Domain 5: Protection of Information Assets

WORM media

'Write Once Read Many' a data storage device in which information, once written, cannot be modified. This write protection affords the assurance that the data cannot be tampered with once it is written to the device

Hashing algorithm

Code that creates a unique index from given items of key data. used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest.

check-sum based antispam filter

The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software.

Lock-in Clause Cloud Service contract

The vendor lock-in problem in cloud computing is the situation where customers are dependent (i.e. locked-in) on a single cloud provider technology implementation and cannot easily move in the future to a different vendor without substantial costs, legal constraints, or technical incompatibilities

Trojan Horse Virus

These are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature. hides inside other software, usually as an attachment or a downloadable file ex: downloading an attachment from an email b/c you believe it isn't suspicious

Application filtering gateway

These are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a packet level. This would be the best solution to protect an application

Routers

These can filter packets based on parameters, such as source address but are not primarily a security tool.

Echo check

These detect line errors by retransmitting data to the sending device for comparison with the original transmission.

environmental review

These examine physical security such as power and physical access

Packet filtering router

This examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control.

Race Condition

This exploit involves the timing of two events and an action that causes one event to happen later than expected.

Circuit-level gateway

This firewall, such as a Socket Secure server, will protect users by acting as a proxy but is not the best defense for a network.

data loss protection

This is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. This is a better choice than relying on training and awareness because it works equally well when there is intent to steal data.

Honeypot

Vulnerable computer that is set up to entice an intruder to break into it allows organization to collect information on the hacker's strategy

data wrapping

While companies have been monetising data in different ways, they are now sharing their data packaged as products to customers and partners. This mode of data monetisation is data wrapping and is being explored as one of the key ways to achieve monetisation.

sniffers

a computer tool to monitor traffic of networks When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer.

man-in-the-middle attack

a hacker placing himself between a client and a host to intercept communications between them common in bank fraud

VPN (Virtual Private Network)

a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network

peer-to-peer computing

a process in which people share the resources of their computer with computers owned by other people

session key

a single-use symmetric key used for encrypting all messages in one communication session it's a temporary key that is only used once, during one stretch of time, for encrypting and decrypting data; future conversations between the two parties would be encrypted with different session keys. like a password that has to be reset each time they log in

Certification Authority (CA)

a trusted organization or company that issues digital certificates used to create digital signatures and public-private key pairs

Baseband Network

A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker.

Block sum check

A block sum check is a form of parity checking and has a low level of reliability

proxy server

A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user.

dial up

A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today.

Stateful Inspection Firewall

A firewall that examines the state of a connection as well as simple address, port, and protocol rules to determine how to process a packet.

Black box penetration testing

A form of penetration testing where the tester is not given any system credentials. Used to simulate an external cyber attack Testers simulate an attack from someone who is unfamiliar with the system.

Shielded Twisted Pair (STP)

A twisted pair cable that has an aluminum shield inside the plastic jacket that surrounds the pairs of wires. traffic can be monitored with inexpensive equipment (not secure)

social engineering attack

A type of attack where the goal is to obtain sensitive data, including user names and passwords, from network users through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data.

A company determined that its web site was compromised, and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? a. A host-based intrusion prevention system b. A network-based intrusion detection system c. A firewall d. Operating system patching

a. A host-based intrusion prevention system the question asks about the serving HOSTING the application This prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator.

Which of the following groups would create MOST concern to an IS auditor if they havefull access to the production database? a. Application developers b. System administrators c. Business users d. Information security team

a. Application developers This bears the highest risk. Due to their focus on delivery of changes, they tend to bypass quality assurance controls installing deficient changes into production environment.

Which of the following would be BEST prevented by a raised floor in the computer machine room? a. Damage of wires around computers and servers b. A power failure from static electricity c. Shocks from earthquakes d. Water flood damage

a. Damage of wires around computers and servers water could be coming from above from a pipe leak and this would not protect the computers

An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor? a. Determine whether compensating controls are in place. b. Document the issue in the audit report. c. Recommend an update to the procedures. d. Discuss the issue with senior management.

a. Determine whether compensating controls are in place.

An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take? a. Determine whether this is a policy violation and document it. b. Document the observation as an exception. c. Recommend that all password configuration settings be identical. d. Recommend that logs of IT developer access are reviewed periodically.

a. Determine whether this is a policy violation and document it. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.

An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? a. Developers have the ability to create or de-provision servers. b. Developers could gain elevated access to production servers. c. Developers can affect the performance of production servers with their applications. d. Developers could install unapproved applications to any servers.

a. Developers have the ability to create or de-provision servers. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. b/d - When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.

The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor's response be? a. Digital signatures are not adequate to protect confidentiality. b. Digital signatures are adequate to protect confidentiality. c. The IS auditor should gather more information about the specific implementation. d. The IS auditor should recommend implementation of digital watermarking for secure email.

a. Digital signatures are not adequate to protect confidentiality. Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior-year's finding. c - Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality.

When installing an intrusion detection system, which of the following is MOST important? a. Properly locating it in the network architecture b. Preventing denial-of-service attacks c. Identifying messages that need to be quarantined d. Minimizing the rejection errors

a. Properly locating it in the network architecture Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected.

Which of the following methods BEST mitigates the risk of disclosing confidential information through the use of social networking sites? a. Providing security awareness training b. Requiring a signed acceptable use policy c. Monitoring the use of social media d. Prohibiting the use of social media through network controls

a. Providing security awareness training This is the best method to mitigate the risk of disclosing confidential information on social networking sites. It is important to remember that users may access these services through other means such as mobile phones and home computers; therefore, awareness training is most critical.

The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed? a. Reliability and quality of service b. Means of authentication c. Privacy of voice transmissions d. Confidentiality of data transmissions

a. Reliability and quality of service These are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service controls.

The use of residual biometric information to gain unauthorized access is an example of which of the following attacks? a. Replay b. Brute force c. Cryptographic d. Mimic

a. Replay key word: residual

If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack? a. Router configuration and rules b. Design of the internal network c. Updates to the router system software d. Audit testing and review techniques

a. Router configuration and rules Improper router configuration and rules could lead to an exposure to denial-of-service (DoS) attacks.

Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? a. Routing outbound Internet traffic through a content-filtering proxy server b. Routing inbound Internet traffic through a reverse proxy server c. Implementing a firewall with appropriate access rules d. Deploying client software utilities that block inappropriate content

a. Routing outbound Internet traffic through a content-filtering proxy server A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites.

Which of the following would MOST effectively reduce social engineering incidents? a. Security awareness training b. Increased physical security measures c. Email monitoring policy d. Intrusion detection systems

a. Security awareness training Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents.

A digital signature contains a message digest to: a. show if the message has been altered after transmission. b. define the encryption algorithm. c. confirm the identity of the originator. d. enable message transmission in a digital format.

a. show if the message has been altered after transmission. The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message. Key: question is about message digest not digital signature

A hacker could obtain passwords without the use of computer tools or programs through the technique of: a. social engineering b. sniffers c. back doors d. trojan horse

a. social engineering the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding their or someone else's personal data. (only technique not using a computer)

A hacker could obtain passwords without the use of computer tools or programs through the technique of: a. social engineering. b. sniffers. c. back doors. d. Trojan horses.

a. social engineering.

To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet: a. specifies the route that a packet should take through the network (the source routing field is enabled). b. puts multiple destination hosts (the destination field has a broadcast address in the destination field). c. indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on). d. allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled).

a. specifies the route that a packet should take through the network (the source routing field is enabled). Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing.

The Secure Sockets Layer protocol ensures the confidentiality of a message by using: a. symmetric encryption. b. message authentication codes. c. hash function. d. digital signature certificates.

a. symmetric encryption.

Which of the following would be the BEST access control procedure? a. The data owner formally authorizes access and an administrator implements the user authorization tables. b. Authorized staff implements the user authorization tables and the data owner approves them. c. The data owner and an IS manager jointly create and update the user authorization tables. d. The data owner creates and updates the user authorization tables.

a. the data owner formally authorizes access and an administrator implements the user authorization tables The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: a. the users may not remember to manually encrypt the data before transmission. b. the site credentials were sent to the financial services company via email. c. personnel at the consulting firm may obtain access to sensitive data. d. the use of a shared user ID to the FTP site does not allow for user accountability.

a. the users may not remember to manually encrypt the data before transmission.

Which of the following controls would be MOST effective in reducing the risk of loss due to fraudulent online payment requests? a. transaction monitoring b. Protecting web sessions using Secure Sockets Layer c. Enforcing password complexity for authentication d. Inputting validation checks on web forms

a. transaction monitoring An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. Ex; think about the bank if you make a strange purchase they may ask you about it b/c the monitor your usual behaviors

Which of the following cryptography options would increase overhead/cost? a. The encryption is symmetric rather than asymmetric. b. A long asymmetric encryption key is used. c. The hash is encrypted rather than the message. d. A secret key is used.

b. A long asymmetric encryption key is used. Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold.

An IS auditor reviewing a network log discovers that an employee ran elevated commands on their PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack? a. A race condition b. A privilege escalation c. A buffer overflow d. An impersonation

b. A privilege escalation This is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card? a. Intrusion detection systems b. Data mining techniques c. Stateful inspection firewalls d. Packet filtering routers

b. Data mining techniques Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern? a. Wireless mobile devices are not password-protected. b. Default passwords are not changed when installing network devices. c. An outbound web proxy does not exist. d. All communication links do not use encryption.

b. Default passwords are not changed when installing network devices. The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment.

Which of the following preventive controls BEST helps secure a web application? a. Password masking b. Developer training c. Use of encryption d. Vulnerability testing

b. Developer training Of the given choices, teaching developers to write secure code is the best way to secure a web application.

When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? a. There is no registration authority for reporting key compromises. b. The certificate revocation list is not current. c. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. d. Subscribers report key compromises to the certificate authority.

b. The certificate revocation list is not current. If the certificate revocation list is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities.

The GREATEST benefit of having well-defined data classification policies and procedures is: a. a more accurate inventory of information assets. b. a decreased cost of controls. c. a reduced risk of inappropriate system access. d. an improved regulatory compliance.

b. a decreased cost of controls. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, costlier than is required based on the data classification.

During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? a. Network equipment failure b. Distributed denial-of-service attack c. Premium-rate fraud (toll fraud) d. Social engineering attack

b. Distributed denial-of-service attack This would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications.

