MPLS network. VPLS is a way to provide Ethernet-based multipoint-to-multipoint communication over IP/MPLS networks.
To facilitate a remote internet user secure access into the network, what creates an encrypted communication tunnel across the internet?
Virtual Private Network. It encrypts the user's communication, provides confidentiality and integrity of communications and ensures safe communication across the internet.
An onsite offshore development organization requires large amounts of frequent data communication, some of which is sensitive. Which of the following methods would be most appropriate to ensure confidentiality in data communications?
Virtual private network (VPN). The virtual private network (VPN) would ensure data confidentiality.
Which of the following best fits the description that requires some assembly and can be operational within days?
Warm site. A warm site is a building preconfigured with utility services and may hold some equipment. Hardware will usually need to be shipped in and assembled. Telephone circuits will need to be switched over to the warm site and data loaded from backup tapes. Recovery time is measured in days.
Which of the below is BEST suited for secure communications within a small group?
Web of trust. Web of trust is a key distribution method suitable for communication in a small group as it guarantees reasonably good privacy (PGP) and distributes the public keys of users within a group. Other choices are for larger groups.
When can a warm site be used for recovery?
When the downtime is acceptable to the business without breaching any legal requirements. The warm site is acceptable to the business when the downtime is acceptable without breaching any legal requirements. Making a profit is not the reason for using a warm site.
How often should a business continuity plan be tested?
Whenever there are significant changes in the organization and annually.
An IS auditor performing a access control review should be concerned MAINLY with the:
authorization and authentication of the user prior to granting access to system resources. The authorization and authentication of users is the most major aspect in access control review as it is a preventive control. Weak controls at this level can affect all other features.
To arrange for protection for media backup stored at an offsite location, the storage site should be:
protected from unauthorized access. The offsite storage site should always be secure against unauthorized access and have at the minimum, the same security requirements as the primary site.
An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable:
reduces crosstalk between pairs. The use of UTP in copper will reduce the likelihood of crosstalk. While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping. Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater. The tools and techniques to install UTP are not simpler or easier than other copper-based cables.
What should the IS auditor initially identify while reviewing the configuration of network devices?
the importance of the network device in the topology. The IS auditor must understand the importance and role of the network device within the organization's network topology and then, the best practice for using the same should be reviewed to ensure there are no variances within the configuration
A perpetrator who wants to gain access and gather information on encrypted data transmitted over the network would use __________.
traffic analysis. Traffic analysis is a passive attack when messages are encrypted whereby an intruder determines the nature of the traffic flow between defined hosts. By analyzing session length, frequency and message length, the intruder is able to assess the type of communication being undertaken.
An IS auditor is reviewing an MNC in the mission critical business. He finds repeated failures in the network operations. Which topology is most appropriate to avoid this?
A mesh network topology with packet forwarding enabled at each host. A mesh network topology provides a point-to-point link between each network host. If each host is configured to route and forward communication, this topology provides the greatest redundancy in routes, and the greatest network fault tolerance. Star networks are one of the most common computer networks, and consists of one central switch, a hub or computer, which acts as a conduit to transmit messages. A bus network is an arrangement in which each node is connected to a main cable or link called the bus. A ring network is a network topology in which each node connects to two other nodes, forming a single continuous pathway for signals through each node in a ring. Data travels from node to node, with each node along the way handling every packet.
The IT team has decided to implement a virtual private network. What purpose does it serve?
A virtual private network (VPN) helps to secure access between the organization and its partners when communicating over an otherwise unsecured channel such as the Internet. A virtual private network (VPN) helps to secure access between an organization and its partners when communicating over an otherwise unsecured channel such as the Internet and thereby reduces risk.
While copying files from an USB, a user hosted a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A virus monitor on the user's personal computer. The most effective way to DETECT a virus would be through real-time antivirus monitoring at the user's desktop which would detect the virus before it was transferred to the system/network. All others are controls intended to prevent a computer virus from infecting the system.
Which of the following should be considered when setting your business continuity strategy?
