Domain 5 -2
****A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP). B. A digital signature with RSA has been implemented. C. Digital certificates with RSA are being used. D. Work is being completed in TCP services.
A Explanation: Tunnel mode with IP security (IPsec) provides encryption and authentication of the complete IP packet. To accomplish this, the AH and ESP services can be nested. Choices B and C provide authentication and integrity only. TCP services do not provide encryption or authentication.
****Sophisticated database systems provide many layers and types of security, including (choose all that apply): A. Access control B. Auditing C. Encryption D. Integrity controls E. Compression controls
A. Access control B. Auditing C. Encryption D. Integrity controls Explanation: Sophisticated database systems provide many layers and types of security, including Access control, Auditing, Authentication, Encryption and Integrity controls. An important procedure when evaluating database security is performing vulnerability assessments against the database. Database administrators or Information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software.
****An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? A. An application-level gateway B. A remote access server C. A proxy server D. Port scanning
A. An application-level gateway Explanation: An application-level gateway is the best way to protect against hacking because it can define detailed rules that describe the type of user or connection that is or is not permitted; it analyzes each packet in detail, not only at layers one through four of the OSI model but also at layers five through seven, which means it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). A remote access server is a device (server) that asks for a username and password before admitting a connection to the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating a security exposure. Proxy servers can provide protection based on IP address and port. However, this requires someone who really knows how to configure it, and applications can use different ports for different parts of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet or when all available ports need to be controlled. For example, the port for Ping (echo request) could be blocked so that the IP addresses would be available for the application and browsing but would not respond to Ping.
!!2 If a database is restored using before-image dumps, where should the process begin following an interruption? A. Before the last transaction B. After the last transaction C. As the first transaction after the latest checkpoint D. At the last transaction before the latest checkpoint
A. Before the last transaction Explanation: A before-image dump restores the database to its state before the last transaction was applied, so that transaction has not updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation.
Which of the following kinds of function are particularly vulnerable to format string attacks? A. C functions that perform output formatting B. C functions that perform integer computation C. C functions that perform real number subtraction D. VB functions that perform integer conversion E. SQL functions that perform string conversion F. SQL functions that perform text conversion
A. C functions that perform output formatting Explanation: Format string attacks target the printf family of output-formatting functions (printf, sprintf, fprintf, syslog and similar). When untrusted input is passed as the format string rather than as an argument, conversion specifiers in that input, such as %x and %n, are interpreted and can read from, or write to, memory the caller never intended.
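The mechanism behind this answer, as an added example in C that is not part of the original question bank. Calling printf(user_input) directly is undefined behaviour, so the block does not do that; instead it audits a string the way the format machinery would interpret it, counting how many variable arguments the string would consume (with none supplied, every one is a read past the caller's arguments) and flagging the memory-writing %n directive, then shows the fix: a constant format string with the untrusted data passed as an argument. The function names and the attacker string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Characters that may appear between '%' and the conversion character:
 * flags, field width, precision and length modifiers. */
static const char FMT_MODIFIERS[] = "-+ #0123456789.hlLqjzt";

/* How many variable arguments would this format string pull from the
 * caller's argument area? "%%" consumes nothing; every other conversion
 * consumes one. This is the core of a format string attack: the *string*
 * decides how many arguments are read, and the callee cannot know how
 * many the caller actually passed. */
size_t format_args_consumed(const char *fmt) {
    size_t n = 0;
    const char *p = fmt;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }         /* literal percent */
        n++;
        p++;
        while (*p && strchr(FMT_MODIFIERS, *p)) p++;   /* skip flags/width/precision/length */
        if (*p) p++;                                   /* skip the conversion character */
    }
    return n;
}

/* True if the string contains %n, the directive that *writes* the number
 * of bytes printed so far to the address of the corresponding argument. */
int contains_write_directive(const char *fmt) {
    const char *p = fmt;
    while (*p) {
        if (*p != '%') { p++; continue; }
        if (p[1] == '%') { p += 2; continue; }
        p++;
        while (*p && strchr(FMT_MODIFIERS, *p)) p++;
        if (*p == 'n') return 1;
        if (*p) p++;
    }
    return 0;
}

/* Vulnerable call shape: printf(user_input). Zero arguments were passed,
 * so any conversion at all is a read beyond the caller's arguments; with
 * %n it becomes a write. */
int is_format_string_vulnerable(const char *user_input) {
    return format_args_consumed(user_input) > 0;
}

/* The fix: a constant format string. The untrusted data is now an argument
 * and is copied verbatim; its '%' characters are never interpreted. */
int render_safely(char *out, size_t outsz, const char *user_input) {
    return snprintf(out, outsz, "%s", user_input);
}

int main(void) {
    const char *attack = "%x %x %x %n";          /* constructed attacker input */
    char out[64];
    printf("printf(user) would consume %zu argument(s) with 0 supplied; %%n present: %d\n",
           format_args_consumed(attack), contains_write_directive(attack));
    render_safely(out, sizeof out, attack);
    printf("printf(\"%%s\", user) prints it verbatim: %s\n", out);
    return 0;
}
```

The audit functions are also what a code scanner effectively does when it flags a non-literal first argument to a printf-style function: the fix is never to sanitize the input, it is to make the format string a constant.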
****In a botnet, mailbot logs into a particular type of system for making coordinated attack attempts. What type of system is this? A. Chat system B. SMS system C. Email system D. Log system E. Kernel system
A. Chat system Explanation: In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or mailbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously.
Which of the following would be BEST prevented by a raised floor in the computer machine room? A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage.
A. Damage of wires around computers and servers
****An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks? A. Denial-of-service B. Replay C. Social engineering D. Buffer overflow
A. Denial-of-service Explanation: Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow attacks exploit poorly written code.
Which of the following types of attack makes use of common consumer devices that can be used to transfer data surreptitiously? A. Direct access attacks B. Indirect access attacks C. Port attack D. Window attack E. Social attack
A. Direct access attacks Explanation: Direct access attacks make use of common consumer devices that can be used to transfer data surreptitiously. Someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.
Which of the following is by far the most common prevention system from a network security perspective? A. Firewall B. IDS C. IPS D. Hardened OS E. Tripwire
A. Firewall Explanation: User account access controls and cryptography can protect systems files and data, respectively. On the other hand, firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.
Which of the following types of attack often take advantage of curiosity or greed to deliver malware? A. Gimmes B. Tripwire C. Icing D. Soft coding E. Pretexting
A. Gimmes Explanation: Gimmes take advantage of curiosity or greed to deliver malware. Also known as a Trojan horse, a gimme can arrive as an email attachment promising anything. The recipient is expected to give in to the urge to see what the program does and open the attachment. In addition, many users will blindly click on any attachment they receive that seems even mildly legitimate.
****Which of the following may be deployed in a network as lower cost surveillance and early-warning tools? A. Honeypots B. Hardware IPSs C. Hardware IDSs D. Botnets E. Stateful inspection firewalls F. Stateful logging facilities
A. Honeypots Explanation: Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools. Techniques used by the attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.
****With Deep packet inspection, which of the following OSI layers are involved? A. Layer 2 through Layer 7 B. Layer 3 through Layer 7 C. Layer 2 through Layer 6 D. Layer 3 through Layer 6 E. Layer 2 through Layer 5
A. Layer 2 through Layer 7 Explanation: Deep packet inspection (DPI) is a form of network packet filtering that examines the data part of a packet passing through, searching for protocol non-compliance or predefined criteria to decide whether the packet may pass. DPI devices can look at Layer 2 through Layer 7 of the OSI model.
****Which of the following types of attack involves a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files? A. Local DoS attacks B. Remote DoS attacks C. Distributed DoS attacks D. Local Virus attacks
A. Local DoS attacks Explanation: Local DoS attacks can be a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files. The best defense is to find this program and kill it.
****What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? A. Malicious code could be spread across the network B. VPN logon could be spoofed C. Traffic could be sniffed and decrypted D. VPN gateway could be compromised
A. Malicious code could be spread across the network Explanation: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code on a remote client could spread to the organization's network. Though choices B, C and D are security risks, VPN technology largely mitigates them.
@@Which of the following attacks targets the Secure Sockets Layer (SSL)? A. Man-in-the-middle B. Dictionary C. Password sniffing D. Phishing
A. Man-in-the-middle Explanation: Attackers can establish a fake Secure Sockets Layer (SSL) server to accept users' SSL traffic and then route it to the real SSL server, so that sensitive information can be discovered. A dictionary attack launched to discover passwords would not attack SSL, since SSL does not rely on passwords. SSL traffic is encrypted; thus it is not possible to sniff the password. A phishing attack targets a user and not SSL; phishing attacks attempt to have the user surrender private information by falsely claiming to be a trusted person or enterprise.
Iptables is based on which of the following frameworks? A. Netfilter B. NetDoom C. NetCheck D. NetSecure
A. Netfilter Explanation: Iptables controls the packet filtering and NAT components within the Linux kernel. It is based on Netfilter, a framework which provides a set of hooks within the Linux kernel for intercepting and manipulating network packets.
@@Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies
A. Power line conditioners Explanation: Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protective devices protect against high-voltage bursts. Alternative power supplies are intended for computer equipment running for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. An interruptible power supply would cause the equipment to go down whenever there was a power failure.
Which of the following would be the GREATEST cause for concern when data are sent over the Internet using HTTPS protocol? A. Presence of spyware in one of the ends B. The use of a traffic sniffing tool C. The implementation of an RSA-compliant solution D. A symmetric cryptography is used for transmitting data
A. Presence of spyware in one of the ends Explanation: Encryption using Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user's computer, data are collected before encryption takes place. The other choices relate to encrypting the traffic, whereas spyware on one of the ends captures the data before encryption takes place.
***Which of the following refers to the act of creating and using an invented scenario to persuade a target to perform an action? A. Pretexting B. Backgrounding C. Check making D. Bounce checking
A. Pretexting Explanation: Pretexting is the act of creating and using an invented scenario to persuade a target to release information or perform an action and is usually done over the telephone. It is more than a simple lie as it most often involves some prior research or set up and the use of pieces of known information.
****Which of the following provides nonrepudiation services for e-commerce transactions? A. Public key infrastructure (PKI) B. Data Encryption Standard (DES) C. Message authentication code (MAC) D. Personal identification number (PIN)
A. Public key infrastructure (PKI) Explanation: PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of the person using it; and it is linked to data in such a manner that if the data are changed, the digital signature is invalidated. PKI meets these tests. The Data Encryption Standard (DES) is a symmetric (private key) cryptographic system; DES does not address nonrepudiation. A MAC is a cryptographic value calculated over an entire message using a key shared by sender and receiver. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, the message has been altered during transmission. Because both parties hold the same key, either of them could have produced the MAC, so it provides integrity and authentication but has nothing to do with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.
****The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions
A. Reliability and quality of service (QoS) Explanation: The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.
****IS management is considering a Voice-over Internet Protocol (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate? A. Review and, where necessary, upgrade firewall capabilities B. Install modems to allow remote maintenance support access C. Create a physically distinct network to handle VoIP traffic D. Redirect all VoIP traffic to allow clear text logging of authentication credentials
A. Review and, where necessary, upgrade firewall capabilities Explanation: Firewalls used as entry points to a Voice-over Internet Protocol (VoIP) network should be VoIP-capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote support access is an important consideration; however, a virtual private network (VPN) would offer a more secure means of enabling this access than reliance on modems. Logically separating the VoIP and data networks is a good idea. Options such as virtual LANs (VLANs), traffic shaping, firewalls and network address translation (NAT) combined with private IP addressing can be used; however, physically separating the networks will increase both cost and administrative complexity. Transmitting or storing clear text information, particularly sensitive information such as authentication credentials, will increase network vulnerability. When designing a VoIP network, it is important to avoid introducing any processing that will unnecessarily increase latency, since this will adversely impact VoIP quality.
****The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data? A. SSL encryption B. Two-factor authentication C. Encrypted session cookies D. IP address verification
A. SSL encryption Explanation: The main risk in this scenario is confidentiality; therefore, the only option that would provide confidentiality is Secure Sockets Layer (SSL) encryption. The remaining options deal with authentication issues.
@@To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a: A. Secure Shell (SSH-2) tunnel for the duration of the problem. B. two-factor authentication mechanism for network access. C. dial-in access. D. virtual private network (VPN) account for the duration of the vendor support contract.
A. Secure Shell (SSH-2) tunnel for the duration of the problem. Explanation: For granting temporary access to the network, a Secure Shell (SSH-2) tunnel is the best approach. It has auditing features and allows restriction to specific access points. Choices B, C and D all give full access to the internal network. Two-factor authentication and virtual private network (VPN) provide access to the entire network and are suitable for dedicated users. Dial-in access would need to be closely monitored or reinforced with another mechanism to ensure authentication to achieve the same level of security as SSH-2.
****Which of the following refers to a primary component of corporate risk management with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software? A. Software audit B. System audit C. Application System audit D. Test audit E. Mainframe audit
A. Software audit Explanation: Software audits are a component of corporate risk management, with the goal of minimizing the risk of prosecution for software piracy due to use of unlicensed software. From time to time internal or external audits may take a forensic approach to establish what is installed on the computers in an organization, with the purpose of ensuring that it is all legal and authorized and that its processing of transactions or events is correct.
****Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity? A. Statistical-based B. Signature-based C. Neural network D. Host-based
A. Statistical-based Explanation: A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.
***Why is it not preferable for a firewall to treat each network frame or packet in isolation? A. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. B. Such a firewall is costly to setup. C. Such a firewall is too complicated to maintain. D. Such a firewall is CPU hungry. E. Such a firewall offers poor compatibility.
A. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Explanation: A stateless firewall treats each network frame or packet in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
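The difference this answer describes, as an added example in C that is not from the original question bank: a minimal model of a stateless packet filter beside a stateful one. The stateless filter can only approximate "let replies to our connections in" as "let anything with the ACK bit set in", so an unsolicited packet with ACK set passes; the stateful filter records outbound SYNs in a connection table and admits inbound packets only when they match an entry. The inside network, the table size and the sample packets are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };

struct pkt { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };

/* One tracked connection, stored from the inside host's point of view. */
struct conn { uint32_t in_ip, out_ip; uint16_t in_port, out_port; bool used; };

#define MAX_CONN 64
struct fw {
    uint32_t inside_net, inside_mask;   /* which addresses are "ours" */
    struct conn table[MAX_CONN];        /* the state a stateless filter lacks */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

void fw_init(struct fw *fw, uint32_t net, uint32_t mask) {
    memset(fw, 0, sizeof *fw);
    fw->inside_net = net;
    fw->inside_mask = mask;
}

static bool is_inside(const struct fw *fw, uint32_t ip) {
    return (ip & fw->inside_mask) == fw->inside_net;
}

static struct conn *find_conn(struct fw *fw, uint32_t in_ip, uint16_t in_port,
                              uint32_t out_ip, uint16_t out_port) {
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &fw->table[i];
        if (c->used && c->in_ip == in_ip && c->in_port == in_port &&
            c->out_ip == out_ip && c->out_port == out_port)
            return c;
    }
    return NULL;
}

/* Stateless filter: every packet is judged on its own header. "Let replies
 * to our connections in" can only be approximated as "let anything with
 * ACK set in", so a crafted packet carrying ACK with no connection behind
 * it (an ACK scan, or an injected rogue segment) gets through. */
bool stateless_allow(const struct fw *fw, const struct pkt *p) {
    if (is_inside(fw, p->src)) return true;     /* outbound: always allowed */
    return (p->flags & TCP_ACK) != 0;           /* inbound: looks like a reply */
}

/* Stateful filter: an outbound SYN records the connection; an inbound
 * packet is allowed only if it matches a recorded one, and FIN/RST retire
 * the entry so the hole closes when the connection does. */
bool stateful_allow(struct fw *fw, const struct pkt *p) {
    if (is_inside(fw, p->src)) {
        if ((p->flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) {
            for (int i = 0; i < MAX_CONN; i++) {
                if (fw->table[i].used) continue;
                fw->table[i] = (struct conn){ p->src, p->dst, p->sport, p->dport, true };
                break;
            }
        }
        return true;
    }
    struct conn *c = find_conn(fw, p->dst, p->dport, p->src, p->sport);
    if (c == NULL) return false;                /* unsolicited inbound: drop */
    if (p->flags & (TCP_FIN | TCP_RST)) c->used = false;
    return true;
}

int main(void) {
    struct fw fw;
    fw_init(&fw, ip4(10, 0, 0, 0), 0xFF000000u);              /* inside = 10.0.0.0/8 */
    /* Constructed packets: a real handshake and an ACK-scan probe. */
    struct pkt syn    = { ip4(10,0,0,5),     ip4(203,0,113,10), 40000, 80,    TCP_SYN };
    struct pkt synack = { ip4(203,0,113,10), ip4(10,0,0,5),     80,    40000, TCP_SYN | TCP_ACK };
    struct pkt probe  = { ip4(198,51,100,7), ip4(10,0,0,5),     1234,  22,    TCP_ACK };

    printf("ACK probe: stateless=%d stateful=%d\n",
           stateless_allow(&fw, &probe), stateful_allow(&fw, &probe));
    stateful_allow(&fw, &syn);
    printf("SYN/ACK reply after our SYN: stateful=%d\n", stateful_allow(&fw, &synack));
    return 0;
}
```

A real stateful engine also tracks sequence numbers and timeouts, but the table lookup above is the part that answers the question: without it, the filter cannot tell a reply from a rogue packet.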
****Which of the following measures can effectively minimize the possibility of buffer overflows? A. Sufficient bounds checking B. Sufficient memory C. Sufficient processing capability D. Sufficient code injection E. None of the choices
A. Sufficient bounds checking
The purpose of a mainframe audit is to provide assurance that processes are being implemented as required, the mainframe is operating as it should, security is strong, and that procedures in place are working and are updated as needed. The auditor may accordingly make recommendations for improvement. Which of the following types of audit always takes high priority over the others? A. System audit B. Application audit C. Software audit D. License audit E. Security server audit
A. System audit B. Application audit C. Software audit D. License audit E. Security server audit
Which of the following are examples of tools for launching a Distributed DoS attack (choose all that apply): A. TFN B. TFN2K C. Trin00 D. Stacheldraht E. Tripwire
A. TFN B. TFN2K C. Trin00 D. Stacheldraht Explanation: A distributed DoS attack is a network-based attack launched from many compromised hosts, controlled remotely, that flood the target with packets. Examples of tools for conducting such attacks include TFN, TFN2K, Trin00, Stacheldraht and their variants. The best defense is to make sure all system patches are up to date and that firewalls are configured appropriately.
@@At a hospital, medical personnel carry handheld computers which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance? A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss. B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs. C. Timely synchronization is ensured by policies and procedures. D. The usage of the handheld computers is allowed by the hospital policy.
A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss. Explanation: Data confidentiality is a major requirement of privacy regulations. Choices B, C and D relate to internal security requirements, and are secondary when compared to compliance with data privacy laws.
@@**Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner's server? A. The organization does not have control over encryption. B. Messages are subjected to wiretapping. C. Data might not reach the intended recipient. D. The communication may not be secure.
A. The organization does not have control over encryption. Explanation: The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the data while they are being transmitted over the Internet. The encryption is done in the background, without any interaction from the user; consequently, there is no password to remember. The other choices are incorrect. Since the communication between client and server is encrypted, the confidentiality of information is not affected by wiretapping. Since SSL authenticates the server, only the intended recipient will be able to decrypt the data. All data sent over an encrypted SSL connection are protected with a mechanism to detect tampering, i.e., automatically determining whether data have been altered in transit.
@@As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following is necessary to restore these files? A. The previous day's backup file and the current transaction tape B. The previous day's transaction file and the current transaction tape C. The current transaction tape and the current hard copy transaction log D. The current hard copy transaction log and the previous day's transaction file
A. The previous day's backup file and the current transaction tape Explanation: The previous day's backup file is the most recent historical backup of activity in the system. The current day's transaction tape contains all of the day's activity. Therefore, the combination of these two enables full recovery up to the point of interruption.
You are part of the security staff at a highly profitable bank and each day, all traffic on the network is logged for later review. Every Friday when major deposits are made you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits which isn't much but it concerns you because: A. This could be a sign of covert channeling in bank network communications and should be investigated. B. It could be a sign of a damaged network cable causing the issue. C. It could be a symptom of a malfunctioning network card or drivers and the source system should be checked for the problem. D. It is normal traffic because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field causing the condition.
A. This could be a sign of covert channeling in bank network communications and should be investigated. Explanation: The urgent pointer is used when some data has to reach the receiver as soon as possible. When the receiving TCP/IP stack sees a segment with the URG flag set, it delivers the data up to the urgent pointer ahead of the normal in-order queue instead of waiting for it to be processed in turn. Because the data is taken out of the normal stream and acted upon immediately, it is known as out-of-band (OOB) data. The urgent pointer is usually used in Telnet, where an immediate response (e.g. the echoing of characters) is desirable. Covert channels are not directly synonymous with backdoors. A covert channel is simply the use of a communication protocol in a way it was not intended to be used, or the sending of data without going through the proper access control mechanisms or channels. For example, in a mandatory access control system a user at Secret has found a way to communicate information to a user at Confidential without going through the normal channels. Header fields that are normally unused or zero, such as a 16-bit urgent pointer in segments whose URG flag is not set, are a classic place to hide such data.
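A detection check for the pattern in this question, as an added example in C that is not part of the original question bank. It parses the fixed 20-byte TCP header and flags segments whose urgent pointer is nonzero while the URG flag is clear (RFC 793 only gives the field meaning when URG is set, and normal stacks leave it zero otherwise), then collects the 16-bit values so an analyst can see what was smuggled. The sample capture is constructed inline with a small header builder; no real traffic is involved.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { TCP_ACK = 0x10, TCP_URG = 0x20 };

struct tcp_fields { uint16_t sport, dport, urg_ptr; uint8_t flags; };

/* Parse the fixed 20-byte TCP header; multi-byte fields are big-endian.
 * Returns 1 on success, 0 if the segment is too short to hold a header. */
int parse_tcp(const uint8_t *seg, size_t len, struct tcp_fields *f) {
    if (len < 20) return 0;
    f->sport   = (uint16_t)(seg[0] << 8 | seg[1]);
    f->dport   = (uint16_t)(seg[2] << 8 | seg[3]);
    f->flags   = seg[13];                          /* CWR ECE URG ACK PSH RST SYN FIN */
    f->urg_ptr = (uint16_t)(seg[18] << 8 | seg[19]);
    return 1;
}

/* The urgent pointer is only interpreted when URG is set, and stacks leave
 * it zero otherwise. A nonzero pointer with URG clear is 16 bits the
 * receiving stack ignores but a sniffing accomplice can read: the covert
 * channel in the question. Legitimate Telnet-style URG use is not flagged. */
int urgent_pointer_anomaly(const uint8_t *seg, size_t len) {
    struct tcp_fields f;
    if (!parse_tcp(seg, len, &f)) return 0;
    return (f.flags & TCP_URG) == 0 && f.urg_ptr != 0;
}

/* Run the check over a capture, copying out the smuggled values so the
 * analyst can reassemble what was exfiltrated. Returns the number of hits. */
size_t scan_segments(const uint8_t *segs[], const size_t lens[], size_t n,
                     uint16_t *leaked, size_t maxleak) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        struct tcp_fields f;
        if (!parse_tcp(segs[i], lens[i], &f)) continue;
        if ((f.flags & TCP_URG) == 0 && f.urg_ptr != 0) {
            if (hits < maxleak) leaked[hits] = f.urg_ptr;
            hits++;
        }
    }
    return hits;
}

/* Build a minimal header for the constructed sample capture (seq/ack zero,
 * data offset 5 words, window 0xFFFF, checksum left at zero). */
void make_tcp(uint8_t out[20], uint16_t sport, uint16_t dport, uint8_t flags, uint16_t urg) {
    memset(out, 0, 20);
    out[0]  = (uint8_t)(sport >> 8); out[1]  = (uint8_t)(sport & 0xFF);
    out[2]  = (uint8_t)(dport >> 8); out[3]  = (uint8_t)(dport & 0xFF);
    out[12] = 5 << 4;
    out[13] = flags;
    out[14] = 0xFF; out[15] = 0xFF;
    out[18] = (uint8_t)(urg >> 8);   out[19] = (uint8_t)(urg & 0xFF);
}

int main(void) {
    uint8_t normal[20], covert[20], legit_urg[20];
    make_tcp(normal, 50000, 443, TCP_ACK, 0);
    make_tcp(covert, 50000, 443, TCP_ACK, 0x4869);          /* "Hi" with URG clear */
    make_tcp(legit_urg, 50001, 23, TCP_ACK | TCP_URG, 1);   /* Telnet-style, URG set */
    const uint8_t *segs[] = { normal, covert, legit_urg };
    size_t lens[] = { 20, 20, 20 };
    uint16_t leaked[8];
    size_t hits = scan_segments(segs, lens, 3, leaked, 8);
    printf("%zu suspicious segment(s); first smuggled value 0x%04x\n",
           hits, hits ? leaked[0] : 0);
    return 0;
}
```

In production this check would sit behind the IP header parser and also compare the URG-set case against a whitelist of services that legitimately use it (Telnet, some FTP and rlogin implementations); the point is that the field is never zero-cost for an attacker, because it is always logged.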
Which of the following concerns associated with the World Wide Web would be addressed by a firewall? A. Unauthorized access from outside the organization B. Unauthorized access from within the organization C. A delay in Internet connectivity D. A delay in downloading using File Transfer Protocol (FTP)
A. Unauthorized access from outside the organization Explanation: Firewalls are meant to prevent outsiders from gaining access to an organization's computer systems through the Internet gateway. They form a barrier with the outside world, but are not intended to address access by internal users; they are more likely to cause delays than to address such concerns.
@@Which of the following measures can protect systems files and data, respectively? A. User account access controls and cryptography B. User account access controls and firewall C. User account access controls and IPS D. IDS and cryptography E. Firewall and cryptography
A. User account access controls and cryptography Explanation: User account access controls and cryptography can protect systems files and data, respectively. On the other hand, firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.
Talking about biometric authentication, which of the following is often considered as a mix of both physical and behavioral characteristics? A. Voice B. Finger measurement C. Body measurement D. Signature
A. Voice Explanation: Biometric authentication refers to technologies that measure and analyze human physical and behavioral characteristics for authentication purposes. Physical characteristics include fingerprints, eye retinas and irises, facial patterns and hand measurements, while behavioral characteristics include signature, gait and typing patterns. Voice is often considered as a mix of both physical and behavioral characteristics.
****When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation? A. Wiring and schematic diagram B. Users lists and responsibilities C. Application lists and their details D. Backup and recovery procedures
A. Wiring and schematic diagram Explanation: The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.
***A virus typically consists of what major parts (choose all that apply): A. a mechanism that allows it to infect other files and reproduce B. a trigger that activates delivery of a payload C. a payload D. a signature E. None of the choices.
A. a mechanism that allows it to infect other files and reproduce B. a trigger that activates delivery of a payload C. a payload Explanation: A virus typically consists of three parts: a mechanism that allows it to infect other files and reproduce, a trigger that activates delivery of a payload, and the payload, from which the virus often gets its name. The payload is what the virus does to the victim file.
The Federal Information Processing Standards (FIPS) are primarily for use by (choose all that apply): A. all non-military government agencies B. US government contractors C. all military government agencies D. all private and public colleges in the US
A. all non-military government agencies B. US government contractors Explanation: Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all nonmilitary government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community.
****Relatively speaking, firewalls operated at the application level of the seven layer OSI model are: A. almost always less efficient. B. almost always less effective. C. almost always less secure. D. almost always less costly to setup.
A. almost always less efficient. Explanation: Early attempts at producing firewalls operated at the application level of the seven-layer OSI model but this required too much CPU processing power. Packet filters operate at the network layer and function more efficiently because they only look at the header part of a packet.
****A successful risk-based IT audit program should be based on: A. an effective scoring system. B. an effective PERT diagram. C. an effective departmental brainstorm session. D. an effective organization-wide brainstorm session. E. an effective yearly budget.
A. an effective scoring system. Explanation: A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.
Which of the following refers to an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer? A. buffer overflow B. format string vulnerabilities C. integer misappropriation D. code injection
A. buffer overflow Explanation: A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.
****In auditing a web server, an IS auditor should be concerned about the risk of individuals gaining unauthorized access to confidential information through: A. common gateway interface (CGI) scripts. B. enterprise Java beans (EJBs). C. applets. D. web services.
A. common gateway interface (CGI) scripts. Explanation: Common gateway interface (CGI) scripts are executable, machine-independent software programs on the server that can be called and executed by a web server page. CGI performs specific tasks such as processing inputs received from clients. The use of CGI scripts needs to be evaluated because, as they run on the server, a bug in them may allow a user to gain unauthorized access to the server and from there gain access to the organization's network. Applets are programs downloaded from a web server and executed on web browsers on client machines to run web-based applications. Enterprise Java Beans (EJBs) and web services have to be deployed by the web server administrator and are controlled by the application server. Their execution requires knowledge of the parameters and expected return values.
****The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: A. connecting points are available in the facility to connect laptops to the network. B. users take precautions to keep their passwords confidential. C. terminals with password protection are located in insecure locations. D. terminals are located within the facility in small clusters under the supervision of an administrator.
A. connecting points are available in the facility to connect laptops to the network. Explanation: Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available for intruders to use, they must guess them, which introduces an additional factor and requires time. System passwords provide protection against unauthorized use of terminals located in insecure locations. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.
@@An IS auditor performing detailed network assessments and access control reviews should FIRST: A. determine the points of entry. B. evaluate users' access authorization. C. assess users' identification and authorization. D. evaluate the domain-controlling server configuration.
A. determine the points of entry. Explanation: In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all implementation issues for appropriate controls for the points of entry.
@@Most trojan horse programs are spread through: A. e-mails. B. MP3. C. MS Office. D. Word template.
A. e-mails. Explanation: Most trojan horse programs are spread through e-mails. Some earlier trojan horse programs were bundled in "Root Kits". For example, the Linux Root Kit version 3 (lrk3), which was released in December 96, had tcp wrapper trojans included and enhanced in the kit. Portable devices that run Linux can also be affected by trojan horses. The Trojan.Linux.JBellz Trojan horse runs as a malformed .mp3 file.
The technique used to ensure security in virtual private networks (VPNs) is: A. encapsulation. B. wrapping. C. transform. D. encryption.
A. encapsulation. Explanation: Encapsulation, or tunneling, is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.
****An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by: A. encrypting the hash of the newsletter using the advisor's private key. B. encrypting the hash of the newsletter using the advisor's public key. C. digitally signing the document using the advisor's private key. D. encrypting the newsletter using the advisor's private key.
A. encrypting the hash of the newsletter using the advisor's private key. Explanation: There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice A is correct because the hash is encrypted using the advisor's private key. The recipients can open the newsletter, recompute the hash and decrypt the received hash using the advisor's public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not feasible, for no one other than the investment advisor can open it. Choice C addresses sender authentication but not message integrity. Choice D addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor's private key, because they do not have it. Anything encrypted using the interceptor's private key can be decrypted by the receiver only by using the interceptor's public key.
****An organization currently using tape backups takes one full backup weekly and incremental backups daily. They recently augmented their tape backup procedures with a backup-to-disk solution. This is appropriate because: A. fast synthetic backups for offsite storage are supported. B. backup to disk is always significantly faster than backup to tape. C. tape libraries are no longer needed. D. data storage on disks is more reliable than on tapes.
A. fast synthetic backups for offsite storage are supported.
****The FIRST step in a successful attack to a system would be: A. gathering information. B. gaining access. C. denying services. D. evading detection.
A. gathering information. Explanation: Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.
****Which of the following typically consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared? A. honeypot B. superpot C. IDS D. IPS E. firewall
A. honeypot Explanation: You may use a honeypot to detect and deflect unauthorized use of your information systems. A typical honeypot consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared for trapping hackers.
As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the CRC-32 checksum for: A. integrity. B. validity. C. accuracy. D. confidentiality.
A. integrity. Explanation: As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. Many WEP systems require a key in hexadecimal format. If one chooses keys that spell words in the limited 0-9, A-F hex character set, these keys can be easily guessed.
Which of the following is a rewrite of ipfwadm? A. ipchains B. iptables C. Netfilter D. ipcook
A. ipchains Explanation: ipchains is a free software-based firewall running on earlier Linux versions. It is a rewrite of ipfwadm but is superseded by iptables in Linux 2.4 and above. iptables controls the packet filtering and NAT components within the Linux kernel. It is based on Netfilter, a framework which provides a set of hooks within the Linux kernel for intercepting and manipulating network packets.
Why is the one-time pad not always preferable for encryption (choose all that apply): A. it is difficult to use securely. B. it is highly inconvenient to use. C. it requires a licensing fee. D. it requires internet connectivity. E. it is Microsoft only.
A. it is difficult to use securely. B. it is highly inconvenient to use. Explanation: It's possible to protect messages in transit by means of cryptography. One method of encryption, the one-time pad, has been proven to be unbreakable when correctly used. This method uses a matching pair of key codes, securely distributed, which are used once-and-only-once to encode and decode a single message. Note that this method is difficult to use securely, and is highly inconvenient as well.
Physical access controls are usually implemented based on which of the following means (choose all that apply): A. mechanical locks B. guards C. operating systems D. transaction applications
A. mechanical locks B. guards
A screening router inspects traffic by examining the: A. message header. B. virus payload. C. message content. D. attachment type.
A. message header. Explanation: The simplest and almost cheapest type of firewall is a packet filter that stops messages with inappropriate network addresses. It usually consists of a screening router and a set of rules that accept or reject a message based on information in the message header.
Which of the following BEST describes the concept of "defense in depth"? A. more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. B. multiple firewalls are implemented. C. multiple firewalls and multiple network OS are implemented. D. intrusion detection and firewall filtering are required. E. None of the choices.
A. more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Explanation: With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure".
***The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure: A. only the sender and receiver are able to encrypt/decrypt the data. B. the sender and receiver can authenticate their respective identities. C. the alteration of transmitted data can be detected. D. the ability to identify the sender by generating a one-time session key.
A. only the sender and receiver are able to encrypt/decrypt the data. Explanation: SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X.509 certificates to provide for identification and authentication, this feature, along with choices C and D, is not the primary objective.
****The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all: A. outgoing traffic with IP source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts.
A. outgoing traffic with IP source addresses external to the network. Explanation: Outgoing traffic with an IP source address different than the IP range in the network is invalid; in most cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine. In both cases, applying this filter will stop the attack.
@@Which of the following is a good tool to use to help enforce the deployment of good passwords? A. password cracker B. local DoS attacker C. network hacker D. remote windowing tool
A. password cracker Explanation: Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Use a password that is at least eight characters long. You may want to run a "password cracker" program periodically, and require users to immediately change any easily cracked passwords. In any case, ask them to change their passwords every 90 to 120 days.
In an application system audit, focus should always be placed on: A. performance and controls of the system B. the ability to limit unauthorized access and manipulation C. input data being processed correctly D. output data being processed correctly E. changes to the system being properly authorized
A. performance and controls of the system B. the ability to limit unauthorized access and manipulation C. input data being processed correctly D. output data being processed correctly E. changes to the system being properly authorized Explanation: In an application system audit, focus should be placed on the performance and controls of the system, its ability to limit unauthorized access and manipulation, that input and output data are processed correctly on the system, that any changes to the system are authorized, and that users have access to the system.
****Which of the following refers to an important procedure when evaluating database security (choose the BEST answer)? A. performing vulnerability assessments against the database. B. performing data check against the database. C. performing dictionary check against the database. D. performing capacity check against the database system.
A. performing vulnerability assessments against the database. Explanation: An important procedure when evaluating database security is performing vulnerability assessments against the database. Database administrators or Information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above along with known vulnerabilities within the database software.
In a security server audit, focus should be placed on (choose all that apply): A. proper segregation of duties B. adequate user training C. continuous and accurate audit trail D. proper application licensing E. system stability F. performance and controls of the system
A. proper segregation of duties C. continuous and accurate audit trail
Effective transactional controls are often capable of offering which of the following benefits (choose all that apply): A. reduced administrative and material costs B. shortened contract cycle times C. enhanced procurement decisions D. diminished legal risk
A. reduced administrative and material costs B. shortened contract cycle times C. enhanced procurement decisions D. diminished legal risk Explanation: Transactional systems provide a baseline necessary to measure and monitor contract performance and provide a method for appraising efficiency against possible areas of exposure. Effective transactional controls reduce administrative and material costs, shorten contract cycle times, enhance procurement decisions, and diminish legal risk.
!!!2 An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice: A. reduces the risk of unauthorized access to the network. B. is not suitable for small networks. C. automatically provides an IP address to anyone. D. increases the risks associated with Wireless Encryption Protocol (WEP).
A. reduces the risk of unauthorized access to the network. Explanation: Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connected to the network. With DHCP disabled, static IP addresses must be used and represent less risk due to the potential for address contention between an unauthorized device and existing devices on the network. Choice B is incorrect because DHCP is suitable for small networks. Choice C is incorrect because DHCP does not provide IP addresses when disabled. Choice D is incorrect because disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in WEP.
****Which of the following will replace system binaries and/or hook into the function calls of the operating system to hide the presence of other programs (choose the most precise answer)? A. rootkits B. virus C. trojan D. tripwire
A. rootkits Explanation: A backdoor may take the form of an installed program (e.g., Back Orifice) or could be in the form of an existing "legitimate" program or executable file. A specific form of backdoor is the rootkit, which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other programs, users, services and open ports.
****An offsite information processing facility: A. should have the same amount of physical access restrictions as the primary processing site. B. should be easily identified from the outside so that, in the event of an emergency, it can be easily found. C. should be located in proximity to the originating site, so it can quickly be made operational. D. need not have the same level of environmental monitoring as the originating site.
A. should have the same amount of physical access restrictions as the primary processing site. Explanation: An offsite information processing facility should have the same amount of physical control as the originating site. It should not be easily identified from the outside to prevent intentional sabotage. The offsite facility should not be subject to the same natural disaster that could affect the originating site and thus should not be located in proximity of the original site. The offsite facility should possess the same level of environmental monitoring and control as the originating site.
A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format.
A. show if the message has been altered after transmission. Explanation: The message digest is calculated and included in a digital signature to prove that the message has not been altered. It should be the same value as a recalculation performed upon receipt. It does not define the algorithm or enable the transmission in digital format and has no effect on the identity of the user; it is there to ensure integrity rather than identity.
Which of the following is an oft-cited cause of vulnerability of networks? A. software monoculture B. software diversification C. single line of defense D. multiple DMZ
A. software monoculture Explanation: An oft-cited cause of vulnerability of networks is homogeneity or software monoculture. In particular, Microsoft Windows has such a large share of the market that concentrating on it will enable a cracker to subvert a large number of systems. Introducing inhomogeneity purely for the sake of robustness would however bring high costs in terms of training and maintenance.
Which of the following can be thought of as the simplest and almost cheapest type of firewall? A. stateful firewall B. hardware firewall C. PIX firewall D. packet filter
A. stateful firewall Explanation: The simplest and almost cheapest type of firewall is a packet filter that stops messages with inappropriate network addresses. It usually consists of a screening router and a set of rules that accept or reject a message based on information in the message header.
****The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through: A. symmetric encryption. B. message authentication code. C. hash function. D. digital signature certificates.
A. symmetric encryption. Explanation: SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. A hash function is used for generating a message digest; it does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication.
The Federal Information Processing Standards (FIPS) were developed by: A. the United States Federal government B. ANSI C. ISO D. IEEE E. IANA
A. the United States Federal government Explanation: Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all nonmilitary government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community.
Within a virus, which component is responsible for what the virus does to the victim file? A. the payload B. the signature C. the trigger D. the premium
A. the payload Explanation: A virus typically consists of three parts: a mechanism that allows it to infect other files and reproduce, a trigger that activates delivery of a "payload", and the payload, from which the virus often gets its name. The payload is what the virus does to the victim file.
****To prevent IP spoofing attacks, a firewall should be configured to drop a packet if: A. the source routing field is enabled. B. it has a broadcast address in the destination field. C. a reset flag (RST) is turned on for the TCP connection. D. dynamic routing is used instead of static routing.
A. the source routing field is enabled. Explanation: IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing (choice D). Choices B and C do not have any relation to IP spoofing attacks. If a packet has a broadcast destination address (choice B), it will be sent to all addresses in the subnet. Turning on the reset flag (RST) (choice C) is part of the normal procedure to end a TCP connection.
@@Which of the following correctly describes the purpose of an Electronic data processing audit? A. to collect and evaluate evidence of an organization's information systems, practices, and operations. B. to ensure document validity. C. to verify data accuracy. D. to collect and evaluate benefits brought by an organization's information systems to its bottom line.
A. to collect and evaluate evidence of an organization's information systems, practices, and operations. Explanation: An Electronic data processing (EDP) audit is an IT audit. It is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.
****What would be the major purpose of a rootkit? A. to hide evidence from system administrators. B. to encrypt files for system administrators. C. to corrupt files for system administrators. D. to hijack system sessions.
A. to hide evidence from system administrators. Explanation: The term rootkit originally described those recompiled Unix tools that would hide any trace of the intruder. You can say that the only purpose of a rootkit is to hide evidence from system administrators so that there is no way to detect malicious special-privilege access attempts.
@@A company has decided to implement an electronic signature scheme based on public key infrastructure. The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is: A. use of the user's electronic signature by another person if the password is compromised. B. forgery by using another user's private key to sign a message with an electronic signature. C. impersonation of a user by substitution of the user's public key with another person's public key. D. forgery by substitution of another person's private key on the computer.
A. use of the user's electronic signature by another person if the password is compromised. Explanation: The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice B would require subversion of the public key infrastructure mechanism, which is very difficult and least likely. Choice C would require that the message appear to have come from a different person, and therefore the true user's credentials would not be forged. Choice D has the same consequence as choice C.
@@Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise e-mail? A. The private key certificate has not been updated. B. The certificate revocation list has not been updated. C. The certificate practice statement has not been published. D. The PKI policy has not been updated within the last year.
B. The certificate revocation list has not been updated.
Under the concept of "defense in depth", subsystems should be designed to: A. "fail insecure" B. "fail secure" C. "react to attack" D. "react to failure"
B. "fail secure" Explanation: With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure".
!!!2 Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards? A. DES B. AES C. Triple DES D. RSA
B. AES Explanation: Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small devices such as smart cards. DES is not considered a strong cryptographic solution since its entire key space can be brute forced by large computer systems within a relatively short period of time. Triple DES can take up to three times longer than DES to perform encryption and decryption. RSA keys are large numbers that are suitable only for short messages, such as the creation of a digital signature.
!!!2 Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)
B. Certification practice statement (CPS) Explanation: The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items such as the warranties, limitations and obligations that legally bind each party.
****Which of the following is the MOST important objective of data protection? A. identifying persons who need access to information B. Ensuring the integrity of information C. Denying or authorizing access to the IS system D. Monitoring logical accesses
B. Ensuring the integrity of information Explanation: Maintaining data integrity is the most important objective of data security. This is a necessity if an organization is to continue as a viable and successful enterprise. The other choices are important techniques for achieving the objective of data integrity.
Which of the following is not a good tactic to use against hackers? A. Enticement B. Entrapment
B. Entrapment Explanation: Enticement occurs after somebody has gained unlawful access to a system and is then subsequently lured to a honey pot. Entrapment encourages the commission of unlawful access. The latter is not a good tactic to use, as it involves encouraging someone to commit a crime.
****Which of the following types of spyware was originally designed for determining the sources of error or for measuring staff productivity? A. Keywords logging B. Keystroke logging C. Directory logging D. Password logging
B. Keystroke logging Explanation: Keystroke logging (in the form of spyware) was originally a function of a diagnostic tool deployed by software developers for capturing users' keystrokes. This is done for determining the sources of error or for measuring staff productivity.
The Trojan.Linux.JBellz Trojan horse runs as a malformed file of what format? A. e-mails. B. MP3. C. MS Office. D. Word template.
B. MP3. Explanation: Most trojan horse programs are spread through e-mails. Some earlier trojan horse programs were bundled in "Root Kits". For example, the Linux Root Kit version 3 (lrk3), which was released in December 96, had tcp wrapper trojans included and enhanced in the kit. Portable devices that run Linux can also be affected by trojan horses. The Trojan.Linux.JBellz Trojan horse runs as a malformed .mp3 file.
****Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)? A. Encrypts the information transmitted over the network B. Makes other users' certificates available to applications C. Facilitates the implementation of a password policy D. Stores certificate revocation lists (CRLs)
B. Makes other users' certificates available to applications Explanation: A directory server makes other users' certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI).
@@Two-factor authentication can be circumvented through which of the following attacks? A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force
B. Man-in-the-middle
Which of the following software tools is often used for stealing money from an infected PC's owner by taking control of the modem? A. System patcher B. Porn dialer C. War dialer D. T1 dialer E. T3 dialer
B. Porn dialer Explanation: One way of stealing money from an infected PC's owner is to take control of the modem and dial an expensive toll call. Dialers such as porn dialer software dial up a premium-rate telephone number and leave the line open, charging the toll to the infected user.
***Over the long term, which of the following has the greatest potential to improve the security incident response process? A. A walkthrough review of incident response procedures B. Postevent reviews by the incident response team C. Ongoing security training for users D. Documenting responses to an incident
B. Postevent reviews by the incident response team Explanation: Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.
****Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist? A. Reviewing program code B. Reviewing operations documentation C. Turning off the UPS, then the power D. Reviewing program documentation
B. Reviewing operations documentation Explanation: Operations documentation should contain recovery/restart procedures, so operations can return to normal processing in a timely manner. Turning off the uninterruptible power supply (UPS) and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.
Which of the following would MOST effectively control the usage of universal storage bus (USB) storage devices? A. Policies that require instant dismissal if such devices are found B. Software for tracking and managing USB storage devices C. Administratively disabling the USB port D. Searching personnel for USB storage devices at the facility's entrance
B. Software for tracking and managing USB storage devices
****When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? A. There is no registration authority (RA) for reporting key compromises B. The certificate revocation list (CRL) is not current. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. D. Subscribers report key compromises to the certificate authority (CA).
B. The certificate revocation list (CRL) is not current. Explanation: If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). A digital certificate containing a public key that is used to encrypt messages and verify digital signatures is not a risk. Subscribers reporting key compromises to the CA is not a risk, since reporting this to the CA enables the CA to take appropriate action.
***Cisco IOS based routers perform basic traffic filtering via which of the following mechanisms? A. datagram scanning B. access lists C. stateful inspection D. state checking E. link progressing
B. access lists Explanation: In addition to deploying a stateful firewall, you may set up basic traffic filtering on a more sophisticated router. As an example, on a Cisco IOS based router you may use IP access lists (ACLs) to perform basic filtering on the network edge. Note that if the lists deny too much traffic, something is obviously too restrictive and you may want to reconfigure them.
@@An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D. accountability system and the ability to identify any terminal accessing system resources.
B. authorization and authentication of the user prior to granting access to system resources. Explanation: The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.
****Which of the following refers to a symmetric key cipher which operates on fixed-length groups of bits with an unvarying transformation? A. stream cipher B. block cipher C. check cipher D. string cipher
B. block cipher Explanation: In cryptography, a block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. A stream cipher, on the other hand, operates on individual digits one at a time.
****Squid is an example of: A. IDS B. caching proxy C. security proxy D. connection proxy E. dialer
B. caching proxy Explanation: Squid is an example of a caching proxy, not a security proxy. It has the main purpose of locally storing copies of web pages that are popular, with the benefit of saving bandwidth.
Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the: A. registration authority (RA). B. certificate authority (CA). C. certificate repository. D. receiver.
B. certificate authority (CA). Explanation: A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can issue a certificate. The CA signs the certificate with its private key for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA's public key.
What should be done to determine the appropriate level of audit coverage for an organization's IT environment? A. determine the company's quarterly budget requirement. B. define an effective assessment methodology. C. calculate the company's yearly budget requirement. D. define an effective system upgrade methodology. E. define an effective network implementation methodology.
B. define an effective assessment methodology. Explanation: To determine the appropriate level of audit coverage for the organization's IT environment, you must define an effective assessment methodology and provide objective information to prioritize the allocation of audit resources properly.
Performance of a biometric measure is usually referred to in terms of (choose all that apply): A. failure to reject rate B. false accept rate C. false reject rate D. failure to enroll rate
B. false accept rate C. false reject rate D. failure to enroll rate Explanation: Performance of a biometric measure is usually referred to in terms of the false accept rate (FAR), the false non-match or reject rate (FRR), and the failure to enroll rate (FTE or FER). The FAR measures the percent of invalid users who are incorrectly accepted, while the FRR measures the percent of valid users who are wrongly rejected.
****Which of the following types of attack makes use of unfiltered user input as the format string parameter in the printf() function of the C language? A. buffer overflows B. format string vulnerabilities C. integer overflow D. code injection E. command injection
B. format string vulnerabilities Explanation: Format string attacks are a new class of vulnerabilities recently discovered. They can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token.
Many WEP systems require a key in a relatively insecure format. What format is this? A. binary format. B. hexadecimal format. C. 128 bit format. D. 256 bit format.
B. hexadecimal format. Explanation: As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity. Many WEP systems require a key in hexadecimal format. If one chooses keys that spell words in the limited 0-9, A-F hex character set, these keys can be easily guessed.
***Network ILD&P are typically installed: A. on the organization's internal network connection. B. on the organization's internet network connection. C. on each end-user station. D. on the firewall.
B. on the organization's internet network connection. Explanation: Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P systems are gateway-based systems installed on the organization's internet network connection; they analyze network traffic to search for unauthorized information transmissions. Host-based ILD&P systems run on end-user workstations to monitor and control access to physical devices and to access information before it has been encrypted.
****Which of the following correctly describe the potential problem of deploying Wi-Fi Protected Access to secure your wireless network? A. potential compatibility problems with wireless network interface cards. B. potential compatibility problems with wireless access points. C. potential performance problems with wireless network interface cards. D. potential performance problems with wireless access points.
B. potential compatibility problems with wireless access points. Explanation: Wi-Fi Protected Access (WPA / WPA2) is a class of systems to secure wireless computer networks. It implements the majority of the IEEE 802.11i standard, and is designed to work with all wireless network interface cards (but not necessarily with first generation wireless access points).
****To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the: A. access control servers. B. session border controllers. C. backbone gateways. D. intrusion detection system (IDS).
B. session border controllers. Explanation: Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.
Pretexting is an act of: A. DoS B. social engineering C. eavesdropping D. soft coding E. hard coding
B. social engineering
****The MOST likely explanation for a successful social engineering attack is: A. that computers make logic errors. B. that people make judgment errors. C. the computer knowledge of the attackers. D. the technological sophistication of the attack method.
B. that people make judgment errors. Explanation: Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. Generally, social engineering attacks do not require technological expertise; often, the attacker is not proficient in information technology or systems. Social engineering attacks are human-based and generally do not involve complicated technology.
****Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet? A. A remote access server B. A proxy server C. A personal firewall D. A password-generating token
C. A personal firewall Explanation: A personal firewall is the best way to protect against hacking, because it can be defined with rules that describe the type of user or connection that is or is not permitted. A remote access server can be mapped or scanned from the Internet, creating security exposures. Proxy servers can provide protection based on the IP address and ports; however, an individual would need to have in-depth knowledge to do this, and applications can use different ports for the different sections of their program. A password-generating token may help to encrypt the session but does not protect a computer against hacking.
A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them. Zombie computers are HEAVILY relied upon by which of the following types of attack? A. Eavesdropping B. DoS C. DDoS D. ATP E. Social Engineering
C. DDoS Explanation: "Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts ('zombie computers') are used to flood a target system with network requests, thus attempting to render it unusable through resource exhaustion."
An attack amplifier is often HEAVILY relied upon by which of the following types of attack? A. Packet dropping B. ToS C. DDoS D. ATP E. Wiretapping
C. DDoS Explanation: Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts are used to flood a target system with network requests. One technique to exhaust victim resources is through the use of an attack amplifier, where the attacker takes advantage of poorly designed protocols on third-party machines in order to instruct these hosts to launch the flood.
****Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault? A. There are three individuals with a key to enter the area. B. Paper documents are also stored in the offsite vault. C. Data files that are stored in the vault are synchronized. D. The offsite vault is located in a separate facility.
C. Data files that are stored in the vault are synchronized. Explanation: Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because an IS auditor would not be concerned with whether paper documents are stored in the offsite vault. In fact, paper documents, such as procedural documents and a copy of the contingency plan, would most likely be stored in the offsite vault, and the location of the vault is important, but not as important as the files being synchronized.
Which of the following is the MOST reliable sender authentication method? A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code
C. Digital certificates Explanation: Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for both authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate. Message authentication code is used for message integrity verification.
@@Which of the following is the MOST important action in recovering from a cyberattack? A. Creation of an incident response team B. Use of cyberforensic investigators C. Execution of a business continuity plan D. Filing an insurance claim
C. Execution of a business continuity plan Explanation: The most important key step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensic investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.
!!!2Which of the following provides the MOST relevant information for proactively strengthening security settings? A. Bastion host B. Intrusion detection system C. Honeypot D. Intrusion prevention system
C. Honeypot Explanation: The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.
****Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption? A. Processing power B. Volume of data C. Key distribution D. Complexity of the algorithm
C. Key distribution Explanation: Symmetric key encryption requires that the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than asymmetric techniques, thus making them ideal for encrypting a large volume of data. The major disadvantage is the need to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities.
Which of the following refers to the collection of policies and procedures for implementing controls capable of restricting access to computer software and data files? A. Binary access control B. System-level access control C. Logical access control D. Physical access control E. Component access control
C. Logical access control Explanation: Logical access control is about the use of a collection of policies, procedures, and controls to restrict access to computer software and data files. Such a control system should provide reasonable assurance that an organization's objectives are being properly achieved securely and reliably.
@@An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? A. The tools used to conduct the test B. Certifications held by the IS auditor C. Permission from the data owner of the server D. An intrusion detection system (IDS) is enabled
C. Permission from the data owner of the server Explanation: The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner's responsibility for the security of the data assets.
****Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack? A. 128-bit wired equivalent privacy (WEP) B. MAC-based pre-shared key (PSK) C. Randomly generated pre-shared key (PSK) D. Alphanumeric service set identifier (SSID)
C. Randomly generated pre-shared key (PSK) Explanation: A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.
***Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments? A. The buyer is assured that neither the merchant nor any other party can misuse their credit card data. B. All personal SET certificates are stored securely in the buyer's computer. C. The buyer is liable for any transaction involving his/her personal SET certificates. D. The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.
C. The buyer is liable for any transaction involving his/her personal SET certificates. Explanation: The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer's credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer's computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter their credit card data, they will have to handle the wallet software.
***An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. An IS auditor recommends replacing the non-upgradeable access points. Which of the following would BEST justify the IS auditor's recommendation? A. The new access points with stronger security are affordable. B. The old access points are poorer in terms of performance. C. The organization's security would be as strong as its weakest points. D. The new access points are easier to manage.
C. The organization's security would be as strong as its weakest points. Explanation: The old access points should be discarded and replaced with products having strong security; otherwise, they will leave security holes open for attackers and thus make the entire network as weak as they are. Affordability is not the auditor's major concern. Performance is not as important as security in this situation. Product manageability is not the IS auditor's concern.
Back Orifice is an example of: A. a virus. B. a legitimate remote control software. C. a backdoor that takes the form of an installed program. D. an eavesdropper.
C. a backdoor that takes the form of an installed program. Explanation: "A backdoor may take the form of an installed program (e.g., Back Orifice) or could be in the form of an existing 'legitimate' program, or executable file. A specific form of backdoor is the rootkit, which replaces system binaries and/or hooks into the function calls of the operating system to hide the presence of other programs, users, services and open ports."
***An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption: A. provides authenticity. B. is faster than asymmetric encryption. C. can cause key management to be difficult. D. requires a relatively simple algorithm.
C. can cause key management to be difficult. Explanation: In a symmetric algorithm, each pair of users needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations, but they are not as complex as asymmetric algorithms.
@@E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. D. close firewall-1.
C. close firewall-2. Explanation: Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.
Which of the following types of attack works by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs? A. format string vulnerabilities B. integer overflow C. code injection D. command injection
C. code injection Explanation: Code injection is a technique to introduce code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs.
Gimmes often work through: A. SMS B. IRC chat C. email attachment D. news E. file download
C. email attachment Explanation: Gimmes take advantage of curiosity or greed to deliver malware. Also known as a Trojan horse, a gimme can arrive as an email attachment promising anything. The recipient is expected to give in to the temptation to see the program and open the attachment. In addition, many users will blindly click on any attachment they receive that seems even mildly legitimate.
@@The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks (RAID) level 1 in a file server is to: A. achieve performance improvement. B. provide user authentication. C. ensure availability of data. D. ensure the confidentiality of data.
C. ensure availability of data. Explanation: RAID level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. RAID level 1 does not improve performance, has no relevance to authentication and does nothing to provide for data confidentiality.
@@A penetration test performed as part of evaluating network security: A. provides assurance that all vulnerabilities are discovered. B. should be performed without warning the organization's management. C. exploits the existing vulnerabilities to gain unauthorized access. D. would not damage the information assets when performed at network perimeters.
C. exploits the existing vulnerabilities to gain unauthorized access. Explanation: Penetration tests are an effective method of identifying real-time risks to an information processing environment. They attempt to break into a live site in order to gain unauthorized access to a system. They do have the potential for damaging information assets or misusing information because they mimic an experienced hacker attacking a live system. On the other hand, penetration tests do not provide assurance that all vulnerabilities are discovered because they are based on a limited number of procedures. Management should provide consent for the test to avoid false alarms to IT personnel or to law enforcement bodies.
Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a: A. feedback error control. B. block sum check. C. forward error control. D. cyclic redundancy check
C. forward error control. Explanation: Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. Choices B and D are both error detection methods but not error correction methods. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted.
@@Which of the following is the MOST effective type of antivirus software? A. Scanners B. Active monitors C. integrity checkers D. Vaccines
C. integrity checkers Explanation: Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective.
Which of the following are often considered as the first defensive line in protecting a typical data and information environment? A. certificates B. security token C. password D. biometrics
C. password Explanation: Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password.
****IS management has decided to install a level 1 Redundant Array of Inexpensive Disks (RAID) system in all servers to compensate for the elimination of offsite backups. The IS auditor should recommend: A. upgrading to a level 5 RAID. B. increasing the frequency of onsite backups. C. reinstating the offsite backups. D. establishing a cold site in a secure location.
C. reinstating the offsite backups. Explanation: A RAID system, at any level, will not protect against a natural disaster. The problem will not be alleviated without offsite backups, more frequent onsite backups or even setting up a cold site. Choices A, B and D do not compensate for the lack of offsite backup.
****When conducting a penetration test of an IT system, an organization should be MOST concerned with: A. the confidentiality of the report. B. finding all possible weaknesses on the system. C. restoring all systems to the original state. D. logging all changes made to the production system.
C. restoring all systems to the original state. Explanation: All suggested items should be considered by the system owner before agreeing to penetration tests, but the most important task is to be able to restore all systems to their original state. Information that is created and/or stored on the tested systems should be removed from these systems. If for some reason, at the end of the penetration test, this is not possible, all files (with their location) should be identified in the technical report so that the client's technical staff will be able to remove these after the report has been received.
Cross-site scripting (XSS) attacks are BEST prevented through: A. application firewall policy settings. B. a three-tier web architecture. C. secure coding practices. D. use of common industry frameworks.
C. secure coding practices.
****Buffer overflow aims primarily at corrupting: A. system processor B. network firewall C. system memory D. disk storage
C. system memory Explanation: A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.
****The GREATEST risk posed by an improperly implemented intrusion prevention system (IPS) is: A. that there will be too many alerts for system administrators to verify. B. decreased network performance due to IPS traffic. C. the blocking of critical systems or services due to false triggers. D. reliance on specialized expertise within the IT organization.
C. the blocking of critical systems or services due to false triggers. Explanation: An intrusion prevention system (IPS) prevents a connection or service based on how it is programmed to react to specific incidents. If the packets are coming from a spoofed address and the IPS is triggered based on previously defined behavior, it may block the service or connection of a critical internal system. The other choices are risks that are not as severe as blocking critical systems or services due to false triggers.
****A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.
C. traffic analysis. Explanation: In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. In eavesdropping, which also is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring and releasing message contents for personal analysis or for third parties. Spoofing and masquerading are active attacks. In spoofing, a user receives an e-mail that appears to have originated from one source when it actually was sent from another source. In masquerading, the intruder presents an identity other than the original identity.
Which of the following refers to any program that invites the user to run it but conceals a harmful or malicious payload? A. virus B. worm C. trojan horse D. spyware E. rootkits
C. trojan horse Explanation: Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to immediate yet undesirable effects, or more commonly it may install further harmful software into the user's system to serve the creator's longer-term goals.
****What is wrong with a Black Box type of intrusion detection system? A. you cannot patch it B. you cannot test it C. you cannot examine its internal workings from outside. D. you cannot tune it
C. you cannot examine its internal workings from outside. Explanation: An intrusion detection system should be able to run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box", because you want to ensure its internal workings are examinable from outside.
@@After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator? A. Server is a member of a workgroup and not part of the server domain B. Guest account is enabled on the server C. Recently, 100 users were created in the server D. Audit logs are not enabled for the server
D. Audit logs are not enabled for the server Explanation: Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern. Recently creating 100 users in the server may have been required to meet business needs and should not be a concern.
****Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam? A. Heuristic (rule-based) B. Signature-based C. Pattern matching D. Bayesian (statistical)
D. Bayesian (statistical) Explanation: Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level using wildcards, and not at higher levels.
A shared resource matrix is a technique commonly used to locate: A. Malicious code B. Security flaws C. Trap doors D. Covert channels
D. Covert channels Explanation: Analyzing resources of a system is one standard for locating covert channels because the basis of a covert channel is a shared resource. The following properties must hold for a storage channel to exist: 1. Both sending and receiving processes must have access to the same attribute of a shared object. 2. The sending process must be able to modify the attribute of the shared object. 3. The receiving process must be able to reference that attribute of the shared object. 4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.
Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information? A. Degaussing B. Defragmenting C. Erasing D. Destroying
D. Destroying Explanation: Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic media. The purpose of defragmentation is to eliminate fragmentation in file systems and does not remove information. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.
****Which of the following penetration tests would MOST effectively evaluate incident handling and response capabilities of an organization? A. Targeted testing B. External testing C. Internal testing D. Double-blind testing
D. Double-blind testing Explanation: In a double-blind test, the administrator and security staff are not aware of the test, which will result in an assessment of the incident handling and response capability in an organization. In targeted, external, and internal testing, the system administrator and security staff are aware of the tests since they are informed before the start of the tests.
****The network of an organization has been the victim of several intruder attacks. Which of the following measures would allow for the early detection of such incidents? A. Antivirus software B. Hardening the servers C. Screening routers D. Honeypots
D. Honeypots Explanation: Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems and applications. If honeypots are to be used by an organization, qualified incident handlers and intrusion detection analysts should manage them. The other choices do not provide indications of potential attacks.
****An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access? A. Implement Wired Equivalent Privacy (WEP) B. Permit access to only authorized Media Access Control (MAC) addresses C. Disable open broadcast of service set identifiers (SSID) D. Implement Wi-Fi Protected Access (WPA) 2
D. Implement Wi-Fi Protected Access (WPA) 2 Explanation: Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AES) used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the pre-shared secret key authentication model. Implementing Wired Equivalent Privacy (WEP) is incorrect since it can be cracked within minutes. WEP uses a static key which has to be communicated to all authorized users, thus management is difficult. Also, there is a greater vulnerability if the static key is not changed at regular intervals. The practice of allowing access based on Media Access Control (MAC) addresses is not a solution since MAC addresses can be spoofed by attackers to gain access to the network. Disabling open broadcast of service set identifiers (SSID) is not the correct answer as SSIDs cannot handle access control.
!!!Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? A. Proxy server B. Firewall installation C. Network administrator D. Password implementation and administration
D. Password implementation and administration Explanation: The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, but typically this would not be comprehensive enough to serve on multiple and diverse systems.
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? A. Rewrite the hard disk with random 0s and 1s. B. Low-level format the hard disk. C. Demagnetize the hard disk. D. Physically destroy the hard disk.
D. Physically destroy the hard disk.
Which of the following ensures confidentiality of information sent over the internet? A. Digital signature B. Digital certificate C. Online Certificate Status Protocol D. Private key cryptosystem
D. Private key cryptosystem Explanation: Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentiality. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate.
***Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? A. Analyzer B. Administration console C. User interface D. Sensor
D. Sensor Explanation: Sensors are responsible for collecting data. Analyzers receive input from sensors and determine intrusive activity. An administration console and a user interface are components of an IDS.
****What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)? A. The processes of the external agency should be subjected to an IS audit by an independent agency. B. Employees of the external agency should be trained on the security procedures of the organization. C. Any access by an external agency should be limited to the demilitarized zone (DMZ). D. The organization should conduct a risk assessment and design and implement appropriate controls.
D. The organization should conduct a risk assessment and design and implement appropriate controls. Explanation: Physical access to information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly. The processes of the external agency are not of concern here. It is the agency's interaction with the organization that needs to be protected. Auditing their processes would not be relevant in this scenario. Training the employees of the external agency may be one control procedure, but could be performed after access has been granted. Sometimes an external agency may require access to the processing facilities beyond the demilitarized zone (DMZ). For example, an agency which undertakes maintenance of servers may require access to the main server room. Restricting access within the DMZ will not serve the purpose.
****Distributed denial-of-service (DDoS) attacks on Internet sites are typically carried out by hackers using which of the following? A. Logic bombs B. Phishing C. Spyware D. Trojan horses
D. Trojan horses Explanation: Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDoS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.
What is the BEST approach to mitigate the risk of a phishing attack? A. Implement an intrusion detection system (IDS) B. Assess web site security C. Strong authentication D. User education
D. User education Explanation: Phishing attacks can be mounted in various ways; intrusion detection systems (IDSs) and strong authentication cannot mitigate most types of phishing attacks. Assessing web site security does not mitigate the risk. Phishing uses a server masquerading as a legitimate server. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and e-mail.
Creating which of the following is how a hacker can ensure his ability to return to the hacked system at will? A. rootsec B. checksum C. CRC D. backdoors
D. backdoors Explanation: A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real-world programs have backdoors. Creating backdoors is how a hacker can ensure his ability to return to the hacked system at will.
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as: A. wormnets B. trojannets C. spynets D. botnets E. rootnets F. backdoor
D. botnets Explanation: In order to coordinate the activity of many infected computers, attackers use coordinating systems known as botnets. In a botnet, the malware or mailbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously.
***Fault-tolerance is a feature particularly sought-after in which of the following kinds of computer systems (choose all that apply): A. desktop systems B. laptop systems C. handheld PDAs D. business-critical systems
D. business-critical systems Explanation: Fault-tolerance enables a system to continue operating properly in the event of the failure of some of its parts. It avoids total breakdown, and is particularly sought-after in high-availability environments full of business-critical systems.
!!2 In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides: A. connectionless integrity. B. data origin authentication. C. antireplay service. D. confidentiality.
D. confidentiality. Explanation: Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.
The role of the certificate authority (CA) as a third party is to: A. provide secured communication and networking services based on certificates. B. host a repository of certificates with the corresponding public and secret keys issued by that CA. C. act as a trusted intermediary between two communication partners. D. confirm the identity of the entity owning a certificate issued by that CA.
D. confirm the identity of the entity owning a certificate issued by that CA. Explanation: The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself.
@@Online banking transactions are being posted to the database when processing suddenly comes to a halt. The integrity of the transaction processing is BEST ensured by: A. database integrity checks. B. validation checks. C. input controls. D. database commits and rollbacks.
D. database commits and rollbacks. Explanation: Database commits ensure the data are saved to disk, while the transaction processing is underway or complete. Rollback ensures that the already completed processing is reversed back, and the data already processed are not saved to the disk in the event of the failure of the completion of the transaction processing. All other options do not ensure integrity while processing is underway.
***What is the best defense against Local DoS attacks? A. patch your systems. B. run a virus checker. C. run an anti-spy software. D. find this program and kill it.
D. find this program and kill it. Explanation: Local DoS attacks can be a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files. The best defense is to find this program and kill it.
****Introducing inhomogeneity to your network for the sake of robustness would have which of the following drawbacks? A. poorer performance. B. poor scalability. C. weak infrastructure. D. high costs in terms of training and maintenance.
D. high costs in terms of training and maintenance.
@@Host Based ILD&P primarily addresses the issue of: A. information integrity B. information accuracy C. information validity D. information leakage
D. information leakage
****An efficient use of public key infrastructure (PKI) should encrypt the: A. entire message. B. private key. C. public key. D. symmetric session key.
D. symmetric session key. Explanation: Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve intensive and time-consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric session key is exchanged using public key methods, after which it serves as the secret key for encrypting/decrypting messages sent between two parties.
*****An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.
D. the IDS is used to detect encrypted traffic. Explanation: An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is also expected from a signature-based IDS, because it can only recognize attacks that have been previously identified.
****The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort through: A. the use of risk controls. B. the use of computer assisted functions. C. using computer assisted audit technology tools. D. the development of written guidelines.
D. the development of written guidelines. Explanation: A successful risk-based IT audit program could be based on an effective scoring system. In establishing a scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors should develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee.
An IS auditor doing penetration testing during an audit of internet connections would: A. evaluate configurations. B. examine security settings. C. ensure virus-scanning software is in use. D. use tools and techniques available to a hacker.
D. use tools and techniques available to a hacker. Explanation: Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.
Which of the following are valid examples of Malware (choose all that apply): A. viruses B. worms C. trojan horses D. spyware E. All of the above
E. All of the above
Human error is being HEAVILY relied upon by which of the following types of attack? A. Eavesdropping B. DoS C. DDoS D. APT E. Social Engineering
E. Social Engineering
Integer overflow occurs primarily with: A. string formatting B. debug operations C. output formatting D. input verifications E. arithmetic operations
E. arithmetic operations Explanation: An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space. On some processors the result saturates - once the maximum value is reached attempts to make it larger simply return the maximum result.
Which of the following encryption methods uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message? A. Blowfish B. Tripwire C. certificate D. DES E. one-time pad
E. one-time pad Explanation: It's possible to protect messages in transit by means of cryptography. One method of encryption - the one-time pad - has been proven to be unbreakable when correctly used. This method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. Note that this method is difficult to use securely, and is highly inconvenient as well.
Which of the following methods of encryption has been proven to be almost unbreakable when correctly used? A. key pair B. Oakley C. certificate D. 3-DES E. one-time pad
E. one-time pad Explanation: It's possible to protect messages in transit by means of cryptography. One method of encryption - the one-time pad - has been proven to be unbreakable when correctly used. This method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. Note that this method is difficult to use securely, and is highly inconvenient as well.
Which of the following terms is used more generally for describing concealment routines in a malicious program? A. virus B. worm C. trojan horse D. spyware E. rootkits F. backdoor
E. rootkits Explanation: Rootkits can prevent a malicious process from being reported in the process table, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator access. Today, the term is used more generally for concealment routines in a malicious program.
****Which of the following types of firewall treats each network frame or packet in isolation? A. stateful firewall B. hardware firewall C. combination firewall D. packet filtering firewall E. stateless firewall
E. stateless firewall
****TEMPEST is hardware for which of the following purposes? A. Eavesdropping B. Social engineering C. Virus scanning D. Firewalling E. None of the choices.
Explanation: Any data that is transmitted over a network is at some risk of being eavesdropped upon, or even modified by a malicious person. Even machines that operate as a closed system can be eavesdropped upon by monitoring the faint electromagnetic emissions generated by the hardware, which is what TEMPEST refers to.
@@An IS auditor should be MOST concerned with what aspect of an authorized honeypot? A. The data collected on attack methods B. The information offered to outsiders on the honeypot C. The risk that the honeypot could be used to launch further attacks on the organization's infrastructure D. The risk that the honeypot would be subject to a distributed denial-of-service attack
Explanation: Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise's systems. Choices A and B are purposes for deploying a honeypot, not a concern. Choice D, the risk that the honeypot would be subject to a distributed denial-of-service (DDoS) attack, is not relevant, as the honeypot is not a critical device for providing service.
Which of the following types of attack almost always requires physical access to the targets? A. Direct access attack B. Wireless attack C. Port attack D. Window attack E. System attack
Explanation: Direct access attacks make use of common consumer devices that can be used to transfer data surreptitiously. Someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.
!!!3 If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack? A. Router configuration and rules B. Design of the internal network C. Updates to the router system software D. Audit testing and review techniques
Explanation: Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and review techniques are applied after the fact.
@@Which of the following internet security threats could compromise integrity? A. Theft of data from the client B. Exposure of network configuration information C. A Trojan horse browser D. Eavesdropping on the net
Explanation: Internet security threats/vulnerabilities to integrity include a Trojan horse, which could modify user data, memory and messages found in client-browser software. The other options compromise confidentiality.
***Software is considered malware based on: A. the intent of the creator. B. its particular features. C. its location. D. its compatibility.
Explanation: Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other malicious and unwanted software.
@@Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? A. Virtual private network B. Dedicated line C. Leased line D. Integrated services digital network
Explanation: The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.
!!!2 Which of the following is BEST suited for secure communications within a small group? A. Key distribution center B. Certification authority C. Web of trust D. Kerberos Authentication System
Explanation: Web of trust is a key distribution method suitable for communication in a small group. It ensures pretty good privacy (PGP) and distributes the public keys of users within a group. Key distribution center is a distribution method suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. Certification authority is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. A Kerberos Authentication System extends the function of a key distribution center, by generating tickets to define the facilities on networked machines which are accessible to each user.
You should keep all computer rooms at reasonable humidity levels, which are in between: A. 20 - 70 percent. B. 10 - 70 percent. C. 10 - 60 percent. D. 70 - 90 percent. E. 60 - 80 percent.
Explanation: You should keep all computer rooms at reasonable temperatures, which is in between 60 - 75 degrees Fahrenheit or 10 - 25 degrees Celsius. You should also keep humidity levels at 20 - 70 percent.
Which of the following is a tool you can use to simulate a big network structure on a single computer? A. honeymoon B. honeytrap C. honeytube D. honeyd
Explanation: honeyd is a GPL licensed software you can use to simulate a big network structure on a single computer.
Which of the following refers to a method of bypassing normal system authentication procedures? A. virus B. worm C. trojan horse D. spyware E. rootkits F. backdoor
F. backdoor Explanation: A backdoor is a method of bypassing normal authentication procedures. Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers prefer to use either a Trojan horse or a computer worm.