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? a. Server-based antivirus software b. Enterprise-based antivirus software c. Workstation-based antivirus software d. Perimeter-based antivirus software

b. Enterprise-based antivirus software An important means of controlling the spread of viruses is to deploy an enterprisewide antivirus solution that will monitor and analyze traffic at many points. This provides a layered defense model that is more likely to detect malware regardless of how it comes into the organization— through a universal serial bus (USB) or portable storage, a network, an infected download or malicious web application.

A data center has a badge-entry system. Which of the following is MOST important to protect the computing assets in the center? a. Badge readers are installed in locations where tampering would be noticed. b. The computer that controls the badge system is backed up frequently. c. A process for promptly deactivating lost or stolen badges is followed. d. All badge entry attempts are logged, whether or not they succeed.

c. A process for promptly deactivating lost or stolen badges is followed. The biggest risk is from unauthorized individuals who can enter the data center, whether they are employees or not. Thus, having and following a process of deactivating lost or stolen badges is important.

A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed? a. On the local network b. Outside the firewall c. In the demilitarized zone d. On the server that hosts the web site

c. In the demilitarized zone Network-based intrusion detection systems (IDSs) detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the DMZ. An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to act.

While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's NEXT step? a. Observe the response mechanism. b. Clear the virus from the network. c. Inform appropriate personnel immediately. d. Ensure deletion of the virus.

c. Inform appropriate personnel immediately. The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program? a. Review the security training program. b. Ask the security administrator. c. Interview a sample of employees. d. Review the security reminders to employees.

c. Interview a sample of employees. This is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined, and effective security is dependent on people. Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness training.

An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? a. Ensure that ports 80 and 443 are blocked at the firewall. b. Inspect file and access permissions on all servers to ensure that all files have read-only access. c. Perform a web application security review. d. Make sure that only the IP addresses of existing customers are allowed through the firewall.

c. Perform a web application security review. This is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? a. The tools used to conduct the test b. Certifications held by the IS auditor c. Permission from the data owner of the server d. An intrusion detection system is enabled

c. Permission from the data owner of the server The data owner should be informed of the risk associated with a penetration test, the timing of the test, what types of tests are to be conducted and other relevant details.

An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? a. The tools used to conduct the test b. Certifications held by the IS auditor c. Permission from the data owner of the server d. An intrusion detection system is enabled

c. Permission from the data owner of the server he data owner should be informed of the risk associated with a penetration test, the timing of the test, what types of tests are to be conducted and other relevant details.

Electromagnetic emissions from a terminal represent a risk because they: a. could damage or erase nearby storage media. b. can disrupt processor functions. c. could have adverse health effects on personnel. d. can be detected and displayed.

d. can be detected and displayed. Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized persons access to data. TEMPEST is a term referring to the investigation and study of compromising emanations of unintentional intelligence-bearing signals that, if intercepted and analyzed, may reveal their contents.

In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides: a. connectionless integrity. b. data origin authentication. c. antireplay service. d. confidentiality.

d. confidentiality. Only the Encapsulating Security Payload (ESP) protocol provides confidentiality via encryption. **encapsulating it you are hiding things

A human resources company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? a. The password for the wireless network is changed on a weekly basis. b. A stateful inspection firewall is used between the public wireless and company networks. c. The public wireless network is physically segregated from the company network. d. An intrusion detection system is deployed within the wireless network.

c. The public wireless network is physically segregated from the company network.

Which of the following is the MOST reliable method to ensure identity of sender for messages transferred across Internet? a. Digital signatures b. Asymmetric cryptography c. Digital certificates d. Message authentication code

c. digital certificates These are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository.

An organization discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take would be to: a. contact the appropriate law enforcement authorities to begin an investigation. b. immediately ensure that no additional data are compromised. c. disconnect the PC from the network. d. update the antivirus signature on the PC to ensure that the malware or virus is detected and removed.

c. disconnect the PC from the network. The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? a. Inheritance b. Dynamic warehousing c. Encapsulation d. Polymorphism

c. encapsulation This is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed.

Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is: a. restricted to predefined media access control addresses. b. encrypted using static keys. c. encrypted using dynamic keys. d. initiated from devices that have encrypted storage.

c. encrypted using dynamic keys. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted.

The BEST overall quantitative measure of the performance of biometric control devices is: a. false-rejection rate. b. false-acceptance rate. c. equal-error rate. d. estimated-error rate.

c. equal-error rate. This is a combination of a low false-rejection rate (FRR) and a low false-acceptance rate (FAR). EER, expressed as a percentage, is a measure of the number of times that the FRR and FAR are equal. A low EER is the measure of the more effective biometrics control device.

A certificate authority (CA) can delegate the processes of: a. revocation and suspension of a subscriber's certificate. b. generation and distribution of the CA public key. c. establishing a link between the requesting entity and its public key. d. issuing and distributing subscriber certificates.

c. establishing a link between the requesting entity and its public key.

Which of the following types of transmission media provide the BEST security against unauthorized access? a. Copper wire b. Shielded twisted pair c. Fiber-optic cables d. Coaxial cables

c. fiber-optic cables Fiber-optic cables have proven to be more secure and more difficult to tap than the other media. think commercials always saying how great fiber optics is

Which control is the BEST way to ensure that the data in a file have not been changed during transmission? a. Reasonableness check b. Parity bits c. Hash values d. Check digits

c. hash values These are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.

Which of the following provides the MOST relevant information for proactively strengthening security settings? a. Bastion host b. Intrusion detection system c. Honeypot d. Intrusion prevention system

c. honey pot The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.

An IS auditor reviewing the authentication controls of an organization should be MOST concerned if: a. user accounts are not locked out after five failed attempts. b. passwords can be reused by employees within a defined time frame. c. system administrators use shared login credentials. d. password expiration is not automated.

c. system administrators use shared login credentials. The use of shared login credentials makes accountability impossible. This is especially a risk with privileged accounts.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: a. the good practices for the type of network devices deployed. b. whether components of the network are missing. c. the importance of the network devices in the topology. d. whether subcomponents of the network are being used appropriately.

c. the importance of the network devices in the topology. need to first understand how the network is wired to communicate before knowing if anything is missing or best practices are being used

When using public key encryption to secure data being transmitted across a network: a. both the key used to encrypt and decrypt the data are public. b. the key used to encrypt is private, but the key used to decrypt the data is public. c. the key used to encrypt is public, but the key used to decrypt the data is private. d. both the key used to encrypt and decrypt the data are private.

c. the key used to encrypt is public but they key used to decrypt the data is private think about the private key as a password to the data

Java applets and Active X controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when: a. a firewall exists. b. a secure web connection is used. c. the source of the executable file is certain. d. the host web site is part of the organization.

c. the source of the executable is certain Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over a network would MOST likely use: a. eavesdropping. b. spoofing. c. traffic analysis. d. masquerading.

c. traffic analysis. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted, and eavesdropping would not yield any meaningful results.

Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? a. Sensitive data might be read by operators. b. Data might be amended without authorization. c. Unauthorized report copies might be printed. d. Output might be lost in the event of system failure.

c. unauthorized report copies might be printed Spooling for offline printing may enable additional copies to be printed unless adequate safeguards exist as compensating controls.

During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: a. an unauthorized user may use the ID to gain access. b. user access management is time consuming. c. user accountability is not established. d. passwords are easily guessed.

c. user accountability is not established. might not be able to trace actions back to a single user

The use of digital signatures: a. requires the use of a one-time password generator. b. provides encryption to a message. c. validates the source of a message. d. ensures message confidentiality.

c. validates the source of a message. what does a signature on a letter do?

An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved. Which of the following choices would be of MOST concern to the IS auditor? a. End users are not aware of incident reporting procedures. b. Log servers are not on a separate network. c. Backups are not performed consistently. d. There is no chain of custody policy.

d - chain of custody Organizations should have a policy in place that directs employees to follow certain procedures when collecting evidence that may be used in a court of law.

The role of the certificate authority (CA) as a third party is to: a. provide secured communication and networking services based on certificates. b. host a repository of certificates with the corresponding public and secret keys issued by that CA. c. act as a trusted intermediary between two communication partners. d. confirm the identity of the entity owning a certificate issued by that CA.

d. confirm the identity of the entity owning a certificate issued by that CA. The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.

The PRIMARY purpose of installing data leak prevention software is to: a. restrict user access to confidential files stored on servers. b. detect attempts to destroy sensitive data in an internal network. c. block external systems from accessing internal resources. d. control confidential documents leaving the internal network.

d. control confidential documents leaving the internal network. A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network.

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? a. Parity check b. Echo check c. Block sum check d. Cyclic redundancy check

d. cyclic redundancy check CRC can check for a block of transmitted data. The workstations generate the CRC and transmit it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. If both of them are equal, then the block is assumed error free. In this case (such as in parity error or echo check), multiple errors can be detected. In general, CRC can detect all single-bit and double-bit errors.

An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend? a. Encrypted mail accounts b. Training and awareness c. Activity monitoring d. Data loss prevention

d. data loss protection This is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders. This is a better choice than relying on training and awareness because it works equally well when there is intent to steal data.

Which of the following line media would provide the BEST security for a telecommunication network? a. Broadband network digital transmission b. Baseband network c. Dial-up d. Dedicated lines

d. dedicated lines key word - security these are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

An IS auditor is reviewing an organization's controls related to email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality. email is: a. encrypted with the sender's private key and decrypted with the sender's public key. b. encrypted with the recipient's private key and decrypted with the sender's private key. c. encrypted with the sender's private key and decrypted with the recipient's private key. d. encrypted with the recipient's public key and decrypted with the recipient's private key.

d. encrypted with the recipient's public key and decrypted with the recipient's private key. Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality, because only the intended recipient has the correct private key to decrypt the message.

An accuracy measure for a biometric system is: a. system response time. b. registration time. c. input file size. d. false-acceptance rate.

d. false-acceptance rate Three main accuracy measures are used for a biometric solution: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate.

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on process. To prevent unauthorized access, the MOST important action is to: a. monitor failed authentication attempts. b. review log files regularly. c. deactivate unused accounts promptly. d. mandate a strong password policy.

d. mandate a strong password policy. Strong passwords are important in any environment but take on special importance in an SSO environment, where a user enters a password only one time and thereafter has general access throughout the environment. Of the options given, only a strong password policy offers broad preventative effects. think what do we test

Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to: a. ensure prompt communication of adverse events to relevant management. b. contain costs related to maintaining disaster recovery plan capabilities. c. ensure that customers are promptly notified of issues such as security breaches. d. minimize the duration and impact of system outages and security incidents.

d. minimize the duration and impact of system outages and security incidents. An incident response plan helps minimize the impact of an incident because it provides a controlled response to incidents. The phases of the plan include planning, detection, evaluation, containment, eradication, escalation, response, recovery, reporting, postincident review and a review of lessons learned.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: a. recommend that mandatory access control (MAC) be implemented. b. report this as a finding to upper management. c. report this to the data owners to determine whether it is an exception. d. not report this issue because discretionary access controls are in place.

d. not report this issue because discretionary access controls are in place. Discretionary access control (DAC) allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.