All the above. A. Recovery time objectives B. Alternate sites available C. Testing time available at alternate sites. The strategy will be selected based on information obtained during the risk assessment and business impact analysis. All options should be considered when selecting the business continuity strategy.
Why is it important to have a clearly defined incident-handling process in place?
All the above. A. To avoid dealing with a computer and network threat in an ad hoc, reactive, and confusing manner B. In order to provide a quick reaction to a threat so that a company can return to normal operations as soon as possible C. In order to provide a uniform approach with certain expectations of the results. A clearly defined incident-handling process can be more cost-effective, enable recovery to happen more quickly, and provide a uniform approach with certain expectations of the results. Incident handling should be closely related to disaster recovery planning and should be part of the company s disaster recovery plan.
Internet Protocol Security (IPSec) is actually a suite of protocols. Each protocol within the suite provides different functionality. Which of the following is not a function or characteristic of IPSec?
Link Layer protection. IPSec is a protocol used to provide VPNs that use strong encryption and authentication functionality. It can work in two different modes: tunnel mode (payload and headers are protected) or transport mode (payload protection only). IPSec works at the network layer, not the data link layer.
A security manager for a credit card processing organization uses internal DNS servers, which are placed within the LAN, and external DNS servers, which are placed in the DMZ. The company also relies upon DNS servers provided by their service provider. He has found out that attackers have been able to manipulate several DNS server caches, which point employee traffic to malicious websites. Which of the following best describes the solution this company should implement?
DNSSEC. (DNS security, which is part of the many current implementations of DNS server software) works within a PKI and uses digital signatures, which allows DNS servers to validate the origin of a message to ensure that it is not spoofed and potentially malicious. If DNSSEC were enabled on server A, then server A would, upon receiving a response, validate the digital signature on the message before accepting the information to make sure the response is from an authorized DNS server. So even if an attacker sent a message to a DNS server, the DNS server would discard it because the message would not contain a valid digital signature. DNSSEC allows DNS servers to send and receive only authenticated and authorized messages b/w themselves and thwarts the attackers goal of poisoning a DNS cache table.
What are examples on "always on" communication line services?
DSL T-1 Leased lines Primary rate ISDN Frame Relay ATM *Standard telephone circuits are turned off when off in use.
What requires special handling during data back up?
Database files. Special backup procedures must be followed to ensure data integrity of database files which could be open. Typically, users must exit out of the database prior to backup. Otherwise, files are copied to a shadow database or second system where backups are executed without conflict.
During an audit, an IS auditor is informed by the IT team that security has been provided through a Firewall and DMZ to protect the host from an outside attack. Upon examination, the auditor finds the ports the firewall allows connect to services such WWW, SMTP, NetBIOS, and SQL. What would be the primary concern of the auditor?
Deficiency on application layer security and unpatched server software. Unpatched server software, poorly written application, and script code indicates vulnerabilities within the application. In a pure seven-layer model, defense against this at the lower levels as the controls at lower layers would only be able to address their respective layer of protocol, and not issues that occur above.
A company that relies heavily on one specific operating system which is used in the employee workstations and is embedded within devices that support the automated production line software. It is discovered the operating system has a vulnerability that could allow an attacker to force applications to not release memory segments after execution. Which of the following best describes the type of threat this vulnerability introduces?
Denial of service. Attackers have identified programming errors in operating systems that allow them to starve the system of its own memory. This means the attackers exploit a software vulnerability that ensures that processes do not properly release their memory resources. Memory is continually committed and not released, and the system is depleted of this resource until it can no longer function. This is an example of a denial-of-service attack.
Passive attacks
Designed to collect data without being detected. Passive attacks include eavesdropping to collect data by listening to the communication b/w network devices. The results of passive attacks are used to launch an active attack.
A security manager who needs to develop a solution to allow his company's mobile devices to be authenticated in a standardized and centralized manner using digital certificates. The applications these mobile clients use require a TCP connection. Which of the following is the best solution to implement?