The implementation of which of the following would MOST effectively prevent unauthorized access to a system administration account on a web server? a. Host intrusion detection software installed on a server b. Password expiration and lockout policy c. Password complexity rules d. Two-factor authentication

d. two-factor authentication This requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.

A cyclic redundancy check is commonly used to determine the: a. accuracy of data input. b. integrity of a downloaded program. c. adequacy of encryption. d. validity of data transfer.

d. validity of data transfer. The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check.

Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? a. Proxy server b. Firewall installation c. Demilitarized zone d. Virtual private network

d. vpn The best way to secure remote access is through the use of encrypted VPNs. This would allow remote users a secure connection to the main systems. While firewall installations are the primary line of defense, they would need to have encryption and a VPN to secure remote access traffic.

IS management recently replaced its existing wired local area network with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? a. Port scanning b. Back door c. Man-in-the-middle d. War driving

d. war driving wifi think war driving This attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.

Web cache server

designed to improve the speed of retrieving the most common or recently visited web pages. ex: helpdesk telling you to clear your cache to help things go faster

message digest

designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message.

Which of the following BEST ensures the integrity of a server's operating system? a. protecting the server in a secure location b. setting a boot password c. hardening the server configuration d. implementing activity logging

hardening the server configuration This means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.

Dynamic Host Configuration Protocol

is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway. benefits: reliable, reduced network administration

Certificate Authority (CA)

is a company or organization that acts to validate the identities of entities (such as websites, email addresses, companies, or individual persons) and bind them to cryptographic keys through the issuance of electronic documents known as digital certificates. A digital certificate provides: -authentication - encryption -integrity

pharming attack

is a form of online fraud involving malicious code and fraudulent websites. Cybercriminals install malicious code on your computer or server. The code automatically directs you to bogus websites without your knowledge or consent by exploiting vulnerabilities of the Domain Name System (DNS) server. The goal is to get you to provide personal information, like payment card data or passwords, on the false websites. Cybercriminals could then use your personal information to commit financial fraud and identity theft.

key logging attack

is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.

shoulder surfing

looking over the shoulder of a person to view sensitive information on a screen or desk, would not be prevented by the implementation of this policy.

passive attack

one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis.

Voice over Internet Protocol (VoIP)

phone calls transferred in digital packets over the Internet rather than on circuit-switched telephone wires ex; skype, zoom

Rootkit

program that hides in a computer and allows someone from a remote location to take full control of the computer

network topology

the layout of the computers and devices in a communications network

brute force attack

the password cracker tries every possible combination of characters can't circumvent two factor authentication

hash totals

the use of has totals is an effective method to reliably detect errors in data processing a hash total would detect errors in data processing

hardening

to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS

coaxil cable

traffic can be monitored with inexpensive equipment (not secure)

copper wire

traffic can be monitored with inexpensive equipment (not secure)

Parity check

A process used to detect errors in memory or data communication. it has a reliability of approximately 50 percent. In higher transmission rates, this limitation is significant.

Message Digest

A small representation of a larger message. Message digests are used to ensure the authentication and integrity of information, not the confidentiality.

certification practice statement

A statement of the practices that a Certification Authority employs in issuing, suspending, revoking, and renewing certificates and providing access to them, in accordance with specific requirements (i.e., requirements specified in this Certificate Policy, or requirements specified in a contract for services).

bastion host

A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall.

Replay Attack

A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.

brute force attack

An attack on passwords or encryption that tries every possible password or encryption key. a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found

Which fire suppression gas is safe for human life?

As per CRM, FM-200 & Argonite gases are safe for human life. However, it must be noted that Argonite, though environment friendly & non-toxic, people have suffocated by breathing argon by mistake. CO2 & Halon gases are not safe for human life.

Active Attack

Attack where the attacker does interact with processing or communication activities. ex: masquerading, denial of service, email spoofing

biometric information

are physical or behavioral human characteristics to that can be used to digitally identify a person to grant access to systems, devices or data. EX: Fingerprint Scanner, facial recognition, voice, digital signature

Penetration Testing

Professional hacking to access data and computing power without being granted access; professional pen-testers are hired to identify and repair vulnerabilities and only work once, given written permission to obtain ungranted access.

Applets

Small programs written in Java, which are downloaded as needed and executed within a Web page or browser.

Which of the following is a form of two-factor user authentication? a. A smart card and personal identification number b. A unique user ID and complex, non-dictionary password c. An iris scan and a fingerprint scan d. A magnetic strip card and a proximity badge

a. A smart card and personal identification number A smart card is something that a user has, while a personal identification number paired with the card is something the user knows. This is an example of two-factor authentication.

Which of the following is the MOST important action in recovering from a cyberattack? a. Activating an incident response team b. Hiring cyberforensic investigators c. Executing a business continuity plan d. Preserving evidence

a. Activating an incident response team Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational.

Which of the following situations would increase the likelihood of fraud? a. Application programmers are implementing changes to production programs. b. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures. c. Operations support staff members are implementing changes to batch schedules. d. Database administrators are implementing changes to data structures.

a. Application programmers are implementing changes to production programs. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. think what we test

Which of the following is the BEST control over a guest wireless ID that is given to vendor staff? a. Assignment of a renewable user ID which expires daily b. A write-once log to monitor the vendor's activities on the system c. Use of a user ID format similar to that used by employees d. Ensuring that wireless network encryption is configured properly

a. Assignment of a renewable user ID which expires daily A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization.

In what capacity would an IS auditor MOST likely see a hash function applied? a. Authentication b. Identification c. Authorization d. Encryption

a. Authentication The purpose of a hash function is to produce a "fingerprint" of data that can be used to ensure integrity and authentication. A hash of a password also provides for authentication of a user or process attempting to access resources.

Which of the following would BEST ensure continuity of a wide area network across the organization? a. Built-in alternative routing b. Complete full system backup daily c. A repair contract with a service provider d. A duplicate machine alongside each server

a. Built-in alternative routing Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic.

An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? a. Chain of custody of electronic evidence b. System breach notification procedures c. Escalation procedures to external agencies d. Procedures to recover lost data

a. Chain of custody of electronic evidence The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. Think: legal requirements come first

Which of the following is the MOST important security consideration to an organization that wants to move a business application to external cloud service (PaaS) provided by a vendor? a. Classification and categories of data process by the application. b. Cost of hosting the application internally versus externally. c. A reputation of a vendor on the market and feedbacks from clients. d. Drop of application performance due to use of shared services.

a. Classification and categories of data process by the application Types of data and its sensitivity is a primary consideration, as there might be legal obligations related to data hosting and its level of protection (e.g., personal information, banking information, health information, etc.).

Which of the following is an advantage of elliptic curve encryption over RSA encryption? a. Computation speed b. Ability to support digital signatures c. Simpler key distribution d. Message integrity controls

a. Computation speed The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA. **Think elliptical = speed

Which of the following BEST encrypts data on mobile devices? a. Elliptical curve cryptography b. Data encryption standard c. Advanced encryption standard d. The Blowfish algorithm

a. Elliptical curve cryptography requires limited bandwidth resources and is suitable for encrypting mobile devices.

Which of the following is MOST indicative of the effectiveness of an information security awareness program? a. Employees report more information regarding security incidents. b. All employees have signed the information security policy. c. Most employees have attended an awareness session. d. Information security responsibilities have been included in job descriptions.

a. Employees report more information regarding security incidents. they are understood and applied Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are acting as a consequence of the awareness program.

Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC systems? a. Enforce use of a password-protected screen saver b. Implement proximity-based authentication system c. Terminate user session at predefined intervals d. Adjust power management settings so the monitor screen is blank

a. Enforce use of a password-protected screen saver A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training.

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? a. False-acceptance rate b. Equal-error rate c. False-rejection rate d. False-identification rate

a. False-acceptance rate in a HIGHLY secure environment FAR is more important than ERR This is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important that the impact on the false reject rate.

Which one of the following can be used to provide automated assurance that proper data files are being used during processing? a. File header record b. Version usage c. Parity checking d. File security controls

a. File header record This provides assurance that proper data files are being used, and it allows for automatic checking.

Which of the following would be an indicator of the effectiveness of a computer security incident response team? a. Financial impact per security incident b. Number of security vulnerabilities that were patched c. Percentage of business applications that are being protected d. Number of successful penetration tests

a. Financial impact per security incident The most important indicator is the financial impact per security incident. It may not be possible to prevent incidents entirely, but the team should be able to limit the cost of incidents through a combination of effective prevention, detection and response

Which of the following specifically addresses how to detect cyberattacks against an organization's IT systems and how to recover from an attack? a. An incident response plan b. An IT contingency plan c. A business continuity plan d. A continuity of operations plan

a. Incident response plan cyber attack is an incident

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? a. Malicious code could be spread across the network. b. The VPN logon could be spoofed. c. Traffic could be sniffed and decrypted. d. The VPN gateway could be compromised.

a. Malicious code could be spread across the network. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic.

Which of the following features of a public key infrastructure is MOST closely associated with proving that an online transaction was authorized by a specific customer? a. Nonrepudiation b. Encryption c. Authentication d. Integrity

a. Nonrepudiation This, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.

An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? a. Physically secure wireless access points to prevent tampering. b. Use service set identifiers that clearly identify the organization. c. Encrypt traffic using the Wired Equivalent Privacy mechanism. d. Implement the Simple Network Management Protocol to allow active monitoring.

a. Physically secure wireless access points to prevent tampering. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to restore weak default passwords and encryption keys, or to totally remove authentication and encryption from the network.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? a. Power line conditioners b. Surge protective devices c. Alternative power supplies d. Interruptible power supplies

a. Power line conditioners These are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. **alternative power - These are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply to compensate for the power loss until the alternate power supply becomes available.

An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production? a. Server configuration has been hardened appropriately. b. Allocated physical resources are available. c. System administrators are trained to use the VM architecture. d. The VM server is included in the disaster recovery plan.

a. Server configuration has been hardened appropriately. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture.

Which of the following intrusion detection systems will MOST likely generate false alarms resulting from normal network activity? a. Statistical-based b. Signature-based c. Neural network d. Host-based

a. Statistical-based **statistically will generate false alarms A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious.

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? a. The local area network (LAN) switches are not connected to uninterruptible power supply units. b. Network cabling is disorganized and not properly labeled. c. The telephones are using the same cable used for LAN connections. d. The wiring closet also contains power lines and breaker panels.

a. The local area network (LAN) switches are not connected to uninterruptible power supply units. Voice-over Internet Protocol (VoIP) telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls.

The FIRST step in data classification is to: Select an answer: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.

a. establish ownership Data classification is necessary to define access rules based on a need-to-do and need-to- know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification.

Which of the following is an example of a passive cybersecurity attack? a. Traffic analysis b. Masquerading c. Denial-of-service d. Email spoofing

a. Traffic analysis A passive attack is one that monitors or captures network traffic but does not in any way modify, insert or delete the traffic. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. key word: passive

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks? a. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. b. The contingency plan for the organization cannot effectively test controlled access practices. c. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control. d. Removing access for those who are no longer authorized is complex.

a. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. piggybacking/tailgating - people are always the biggest issue at an org, people are polite and hold the door etc

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following offers the STRONGEST security? a. Use of a point-to-point leased line b. Use of a firewall rule to allow only the Internet Protocol address of the remote site c. Use of two-factor authentication d. Use of a nonstandard port for Telnet

a. Use of a point-to-point leased line A leased line will effectively extend the local area network of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet.

Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? a. Virtual Private Network b. Dedicated line C. Leased Line D. Integrated services digital network

a. VPN The most secure method is a virtual private network, using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet. EX; most clients have vpn regardless of size

Which of the following is the MOST effective control over visitor access to a data center? a. Visitors are escorted. b. Visitor badges are required. c. Visitors sign in. d. Visitors are spot-checked by operators.

a. Visitors are escorted. Escorting visitors will provide the best assurance that visitors have permission to access defined areas within the data processing facility.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective? a. VoIP infrastructure needs to be segregated using virtual local area networks. b. Buffers need to be introduced at the VoIP endpoints. c. Ensure that end-to-end encryption is enabled in the VoIP system. d. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

a. VoIP infrastructure needs to be segregated using virtual local area networks. this would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime).

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? a. An application-level gateway b. A remote access server c. A proxy server d. Port scanning

a. an application-level gateway This is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each package—not only in layers one through four of the Open System Interconnection model, but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol, File Transfer Protocol, Simple Network Management Protocol, etc.).

A review of wide area network (WAN) usage discovers that traffic on one communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that: a. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. b. WAN capacity is adequate for the maximum traffic demands because saturation has not been reached. c. the line should immediately be replaced by one with a larger capacity to provide approximately 85 percent saturation. d. users should be instructed to reduce their traffic demands or distribute them across all service hours to flatten bandwidth consumption.

a. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time. **always start with analysis/research into issue** The peak at 96 percent could be the result of a one-off incident (e.g., a user downloading a large amount of data); therefore, analysis to establish whether this is a regular pattern and what causes this behavior should be carried out before expenditure on a larger line capacity is recommended.

The PRIMARY goal of a web site certificate is: a. authentication of the web site that will be surfed. b. authentication of the user who surfs through that site. c. preventing surfing of the web site by hackers. d. the same purpose as that of a digital certificate.

a. authentication of the web site that will be surfed.

The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: a. connecting points are available in the facility to connect laptops to the network. b. users take precautions to keep their passwords confidential. c. terminals with password protection are located in insecure locations. d. terminals are located within the facility in small clusters under the supervision of an administrator.

a. connecting points are available in the facility to connect laptops to the network. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access.

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? a. field definition

a. field definition referential integrity in a relational database refers to consistency between coupled tables Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table's primary key or a candidate key.

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? a. Corruption of the Address Resolution Protocol cache in Ethernet switches b. Use of a default administrator password on the analog phone switch c. Deploying virtual local area networks without enabling encryption d. End users having access to software tools such as packet sniffer applications

a. corruption of the address resolution protocol cache in ethernet switches **SAYS CORRUPTION others dont say it happened On an Ethernet switch there is a data table known as the ARP cache, which stores mappings between media access control and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic.

The technique used to ensure security in virtual private networks is called: a. data encapsulation. b. data wrapping. c. data transformation. d. data hashing.

a. data encapsulation Encapsulation, or tunneling, is a technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network.

With the help of a security officer, granting access to data is the responsibility of: a. data owners. b. programmers. c. system analysts. d. librarians.

a. data owners These individuals are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners' approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update).

An IS auditor performing detailed network assessments and access control reviews should FIRST: a. determine the points of entry into the network. b. evaluate users' access authorization. c. assess users' identification and authorization. d. evaluate the domain-controlling server configuration.

a. determine the points of entry into the network. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry, accordingly, for appropriate controls.

An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by: a. digitally signing all email messages. b. encrypting all email messages. c. compressing all email messages. d. password protecting all email messages.

a. digitally signing all email messages.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem using global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network when the CIO travels outside of the office. The IS auditor should: a. do nothing because the inherent security features of GSM technology are appropriate. b. recommend that the CIO stop using the laptop computer until encryption is enabled. c. ensure that media access control address filtering is enabled on the network so unauthorized wireless users cannot connect. d. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

a. do nothing because the inherent security features of GSM technology are appropriate. The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. The confidentiality of the communication on the GSM radio link is ensured by the use of encryption and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11 wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled

During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: a. encryption. b. callback modems. c. message authentication. d. dedicated leased lines.

a. encryption Encryption of data is the most secure method of protecting confidential data from exposure.

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: a. enrollment. b. identification. c. verification. d. storage.

a. enrollment The users of a biometric device must first be enrolled in the device. Identification - The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes. Verification - A user applying for access will be verified against the stored enrolled value. storage - The biometric stores sensitive personal information, so the storage must be secure.

From a control perspective, the PRIMARY objective of classifying information assets is to: a. establish guidelines for the level of access controls that should be assigned. b. ensure access controls are assigned to all information assets. c. assist management and auditors in risk assessment. d. identify which assets need to be insured against losses.

a. establish guidelines for the level of access controls that should be assigned. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.

The MOST serious challenge in the operation of an intrusion detection system is: a. filtering false positive alerts. b. learning vendor specific protocols. c. updating vendor-specific protocols. d. blocking eligible connections.

a. filtering false positive alerts. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? a. Firewalls b. Routers c. Layer 2 switches d. Virtual local area networks

a. firewalls Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.

The FIRST step in a successful attack to a system is: a. gathering information. b. gaining access. c. denying services. d. evading detection.

a. gathering information. reconnaissance -Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack.

When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the: a. hardware is protected against power surges. b. integrity is maintained if the main power is interrupted. c. immediate power will be available if the main power is lost. d. hardware is protected against long-term power fluctuations.

a. hardware is protected against power surges. A voltage regulator protects against short-term power fluctuations.

The MOST important difference between hashing and encryption is that hashing: a. is irreversible. b. output is the same length as the original message. c. is concerned with integrity and security. d. is the same at the sending and receiving end.

a. hashing is irreversible Hashing works one way—by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption.

Validated digital signatures in an email software application will: a. help detect spam. b. provide confidentiality. c. add to the workload of gateway servers. d. significantly reduce available bandwidth.

a. help detect spam. Validated electronic signatures are based on qualified certificates that are created by a certificate authority, with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured, and a sender can be tracked. The recipient can configure his/her email server or client to automatically delete emails from specific senders.

Which of the following functions is performed by a virtual private network? a. Hiding information from sniffers on the net b. Enforcing security policies c. Detecting misuse or mistakes d. Regulating access

a. hiding information from sniffers on the net A virtual private network (VPN) hides information from sniffers on the Internet using tunneling. It works based on encapsulation and encryption of sensitive traffic. A VPN is not used to regulate access. A user may have to log in to use a VPN, but that is not the purpose of the VPN. Domain

The risk of dumpster diving is BEST mitigated by: a. implementing security awareness training. b. placing shred bins in copy rooms. c. developing a media disposal policy. d. placing shredders in individual offices.

a. implementing security awareness training. wet resources always biggest issue Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective.

An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that: a. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. b. access cards are not labeled with the organization's name and address to facilitate easy return of a lost card. c. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards. d. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.

a. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card, driver's license).

The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service attack is to deny all: a. outgoing traffic with source addresses external to the network. b. incoming traffic with discernible spoofed IP source addresses. c. incoming traffic that includes options set in the Internet Protocol. d. incoming traffic whose destination address belongs to critical hosts.

a. outgoing traffic with source addresses external to the network. Outgoing traffic with an Internet Protocol (IP) source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack.

A characteristic of User Datagram Protocol in network communications is: a. packets may arrive out of order. b. increased communication latency. c. incompatibility with packet broadcast. d. error correction may slow down processing.

a. packets may arrive out of order. User Datagram Protocol (UDP) uses a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped.

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is: a. parameter tampering. b. cross-site scripting. c. cookie poisoning. d. stealth commanding.

a. parameter tampering. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: a. periodic review of user activity logs. b. verification of user authorization at the field level. c. review of data communication access activity logs. d. periodic review of changing data files.

a. periodic review of user activity logs. General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted.

The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? a. Piggybacking b. Shoulder surfing c. Dumpster diving d. Impersonation

a. piggybacking This refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area.

The purpose of a mantrap controlling access to a computer facility is PRIMARILY to: a. prevent piggybacking. b. prevent toxic gases from entering the data center. c. starve a fire of oxygen. d. prevent rapid movement in or out of the facility.

a. prevent piggybacking. think of a turnstile to get into an office - stops unauthorized people getting in

Web and email filtering tools are valuable to an organization PRIMARILY because they: a. protect the organization from viruses and nonbusiness materials. b. maximize employee performance. c. safeguard the organization's image. d. assist the organization in preventing legal issues

a. protect the organization from viruses and nonbusiness materials. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice: a. reduces the risk of unauthorized access to the network. b. is not suitable for small networks. c. automatically provides an IP address to anyone. d. increases the risk associated with Wireless Encryption Protocol.

a. reduces the risk of unauthorized access to the network. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? a. Review the parameter settings. b. Interview the firewall administrator. c. Review the actual procedures. d. Review the device's log file for recent attacks.

a. review the parameter settings A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation.

Which of the following types of firewalls would BEST protect a network from an Internet attack? a. Screened subnet firewall b. Application filtering gateway c. Packet filtering router d. Circuit-level gateway

a. screened subnet firewall This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network.

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data? a. Secure Sockets Layer b. Intrusion detection system c. Public key infrastructure d. Virtual private network

a. secure sockets layer This is used for many e-commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code. public key infrastructure is used in conjunction with SSL or for securing communications such as e-commerce and email.