Diameter using EAP. Diameter is a protocol that has been developed to build upon the functionality of RADIUS and to overcome many of its limitations. Diameter is a AAA protocol that provides the same type of functionality as RADIUS and TACACS+ and also provides more flexibility and capabilities, including working with EAP. RADIUS uses UDP, and cannot effectively deal well with remote access, IP mobility, and policy control.
News media attention should be
Directed to a single designated spokesperson. All inquiries and statements should be from the designated public information officer (PIO), the spokesperson for the organization. The PIO uses predefined scripts to deliver messages that have been vetted to ensure a positive image for the organization.
What is the fundamental difference between disaster recovery and business continuity?
Disaster recovery is focused on rebuilding; business continuity deals with revenue to continue in the market. Business continuity is intended to ensure that critical processes are restored in a timely manner and that revenue is not interrupted. With revenue, the organization will acquire the money necessary to survive
What priority would the BC/DR planner at a manufacturing company place upon warranty repair services for clients during a recovery?
Discretionary process. Providing warranty repair services is discretionary and would be discontinued during recovery. Core processes, such as sales, generate direct revenue. Supporting processes such as invoicing also help the core process bring in money. Everything else may be discontinued or shut down during recovery.
An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern?
Disk space utilization data is not kept current. Not knowing how much disk space is in use and therefore how much is needed at the disaster recovery site could create major issues in the case of a disaster. While it is not a best practice for security administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space. Physical security controls are important and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristic of the disaster recovery site may call for different controls that may appear to be less robust than the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site is not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.
Employees in the company have received several e-mail messages from unknown sources that try and entice her to click a specific link using a "Click Here" approach. Which of the following best describes the most likely taking place in this situation?
Embedded hyperlink is obfuscated. HTML documents and e-mails allow users to attach or embed hyperlinks in any given text, such as the Click Here links you commonly see in e-mail messages or webpages. Attackers misuse hyperlinks to deceive unsuspecting users into clicking rogue links. The most common approach is known as URL hiding.
Members that stay behind at the recovery site to monitor recovery operations are
Emergency management team members.
An IS auditor reviews the logs of a remotely managed server backup for 24 hours and finds a case where logging on a server has failed with the result that backup restarts cannot be established. What should the IS auditor do?
Expand the sample of logs reviewed. The IS auditor needs to gather sufficient and appropriate audit evidence for the prospective problem and conclude whether this is an isolated incident or a systematic control failure.
What is the principal reason to use a hot site?
Expensive and configured for use. The hot site is expensive, however it offers a better chance for recovery because it is already configured for use.
In terms of optimum management, the most ideal type of metric or measurement for IT services is
External. External measurements report how the customer would review the delivery of IT services. Performance and service metrics report on the external view of system availability, capacity management, turnaround time to resolves problems and so on. Metrics should review the IT requirements of end users, not only internal metrics.
An org has a large number of suppliers wants to have an online update of the material supply. It wishes to provide limited network access to it's suppliers. What should the org use?
Extranet. When limited access to corporate systems and networks are required, an extranet can be used which separates the internal systems from access. An intranet refers to the internal network.
An acceptable suppression medium for use in a fire control system?
FM-200. Halon gas is now banned b/c of its damaging effects to the earths ozone. Special exceptions exist for the use of halon in aircraft to distinguish fires during flight. Acceptable replacements for halon gas in computer rooms include FM-200 and NAF-S-3.
An IS auditor finds that an enterprise does not restrict the use, nor have a policy addressing the use, of universal serial bus (USB) storage devices. Which of the following would be MOST important for the IS auditor to recommend?
Implementing security software to prevent the use of USB ports for data transfer. The best method to prevent the use of portable media is through a hardware or software solution. Since the enterprise does not have a policy to address the use of portable drives, it is possible that management did not consider the risks associated with their use. Because of the portable nature of these drives, they are prone to being misplaced or lost. Option B is not correct because, while a policy would address use, it is not a strong enough method to prevent use. If there were an indication that management accepts the risks, then this would be the correct answer. Management should first understand the risks associated with the drives, and a decision should be made as to how risks will be controlled. Option C is not correct because a VPN solution does not address the use of portable media. A VPN is used for a secure method of remote access to a private network. Option D is not correct because it is not practical to disable all USB ports because they may be used for a mouse, local printer or other legitimate device.