The reason a certification and accreditation process is performed on critical systems is to ensure that: a. security compliance has been technically evaluated. b. data have been encrypted and are ready to be stored. c. the systems have been tested to run on different platforms. d. the systems have followed the phases of a waterfall model.

a. security compliance has been technically evaluated. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.

Email message authenticity and confidentiality is BEST achieved by signing the message using the: a. sender's private key and encrypting the message using the receiver's public key. b. sender's public key and encrypting the message using the receiver's private key. c. receiver's private key and encrypting the message using the sender's public key. d. receiver's public key and encrypting the message using the sender's private key.

a. sender's private key and encrypting the message using the receiver's public key want senders private key to prove it came from that person By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality.

An IS auditor is performing a review of a network. Users report that the network is slow and web pages periodically time out. The IS auditor confirms the users' feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to FIRST: a. use a protocol analyzer to perform network analysis and review error logs of local area network equipment. b. take steps to increase the bandwidth of the connection to the Internet. c. create a baseline using a protocol analyzer and implement quality of service to ensure that critical business applications work as intended. d. implement virtual local area networks to segment the network and ensure performance.

a. use a protocol analyzer to perform network analysis and review error logs of local area network equipment. must first identify if there is a problem to think of a solution

A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is: a. use of the user's electronic signature by another person if the password is compromised. b. forgery by using another user's private key to sign a message with an electronic signature. c. impersonation of a user by substitution of the user's public key with another person's public key. d. forgery by substitution of another person's private key on the computer.

a. use of the user's electronic signature by another person if the password is compromised. The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk.

The computer security incident response team of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: a. use this information to launch attacks. b. forward the security alert. c. implement individual solutions. d. fail to understand the threat.

a. use this information to launch attacks. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat.

In a public key infrastructure, a registration authority: a. verifies information supplied by the subject requesting a certificate. b. issues the certificate after the required attributes are verified and the keys are generated. c. digitally signs a message to achieve nonrepudiation of the signed message. d. registers signed messages to protect them from future repudiation.

a. verifies information supplied by the subject requesting a certificate. first step is to register with RA so they can do a background check and confirm who you are

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? a. Wiring and schematic diagram b. Users' lists and responsibilities c. Application lists and their details d. Backup and recovery procedures

a. wiring and schematic diagram This is necessary to carry out a network audit. The IS auditor needs to know what equipment, configuration and addressing is used on the network to perform an audit of the network setup.

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? a. Work is completed in tunnel mode with IP security. b. A digital signature with RSA has been implemented. c. Digital certificates with RSA are being used. d. Work is being completed in TCP services.

a. work is completed in tunnel mode with IP Security Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is known as IP Security.

Equal Error Rate (EER)

an indicator of Biometric Performance, an ERR(Equal Error Rate) is a point where FAR (False Acceptance Rate) and FRR (False Rejection Rate) intersects. A device with lower EER is regarded to be more accurate

Which of the following provides the GREATEST assurance for database password encryption? a. Secure hash algorithm-256 b. Advanced encryption standard c. Secure Shell d. Triple data encryption standard

b. Advanced encryption standard This is a secure encryption algorithm that is appropriate for encrypting passwords.

When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor? a. Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization. b. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. c. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization. d. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

b. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. Deleting and formatting only marks the sectors that contained files as being free. Publicly available tools are sufficient for someone to reconstruct data from hard drives prepared this way. ** all other answers make impossible to reuse

A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data? a. Introduce a secondary authentication method such as card swipe. b. Apply role-based permissions within the application system. c. Have users input the ID and password for each database transaction. d. Set an expiration period for the database password embedded in the program.

b. Apply role-based permissions within the application system. This is a normal process to allow the application to communicate with the database. Therefore, the best control is to control access to the application and procedures to ensure that access to data is granted based on a user's role.

Which of the following is the responsibility of information asset owners? a. Implementation of information security within applications b. Assignment of criticality levels to data c. Implementation of access rules to data and programs d. Provision of physical and logical security for data

b. Assignment of criticality levels to data think about the data owner question - they know the most about the information so they know what's most critical

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing? a. Virus infection b. Data leakage c. Network performance issues d. Unauthorized software usage

b. Data leakage Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern.

An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor's report? a. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. b. Both fire suppression systems present a risk of suffocation when used in a closed room. c. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper). d. The documentation binders should be removed from the equipment room to reduce potential risk.

b. Both fire suppression systems present a risk of suffocation when used in a closed room. key - it mentions now windows, human life Protecting people's lives should always be of highest priority in fire suppression activities. Carbon dioxide (CO2) and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries, installing or refilling halon fire suppression systems is not allowed.

Which of the following public key infrastructure (PKI) elements describes procedure for disabling a compromised private key? a. Certificate revocation list b. Certification practice statement c. Certificate policy d. PKI disclosure statement

b. Certification practice statement This is the how-to document used in policy-based public key infrastructure (PKI).

Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts? a. Rule-based b. Check-sum based c. Heuristic filtering d. Statistic-based

b. Check-sum based The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software. rule based would trigger each time a specific word is used

Which of the following BEST limits the impact of server failures in a distributed environment? a. Redundant pathways b. Clustering c. Dial backup lines d. Standby power

b. Clustering This allows two or more servers to work as a unit so that when one of them fails, the other takes over.

While auditing an internally developed web application, an IS auditor determines that all business users share a common access profile. Which of the following is the MOST relevant recommendation to prevent the risk of unauthorized data modification? a. Enable detailed logging of user actions. b. Customize user access profiles per job responsibility. c. Enforce strong password policy for all accounts. d. Implement regular access rights review.

b. Customize user access profiles per job responsibility. The strongest control is a preventive control that is automated through the system. Developing additional access profiles would ensure that the system restricts users to privileges defined by their job responsibilities and that an audit trail exists for those user actions.

Two-factor authentication can be circumvented through which of the following attacks? a. brute force b. key logging c. man in the middle d. denial of service

c - man in the middle b/c the password goes through the man in the middle and then the code u have to enter also goes through the man in the middle

An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern? a. Voice communication uses the same equipment that is used for data communication. b. Ethernet switches are not protected by uninterrupted power supply units. c. Voice communication is not encrypted on the local network. d. The team that supports the data network also is responsible for the telephone system.

b. Ethernet switches are not protected by uninterrupted power supply units. Ethernet switches are not protected by uninterrupted power supply units is correct. Voice-over Internet Protocol (VoIP) telephone systems use the local area network (LAN) infrastructure of a company for communication, typically using Ethernet connectivity to connect individual phones to the system. Most companies have a backup power supply for the main servers and systems, but typically do not have uninterrupted power supply units for the LAN switches. In the case of even a brief power outage, not having backup power on all network devices makes it impossible to send or receive phone calls, which is a concern, particularly in a call center.

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? a. Selecting a more robust algorithm to generate challenge strings b. Implementing measures to prevent session hijacking attacks c. Increasing the frequency of associated password changes d. Increasing the length of authentication strings

b. Implementing measures to prevent session hijacking attacks Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. think challenge hijackings or challenge the man in the middle

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? a. An implicit deny rule as the last rule in the rule base b. Installation on an operating system configured with default settings. c. Rules permitting or denying access to systems or networks. d. Configuration as a virtual private network endpoint.

b. Installation on an operating system configured with default settings.

Which of the following is the MOST significant function of a corporate public key infrastructure and certificate authority employing X.509 digital certificates? a. It provides the public/private key set for the encryption and signature services used by email and file space. b. It binds a digital certificate and its public key to an individual subscriber's identity. c. It provides the authoritative source for employee identity and personal details. d. It provides the authoritative authentication source for object access.

b. It binds a digital certificate and its public key to an individual subscriber's identity. Public key infrastructure (PKI) is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? a. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. b. Job descriptions contain clear statements of accountability for information security. c. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. d. No actual incidents have occurred that have caused a loss or a public embarrassment.

b. Job descriptions contain clear statements of accountability for information security. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. Funding is important but having funding does not ensure that the security program is effective or adequate.

When reviewing an intrusion detection system, an IS auditor should be MOST concerned about which of the following? a. High number of false-positive alarms b. Low coverage of network traffic c. Network performance downgrade d. Default detection settings

b. Low coverage of network traffic The cybersecurity attacks might not be timely identified if only small portion of network traffic is analyzed.

Which of the following BEST describes the role of a directory server in a public key infrastructure? a. Encrypts the information transmitted over the network b. Makes other users' certificates available to applications c. Facilitates the implementation of a password policy d. Stores certificate revocation lists

b. Makes other users' certificates available to applications think of a directory has a list of people and their information

Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? a. The use of diskless workstations b. Periodic checking of hard drives c. The use of current antivirus software d. Policies that result in instant dismissal if violated

b. Periodic checking of hard drives This would be the most effective method of identifying illegal software packages loaded onto the network. Antivirus software will not necessarily identify illegal software, unless the software contains a virus.

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? a. Spoofing b. Phishing c. Buffer overflow d. Denial-of-service

b. Phishing

Which of the following results in a denial-of-service attack? a. Brute force attack b. Ping of death c. Leapfrog attack d. Negative acknowledgement attack

b. Ping of death The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service.

An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the cloud service contract? a. Availability b. Portability c. Agility d. Scalability

b. Portability When drawing up a contract with a cloud service provider, the ideal practice is to remove the customer lock-in clause. It may be important for the client to secure portability of their system assets (i.e., the right to transfer from one vendor to another).

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? a. Data retention, backup and recovery b. Return or destruction of information c. Network and intrusion detection d. A patch management process

b. Return or destruction of information When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement? a. Mandatory b. Role-based c. Discretionary d. Single sign-on

b. Role-based Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis. ***An access control system based on mandatory access control would be expensive, and difficult to implement and maintain in a large complex organization.

After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application? a. Fine-grained access control b. Role-based access control c. Access control lists d. Network/service access control

b. Role-based access control Authorization in this case can best be addressed by RBAC technology. RBAC controls access according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation.

Which of the following is an effective preventive control to ensure that a database administrator complies with the custodianship of the enterprise's data? a. Exception reports b. Segregation of duties c. Review of access logs and activities d. Management supervision

b. Segregation of duties Adequate segregation of duties (SoD) is a preventative control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task.

An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk? a. Expired digital certificates b. Self-signed digital certificates c. Using the same digital certificate for multiple web sites d. Using 56-bit digital certificates

b. Self-signed digital certificates These are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack. the entire point of a digital certificate is for the CA to confirm your identity, by self signed can't prove who u are

Over the long term, which of the following has the greatest potential to improve the security incident response process? a. A walk-through review of incident response procedures b. Simulation exercises performed by incident response team c. Ongoing security training for users d. Documenting responses to an incident

b. Simulation exercises performed by incident response team people learn best by doing Simulation exercises to find the gaps and shortcomings in the actual incident response processes will help improve the process over time.

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? a. A denial-of-service attack b. Spoofing c. Port scanning d. A man-in-the-middle attack

b. Spoofing This is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor? a. The organization does not encrypt all of its outgoing email messages. b. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. c. An individual's computer screen saver function is disabled. d. Server configuration requires the user to change the password annually.

b. Staff have to type "[PHI]" in the subject field of email messages to be encrypted. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information.

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? a. Reviewing logs frequently b. Testing and validating the rules c. Training a local administrator at the new location d. Sharing firewall administrative duties

b. Testing and validating the rules A mistake in the rule set can render a firewall ineffective or insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment.

Which of the following findings would be of GREATEST concern to an IS auditor during a review of logical access to an application? a. Some developers have update access to production data. b. The file storing the application ID password is in cleartext in the production code. c. The change control team has knowledge of the application ID password. d. The application does not enforce the use of strong passwords.

b. The file storing the application ID password is in cleartext in the production code. compromise of the application ID password can result in untraceable, unauthorized changes to production data; storing the password in cleartext poses the greatest risk. While the production code may be protected from update access, it is viewable by development teams.

An organization has established a guest network for visitor access. Which of the following should be of GREATEST concern to an IS auditor? a. A login screen is not displayed for guest users. b. The guest network is not segregated from the production network. c. Guest users who are logged in are not isolated from each other. d. A single factor authentication technique is used to grant access.

b. The guest network is not segregated from the production network. The implication of this is that guests have access to the organization's network. Allowing untrusted users to connect to the organization's network could introduce malware and potentially allow these individuals inappropriate access to systems and information.

An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern? a. The corporate network is using an intrusion prevention system. b. This part of the network is isolated from the corporate network. c. A single sign-on has been implemented in the corporate network. d. Antivirus software is in place to protect the corporate network.

b. This part of the network is isolated from the corporate network. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated.

Which of the following choices BEST helps information owners to properly classify data? a. Understanding of technical controls that protect data b. Training on organizational policies and standards c. Use of an automated data leak prevention tool d. Understanding which people need to access the data

b. Training on organizational policies and standards While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified.

When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor? a. Passwords are shared. b. Unencrypted passwords are used. c. Redundant logon IDs exist. d. Third-party users possess administrator access.

b. Unencrypted passwords are used. Unencrypted passwords can be easily read by humans and machines When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.

Digital signatures require the: a. signer to have a public key and the receiver to have a private key. b. signer to have a private key and the receiver to have a public key. c. signer and receiver to have a public key. d. signer and receiver to have a private key.

b. signer to have a private key and the receiver to have a public key

During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used? a. A biometric, digitalized and encrypted parameter with the customer's public key b. A hash of the data that is transmitted and encrypted with the customer's private key c. A hash of the data that is transmitted and encrypted with the customer's public key d. The customer's scanned signature encrypted with the customer's public key

b. a hash of the data that is transmitted and encrypted with the customer's private key The calculation of a hash, or digest, of the data that are transmitted, and its encryption require the private key of the client (sender) and is called a signature of the message, or digital signature. The receiver hashes the received message and compares the hash they compute with the received hash, after the digital signature has been decrypted with the sender's public key. If the hash values are the same, the conclusion would be that there is integrity in the data that have arrived, and the origin is authenticated. The concept of encrypting the hash with the private key of the originator provides nonrepudiation because it can only be decrypted with their public key, and the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender's public key must have been encrypted with their private key, so they must have been the sender (i.e., nonrepudiation).

The review of router access control lists should be conducted during: a. an environmental review. b. a network security review. c. a business continuity review. d. a data integrity review.

b. a network security review These include reviewing router access control lists, port scanning, internal and external connections to the system, etc.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: a. maintenance of access logs of usage of various system resources. b. authorization and authentication of the user prior to granting access to system resources. c. adequate protection of stored data on servers by encryption or other means. d. accountability system and the ability to identify any terminal accessing system resources.

b. authorization and authentication of the user prior to granting access to system resources the question is asking about ACCESS control This is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security

Inadequate programming and coding practices increase the risk of: a. social engineering. b. buffer overflow exploitation. c. synchronize flood. d. brute force attacks.

b. buffer overflow exploitation. This may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and overwrite part of the program with arbitrary code, which will then be executed with the privileges of the program. The countermeasure is proper programming and good coding practices.

Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce? a. Registration authority b. Certificate authority c. Certification revocation list d. Certification practice statement

b. certification authority The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication.

The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: a. alert the appropriate staff. b. create an entry in the log. c. close firewall-2. d. close firewall-1.

b. create an entry in the log. This is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet.

An IS auditor reviewing access controls for a client-server environment should FIRST: a. evaluate the encryption technique. b. identify the network access points. c. review the identity management system. d. review the application level access controls.

b. identify the network access points. A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. ' ex; think about cyberark and jump host multiple ways to access server

The PRIMARY reason for using digital signatures is to ensure data: a. confidentiality. b. integrity. c. availability. d. correctness.

b. integrity Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. A digital signature provides for message integrity, nonrepudiation and proof of origin.

The MOST likely explanation for a successful social engineering attack is: a. computer errors. b. judgment errors. c. expertise. d. technology.

b. judgment errors. Social engineering is fundamentally about obtaining from someone a level of trust that is not warranted.

Security administration procedures require read-only access to: a. access control tables. b. security log files. c. logging options. d. user profiles.

b. security log files the admins should not be able to change the security logs as they could be hiding something

To protect a Voice-over Internet Protocol infrastructure against a denial-of-service attack, it is MOST important to secure the: a. access control servers. b. session border controllers. c. backbone gateways. d. intrusion detection system.

b. session border controllers. These enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. **think create borders to keep attack from spreading

Digital signatures require the: a. signer to have a public key and the receiver to have a private key. b. signer to have a private key and the receiver to have a public key. c. signer and receiver to have a public key. d. signer and receiver to have a private key.

b. signer to have a private key and the receiver to have a public key. When a signer electronically signs a document, the signature is created using the signer's private key, which is always securely kept by the signer (think of like fingerprint everyone's is different/unique to them) As an example, Jane signs an agreement to sell a timeshare using her private key. The buyer receives the document. The buyer who receives the document also receives a copy of Jane's public key. If the public key can't decrypt the signature (via the cipher from which the keys were created), it means the signature isn't Jane's, or has been changed since it was signed. The signature is then considered invalid.

An organization's IT director has approved the installation of a wireless local area network access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that: a. encryption is enabled on the access point. b. the conference room network is on a separate virtual local area network. c. antivirus signatures and patch levels are current on the consultants' laptops. d. default user IDs are disabled and strong passwords are set on the corporate servers.

b. the conference room network is on a separate virtual local area network. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.

The MOST effective biometric control system is the one with: a. the highest equal-error rate. b. the lowest equal-error rate. c. false-rejection rate equal to the false-acceptance rate. d. a false-rejection rate equal to the failure-to-enroll rate.

b. the lowest equal-error rate. The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective.

An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when: a. the organization is not permitted to assess the controls in the participating vendor's site. b. the service level agreement does not address the responsibility of the vendor in the case of a security breach. c. laws and regulations are different in the countries of the organization and the vendor. d. the organization is using an older version of a browser and is vulnerable to certain types of security risk.

b. the service level agreement does not address the responsibility of the vendor in the case of a security breach Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

Which of the following is the MOST effective control when granting temporary access to vendors? a. Vendor access corresponds to the service level agreement. b. User accounts are created with expiration dates and are based on services provided. c. Administrator access is provided for a limited period. d. User IDs are deleted when the work is completed.

b. user accounts are created with expiration dates and are based on services provided may overlook deleting when the work is complete

Which of the following is an example of the defense in-depth security principle? a. Using two firewalls to consecutively check the incoming network traffic b. Using a firewall as well as logical access controls on the hosts to control incoming network traffic c. Lack of physical signs on the outside of a computer center building d. Using two firewalls in parallel to check different types of incoming traffic

b. using a firewall as well as logical access on the hosts to control incoming network traffic Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? a. Stateful inspection firewall b. Web content filter c. Web cache server d. Proxy server

b. web content filter This accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available uniform resource locator blacklists and classifications for millions of web sites Think filters out what you can't see

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? a. Data Encryption Standard b. Message digest 5 c. Advanced Encryption Standard d. Secure Shell

c. Advanced Encryption Standard This provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data.

A new business application requires deviation from the standard configuration of the operating system (OS). What activity should the IS auditor recommend to the security manager as a FIRST response? a. Initial rejection of the request because it is against the security policy b. Approval of the exception to policy to meet business needs c. Assessment of the risk and identification of compensating controls d. Revision of the OS baseline configuration

c. Assessment of the risk and identification of compensating controls

Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS? a. Two-factor authentication b. A digital certificate c. Audit trails d. Single sign-on authentication

c. Audit trails enforce accountability These capture which user, at what time, and date, along with other details, has performed the transaction and this helps in establishing accountability among application users.

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? a. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network. b. Biometric scanners are not installed in restricted areas. c. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel.

c. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. the tunnel needs to be protected to protect confidentiality

A web server is attacked and compromised. Organizational policy states that incident response should balance containment of an attack with retaining freedom for later legal action against an attacker. Under the circumstances, which of the following should be performed FIRST? a. Dump the volatile storage data to a disk. b. Run the server in a fail-safe mode. c. Disconnect the web server from the network. d. Shut down the web server.

c. Disconnect the web server from the network. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker.

Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator? a. Targeted testing b. Internal testing c. Double-blind testing d. External testing

c. Double-blind testing In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator.

Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target? a. Blind testing b. Targeted testing c. Double-blind testing d. External testing

c. Double-blind testing This is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

After installing a network, an organization implemented a vulnerability assessment tool to identify possible weaknesses. Which type of reporting poses the MOST serious risk associated with such tools? a. Differential b. False-positive c. False-negative d. Less-detail

c. False-negative This type of reporting on weaknesses means the control weaknesses in the network are not identified and, therefore, may not be addressed, leaving the network vulnerable to attack.