The IS team finds they have incurred large expenses purchase of tapes due to daily backup of files. Which form of data backup can be substituted for the archive bit to copy only the files that have changed since the last backup?
Incremental. An incremental backup will read the archive bit to copy only those files that have changed since the last backup. The archive bit is a type of electronic flag to indicate which files have changed and should be in the next backup. A differential backup will copy every file that changed since the full backup was run.
What is the form of data backup that uses archive bit to copy only the files that have changed since the last back up?
Incremental. The archive bit is a type of electronic flag to indicate which files have changed and should be in the next backup. An archive bit value of 0 means no backup. A value of 1 is back up required. An incremental backup will reach the archive bit to copy only those files that have changed since the last back up (archive bit value 1), regardless of whether the back up was a full back up or an incremental back up. The incremental backup utility will reset the archive bit to 0 so that another incremental backup will not copy the same file. A differential back up will copy every file that changed since the full back up was run (bit value 1), never changing the archive bit (bit value remains 1). This makes the backup run longer each time and provides more copies of data on the backup tape. More is better in case a restore tape fails to work.
Older initials for IPF represent what?
Information processing facility. Synonym for data center.
Layer of the OSI model network routing occurs.
Layer 3. All network routing occurs in OSI layer 3. Layer 3 provides network addressing and uses static or dynamic routing protocols to forward packets to their intended destination. Network firewalls are implement at OSI layer 3.
What minimizes the risk of communication failures in an e-commerce environment?
Leased asynchronous transfer mode lines. They avoid using public and shared infrastructures from the carrier or the internet service provider with numerous communication failures.
ABC Inc. offers a number of services through its web site. During one day, senior executives of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to unauthorized individuals on the Internet. Post-incident investigations revealed that ABC Inc.'s key servers were infected with a Trojan. The incident occurred after deployment of a newly acquired module from a software vendor, which was tested on test servers in accordance with functional specifications. The incident had gone unnoticed for a period of about four weeks. A potential cause of the leak may have been malware embedded in the new module. Which of the following operational controls should have detected the incident sooner?
Intrusion detection system (IDS). An IDS should detect network behavior anomalies, which may have led to earlier detection. Vulnerability scanning identifies software vulnerabilities, but it does not detect malware. Reviewing the firewall rule-set is an important activity, but it won't help detect a data leak. While access control monitoring may help determine access to various information assets, malware may bypass the established access control process and would thus not be detected.
MAC Address
Is manufactured or burned into network equipment and is totally unique. The 48 bit MAC address is a serial number manufactured into network equipment. It's purpose is to ensure the machine is unique on the network. It is possible to override the MAC address by setting a locally defined MAC address. Locally defined addresses are used to facilitate parts replacement in higher security environments that use MAC address as part of the security settings.
The IT team has reviewed various options for confidentiality and finally agreed the SSL network protocol would be most appropriate. Why is this true?
It provides symmetric encryption such as Data Encryption Standard, or DES.
Governance needs to be measurable and derive metrics to understand degree of success and possible improvements. What metric is commonly used as a historical score?
KPI. Generated as a historical score using quantifiable measurements and indicate performance typically over time periods such as every quarter in a year.
Principle issue regarding symmetric key encryption.
Key Distribution. The difficulty of distributing a shared secret key without exposing it to an outsider. Symmetric key systems use the exact same key at both ends. A compromise of the key will compromise data in the entire encryption system.
The audit team has been informed by the Operations team that encryption keys have been provided for sensitive data. However, the auditors are still concerned about the keys being susceptible to attack. Before recording the observation, what should the auditors check for prevention of such attacks?
Key wrapping. Key wrapping is used to protect encryption keys from disclosure. Otherwise, encryption keys would be susceptible to the same attacks as data.