Which of the following potentially blocks hacking attempts? a. Intrusion detection system b. Honeypot system c. Intrusion prevention system d. Network security scanner

c. Intrusion prevention system This is deployed as an inline device on a network or host that can detect and block hacking attempts.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? a. Actions performed on log files should be tracked in a separate log. b. Write access to audit logs should be disabled. c. Only select personnel should have rights to view or delete audit logs. d. Backups of audit logs should be performed periodically.

c. Only select personnel should have rights to view or delete audit logs Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? a. Dumping the memory content to a file b. Generating disk images of the compromised system c. Rebooting the system d. Removing the system from the network

c. Rebooting the system This may result in a change in the system state and the loss of files and important evidence stored in memory.

During the collection of forensic evidence, which of the following actions would MOST likely result in the destruction or corruption of evidence on a compromised system? a. Dumping the memory content to a file b. Generating disk images of the compromised system c. Rebooting the system d. Removing the system from the network

c. Rebooting the system think rebooting iphone clears all data

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? a. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. b. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. d. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. Ex: think about running ACTT; we have to provide the scripts to IT however it doesn't cover entire environment just the servers we ask them to run it on

An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? a. Piggybacking b. Dumpster diving c. Shoulder surfing d. Impersonation

c. Shoulder surfing

In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit? a. Device authentication and data origin authentication b. Wireless intrusion detection and intrusion prevention systems c. The use of cryptographic hashes d. Packet headers and trailers

c. The use of cryptographic hashes Calculating cryptographic hashes for wireless communications allows the receiving device to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks.

In an online banking application, which of the following would BEST protect against identity theft? a. Encryption of personal password b. Restricting the user to a specific terminal c. Two-factor authentication d. Periodic review of access logs

c. Two-factor authentication Ex: when you log into td they send a text for two factor

Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ? a. Single sign-on authentication b. Password complexity requirements c. Two-factor authentication d. Internet protocol address restrictions

c. Two-factor authentication This is the best method to provide a secure connection because it uses two factors, typically "what you have" (for example, a device to generate one-time-passwords), "what you are" (for example, biometric characteristics) or "what you know" (for example, a personal identification number or password). Using a password in and of itself without the use of one or more of the other factors mentioned is not the best for this scenario. ex: think how you access clients remote machines, always 2 factor authentication

An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? a. System unavailability b. Exposure to malware c. Unauthorized access d. System integrity

c. Unauthorized access Untested common gateway interfaces (CGIs) can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. risk to a gateway would be unauthorized access

What method might an IS auditor use to test wireless security at branch office locations? a. War dialing b. Social engineering c. War driving d. Password cracking

c. War driving this is specific to networks / wifi This is a technique for locating and gaining access to wireless networks by driving or walking around a building with a wireless-equipped computer.

Which of the following is BEST suited for secure communications within a small group? a. Key distribution center b. Certificate authority c. Web of trust d. Kerberos Authentication System

c. Web of trust This is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy and distributes the public keys of users within a group.

An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of: a. a wet pipe-based fire suppression system. b. a rented rack space in the NOC. c. a carbon dioxide-based fire suppression system. d. an uninterrupted power supply with 10 minutes of backup power.

c. a carbon dioxide-based fire suppression system. dangerous to human life

Neural networks are effective in detecting fraud because they can: a. discover new trends because they are inherently linear. b. solve problems where large and general sets of training data are not obtainable. c. address problems that require consideration of a large number of input variables. d. make assumptions about the shape of any curve relating variables to the output.

c. address problems that require consideration of a large number of input variables. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends.

To ensure compliance with a security policy requiring that passwords be a combination of letters and numbers, an IS auditor should recommend that: a. the company policy be changed. b. passwords are periodically changed. c. an automated password management tool be used. d. security awareness training is delivered.

c. an automated password management tool be used. The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time.

Which of the following types of firewalls provide the GREATEST degree and granularity of control? a. Screening router b. Packet filter c. Application gateway d. Circuit gateway

c. application gateway This is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transmission Protocol (HTTP) proxy that acts as an intermediary between externals and internals but is specifically for HTTP. This means that it not only checks the packet Internet Protocol (IP) addresses (Open Systems Interconnection [OSI] Layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (OSI Layers 5 and 7). Therefore, it works in a more detailed (granularity) way than the other choices.

During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for: a. updating group metadata. b. reviewing existing user access. c. approval of user access. d. removing terminated users.

c. approval of user access. without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group.

An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to: a. maintain impartiality while evaluating the transaction. b. ensure that the independence of an IS auditor is maintained. c. assure that the integrity of the evidence is maintained. d. assess all relevant evidence for the transaction.

c. assure that the integrity of the evidence is maintained. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.

An Internet-based attack using password sniffing can: a. enable one party to act as if they are another party. b. cause modification to the contents of certain transactions. c. be used to gain access to systems containing proprietary information. d. result in major problems with billing systems and transaction processing agreements.

c. be used to gain access to systems containing proprietary information.

The GREATEST risk from an improperly implemented intrusion prevention system is: a. too many alerts for system administrators to verify. b. decreased network performance due to additional traffic. c. blocking of critical systems or services due to false triggers. d. reliance on specialized expertise within the IT organization.

c. blocking of critical systems or services due to false triggers. don't want to interrupt business activities

Which of the following presents an inherent risk with no distinct identifiable preventive controls? a. Piggybacking b. Viruses c. Data diddling d. Unauthorized application shutdown

c. data diddling This involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling.

Which of the following is the MOST secure way to remove data from obsolete magnetic tapes during a disposal? a. Overwriting the tapes b. Initializing the tape labels c. Degaussing the tapes d. Erasing the tapes

c. degaussing the tapes The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes.

Which of the following would be of MOST concern to an IS auditor reviewing a virtual private network implementation? Computers on the network that are located: a. on the enterprise's internal network. b. at the backup site. c. in employees' homes. d. at the enterprise's remote offices.

c. in employees' homes One risk of a virtual private network implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. Home computers are least subject to the corporate security policies and, therefore, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus.

Applying a digital signature to data traveling in a network provides: a. confidentiality and integrity. b. security and nonrepudiation. c. integrity and nonrepudiation. d. confidentiality and nonrepudiation.

c. integrity and nonrepudiation A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message.

When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised? a. Personal firewall b. Antivirus programs c. Intrusion detection system d. Virtual local area network configuration

c. intrusion detection system An IDS would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator.

The MOST important factor in planning a black box penetration test is: a. the documentation of the planned testing procedure. b. a realistic evaluation of the environment architecture to determine scope. c. knowledge by the management staff of the client organization. d. scheduling and deciding on the timed length of the test.

c. knowledge by the management staff of the client organization. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. Think you dont want management reporting this to the authorities but dont want staff level to know - think teachers/students with fire drills

To ensure that an organization is complying with privacy requirements, an IS auditor should FIRST review: a. the IT infrastructure. b. organizational policies, standards and procedures. c. legal and regulatory requirements. d. adherence to organizational policies, standards and procedures.

c. legal and regulatory requirements. these are most important above company policies After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

When reviewing the implementation of a local area network, an IS auditor should FIRST review the: a. node list. b. acceptance test report. c. network diagram. d. users list.

c. network diagram To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.

The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: a. data integrity. b. authentication. c. nonrepudiation. d. replay protection

c. nonrepudiation Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message.

A benefit of quality of service is that the: a. entire network's availability and performance will be significantly improved. b. telecom carrier will provide the company with accurate service-level compliance reports. c. participating applications will have bandwidth guaranteed. d. communications link will be supported by security controls to perform secure online transactions.

c. participating applications will have bandwidth guaranteed. The main function of QoS is to optimize network performance by assigning priority to business applications and end users through the allocation of dedicated parts of the bandwidth to specific traffic

When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with: a. analysis. b. evaluation. c. preservation. d. disclosure.

c. preservation. Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when investigating. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings.

In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend? a. Automated logging of changes to development libraries b. Additional staff to provide separation of duties c. Procedures that verify that only approved program changes are implemented d. Access controls to prevent the operator from making program modifications

c. procedures that verify that only approved program changes are implemented An IS auditor must consider recommending a better process. An IS auditor should recommend a formal change control process that manages and can detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This is a compensating control process.

When conducting a penetration test of an IT system, an organization should be MOST concerned with: a. the confidentiality of the report. b. finding all weaknesses on the system. c. restoring systems to the original state. d. logging changes made to production system.

c. restoring systems to the original state. After the test is completed, the systems must be restored to their original state. In performing the test, changes may have been made to firewall rules, user IDs created, or false files uploaded. These must all be cleaned up before the test is completed.

When using a digital signature, the message digest is computed by the: a. sender only. b. receiver only. c. sender and receiver both. d. certificate authority.

c. sender and receiver both. A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST: a. determine whether system developers have proper training on adequate security measures. b. determine whether system administrators have disabled security controls for any reason. c. verify that security requirements have been properly specified in the project plan. d. validate whether security controls are based on requirements which are no longer valid.

c. verify that security requirements have been properly specified in the project plan. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Depending on whether the requirements were included in the plan would affect the recommendations the auditor would make. was the system correctly designed?

signing

can only occur using senders private key

data dictionary

compiles all of the metadata about the data elements in the data model

A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? a. most employees use laptops b. A packet filtering firewall is used. c. The IP address space is smaller than the number of PCs. d. Access to a network port is not restricted.

d. Access to a network port is not restricted. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST? a. Send a report to the IS audit department. b. Change the name of the DBA account. c. Suspend the DBA account. d. Change the database password.

d. Change the database password. The password should be changed immediately because there is no way to know whether it has been compromised.

The IS auditor is reviewing an organization's human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured? a. Database administrators are restricted from access to HR data. b. Database logs are encrypted. c. Database stored procedures are encrypted. d. Database initialization parameters are appropriate.

d. Database initialization parameters are appropriate. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle Database Management System), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? a. Symmetric key encryption b. Digital signatures c. Message digest algorithms d. Digital certificates

d. Digital certificates DC = hash algorithm (integrity) + Asymmetric algorithm (confidentiality) A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.

Which of the following would effectively verify the originator of a transaction? a. Using a secret password between the originator and the receiver b. Encrypting the transaction with the receiver's public key c. Using a portable document format to encapsulate transaction content d. Digitally signing the transaction with the source's private key

d. Digitally signing the transaction with the source's private key A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify the identity of the source of a transaction and the integrity of its content to a recipient.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? a. User registration and password policies b. User security awareness c. Use of intrusion detection/intrusion prevention systems d. Domain name system server security hardening

d. Domain name system server security hardening The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access? a. Implement Wired Equivalent Privacy. b. Permit access to only authorized media access control addresses. c. Disable open broadcast of service set identifiers. d. Implement Wi-Fi Protected Access 2.

d. Implement Wi-Fi Protected Access 2. This implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the pre-shared secret key authentication model.

Which of the following should be a concern for an IS auditor reviewing an organization's cloud computing strategy which is based on a software as a service (SaaS) model with an external provider? a. Workstation upgrades must be performed. b. Long-term software acquisition costs are higher. c. Contract with the provider does not include onsite technical support. d. Incident handling procedures with the provider are not well defined.

d. Incident handling procedures with the provider are not well defined. A software-as-a-service (SaaS) provider does not normally have onsite support for the organization. Therefore, incident handling procedures between the organization and its provider are critical for the detection, communication and resolution of incidents, including effective lines of communication and escalation processes.

An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks? a. Establish two physically separate networks. b. Implement virtual local area network segmentation. c. Install a dedicated router between the two networks. d. Install a firewall between the networks.

d. Install a firewall between the networks. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network.

Which of the following is the MOST reliable form of single factor personal identification? a. Smart card b. Password c. Photo identification d. Iris scan

d. Iris scan Because no two irises are alike, identification and verification can be done with confidence.

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? a. Using an intrusion detection system to report incidents b. Mandating the use of passwords to access all software c. Installing an efficient user log system to track the actions of each user d. Training provided on a regular basis to all current and new employees

d. Training provided on a regular basis to all current and new employees Regular training is an important part of a security awareness program. Think human life most important

Which of the following should an IS auditor be MOST concerned about in a financial application? a. Programmers have access to source code in user acceptance testing environment. b. Secondary controls are documented for identified role conflicts. c. The information security officer does not authorize all application changes. d. Programmers have access to the production database.

d. Programmers have access to the production database is correct. This is considered to be a segregation of duties conflict.

Which of the following will BEST maintain the integrity of a firewall log? a. Granting access to log information only to administrators b. Capturing log events in the operating system layer c. Writing dual logs onto separate storage media d. Sending log information to a dedicated third-party log server

d. Sending log information to a dedicated third-party log server Establishing a dedicated third-party log server and logging events in it is the best procedure for maintaining the integrity of a firewall log. When access control to the log server is adequately maintained, the risk of unauthorized log modification is mitigated, therefore improving the integrity of log information. admins can't access this and change it

A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft? a. Web browser cookies are not automatically deleted. b. The computer is improperly configured. c. System updates have not been applied on the computer. d. Session time out is not activated.

d. Session time out is not activated. If an authenticated session is inactive and unattended, it can be hijacked and used for illegal purposes. It might then be difficult to establish the intruder because a legitimate session was used.

An IS auditor reviewing digital rights management applications should expect to find an extensive use for which of the following technologies? a. Digitalized signatures b. Hashing c. Parsing d. Steganography

d. Steganography This is a technique for concealing the existence of messages or information within another message. An increasingly important steganographical technique is digital watermarking, which hides data within data (e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities).

Which of the following is the MOST reliably effective method for dealing with the spread of a network worm that exploits vulnerability in a protocol? a. Install the latest vendor security patches immediately. b. Block the protocol traffic in the perimeter firewall. c. Block the protocol traffic between internal network segments. d. Stop the services that the protocol uses.

d. Stop the services that the protocol uses. This is the most effective way to prevent a worm from spreading, because it directly addresses the means of propagation at the lowest practical level.

The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor's initial determination be? a. There is no significant potential risk. b. Soft zoning presents a potential risk. c. Disabling of unused ports presents a potential risk. d. The SAN administrator presents a potential risk.

d. The SAN administrator presents a potential risk. The potential risk in this scenario is posed by the SAN administrator. One concern is having a "single point of failure." Because only one administrator has the knowledge and access required to administer the system, the organization is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly, or was otherwise unavailable, the company may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system such as a SAN also presents a segregation of duties risk. The organization currently relies entirely on the SAN administrator to implement, maintain, and validate all security controls; this means that the SAN administrator could modify or remove those controls without detection.

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor? a. The service level agreement (SLA) ensures strict limits for uptime and performance. b. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA. c. The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider. d. The cloud provider's data centers are in multiple cities and countries.

d. The cloud provider's data centers are in multiple cities and countries. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information. There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

Which of the following controls would BEST detect intrusion? a. User IDs and user privileges are granted through authorized procedures. b. Automatic logoff is used when a workstation is inactive for a particular period of time. c. Automatic logoff of the system occurs after a specified number of unsuccessful attempts. d. Unsuccessful logon attempts are monitored by the security administrator.

d. Unsuccessful logon attempts are monitored by the security administrator. only one which is detecting anything

During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern? a. The support model was not approved by senior management. b. The incident resolution time specified in the SLA is not realistic. c. There are inadequate resources to support the applications. d. The support model was not properly developed and implemented.

d. The support model was not properly developed and implemented. he greatest concern for the IS auditor is that the support model was not developed and implemented correctly to prevent or react to potential outages. Incidents could cost the business a significant amount of money and a support model should be implemented with the project. This should be a step within the system development life cycle and procedures and, if it is missed on one project, it may be a symptom of an overall breakdown in process.

Users are issued security tokens to be used in combination with a personal identification number (PIN) to access the corporate virtual private network. Regarding the PIN, what is the MOST important rule to be included in a security policy? a. Users should not leave tokens where they could be stolen. b. Users must never keep the token in the same bag as their laptop computer. c. Users should select a PIN that is completely random, with no repeating digits. d. Users should never write down their PIN.

d. Users should never write down their PIN. If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method.

When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated? a. Using a cryptographic hashing algorithm b. Enciphering the message digest c. Calculating a checksum of the transaction d. Using a sequence number and time stamp

d. Using a sequence number and time stamp When transmitting data, a sequence number and/or time stamp built into the message to make it unique can be checked by the recipient to ensure that the message was not intercepted and replayed. This is known as replay protection and could be used to verify that a payment instruction was not duplicated.

Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ? a. Secret key encryption b. Dynamic Internet protocol address and port c. Hash functions d. Virtual private network tunnel

d. Virtual private network tunnel As ABC and XYZ are communicating over the Internet, which is an untrusted network, establishing an encrypted virtual private network tunnel would best ensure that the transmission of information was secure.

When auditing a role-based access control system, the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? a. Ensure that these employees are adequately supervised. b. Ensure that backups of the transaction logs are retained. c. Implement controls to detect the changes. d. Write transaction logs in real time to Write Once and Read Many drives.

d. Write transaction logs in real time to Write Once and Read Many drives. Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified prior (typically at night) to the daily backup job execution.

A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern? a. Most employees use laptops. b. A packet filtering firewall is used. c. The IP address space is smaller than the number of PCs. d. Access to a network port is not restricted.

d. access to a network port is not restricted Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

The implementation of access controls FIRST requires: a. a classification of IS resources. b. the labeling of IS resources. c. the creation of an access control list. d. an inventory of IS resources.

d. an inventory of IS resources. first need a complete list of IS resources to establish ownership and classification

Distributed denial-of-service attacks on Internet sites are typically evoked by hackers using which of the following? a. Logic bombs b. Phishing site c. Spyware d. Botnets

d. botnets A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection.

An IS auditor evaluating logical access controls should FIRST: a. document the controls applied to the potential access paths to the system. b. test controls over the access paths to determine if they are functional. c. evaluate the security environment in relation to written policies and practices. d. obtain an understanding of the security risk to information processing.

d. obtain an understanding of the security risk to information processing. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

Which of the following components is responsible for the collection of data in an intrusion detection system? a. Analyzer b. Administration console c. User interface d. Sensor

d. sensor Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis. analyzer - receives input from sensors and determine the presence of and type of intrusive activity. administration console - is the management interface component of an intrusion detection system (IDS). user interface - allows the administrators to interact with the IDS.

Confidentiality of transmitted data can best be delivered by encrypting the: a. message digest with the sender's private key. b. session key with the sender's public key. c. messages with the receiver's private key. d. session key with the receiver's public key.

d. session key with the receiver's public key. This will ensure that the session key can only be obtained using the receiver's private key, retained by the receiver.

In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: a. implementation. b. compliance. c. documentation. d. sufficiency.

d. sufficiency An IS auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of the control baseline to meet security requirements. sufficiency, implementation, compliance is the order

The MAIN reason for requiring that all computer clocks across an organization are synchronized is to: a. prevent omission or duplication of transactions. b. ensure smooth data transition from client machines to servers. c. ensure that email messages have accurate time stamps. d. support the incident investigation process.

d. support the incident investigation process. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult, because a time line of events occurring on different systems might not be easily established.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: a. IDS sensors are placed outside of the firewall. b. a behavior-based IDS is causing many false alarms. c. a signature-based IDS is weak against new types of attacks. d. the IDS is used to detect encrypted traffic.

d. the IDS is used to detect encrypted traffic. An IDS cannot detect attacks within encrypted traffic, but there may be good reason to detect the presence of encrypted traffic, such as when a next-generation firewall is configured to terminate encrypted connections at the perimeter. In such cases, detecting encrypted packets flowing past the firewall could indicate improper configuration or even a compromise of the firewall itself.

An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture? a. A Secure Sockets Layer has been implemented for user authentication and remote administration of the firewall. b. Firewall policies are updated on the basis of changing requirements. c. Inbound traffic is blocked unless the traffic type and connections have been specifically permitted. d. The firewall is placed on top of the commercial operating system with all default installation options.

d. the firewall is placed on top of the commercial operating system with all default installation options The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, that breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits.

The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure: a. the confidentiality of the message. b. nonrepudiation by the sender. c. the authenticity of the message. d. the integrity of data transmitted by the sender.

d. the integrity of data transmitted by the sender. If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test.

Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet? a. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not. b. Customers can make their transactions from any computer or mobile device. c. The CA has several data processing subcenters to administer certificates. d. The organization is the owner of the CA.

d. the organization is the owner of the CA If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.

An employee has received a digital photo frame as a gift and has connected it to his/her work PC to transfer digital photos. The PRIMARY risk that this scenario introduces is that: a. the photo frame storage media could be used to steal corporate data. b. the drivers for the photo frame may be incompatible and crash the user's PC. c. the employee may bring inappropriate photographs into the office. d. the photo frame could be infected with malware.

d. the photo frame could be infected with malware. Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

Nonrepudiation

refers to a situation where a statement's author cannot successfully dispute its authorship or the validity of an associated contract. The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated"

Referential Integrity

refers to the accuracy and consistency of data within a relationship. In relationships, data is linked between two or more tables. This is achieved by having the foreign key (in the associated table) reference a primary key value (in the primary - or parent - table)

Spooling

sends documents to be printed to a buffer instead of sending them immediately to the printer it's a place that your documents can "line up" and get ready to be printed after a previous printing task is completed.