November 6th Domain 5 100 questions 45%

Which of the following results in a denial-of-service (DoS) attack? A. Brute force attack B. Ping of death C. Leapfrog attack D. Negative acknowledgement (NAK) attack

You answered A. The correct answer is B. A. A brute force attack is typically a text attack that exhausts all possible key combinations used against encryption keys or passwords. B. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. C. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. D. A negative acknowledgment (NAK) is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)? A. Circuit gateway B. Application gateway C. Packet filter D. Screening router

You answered A. The correct answer is B. A. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization's network. B. An application gateway firewall is effective in preventing applications such as File Transfer Protocols (FTPs) from entering the organization's network. C. A packet filter firewall or screening router will allow or prevent access based on IP packets/address. D. A screening router is not able to effectively control application level security.

An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web sites for the company. Which of the following choices would be the HIGHEST risk? A. Expired digital certificates B. Self-signed digital certificates C. Using the same digital certificate for multiple web sites D. Using 56-bit digital certificates

You answered A. The correct answer is B. A. An expired certificate leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower. B. Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack. C. Using the same digital certificate is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites. D. 56-bit digital certificates may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

An IS auditor is reviewing access for an accounting system and notices a segregation of duties issue; however, the business is small and additional workers are not available. What is the BEST recommended compensating control in this situation? A. Implementing role-based access B. Reviewing audit trails C. Performing periodic access reviews D. Reviewing the error log

You answered A. The correct answer is B. A. Implementing role-based access would be beneficial; however, in this situation it would not be effective because resources are limited and the same person may need to fill multiple roles. B. Reviewing audit trails would be the best compensating control for a segregation of duties issue that cannot be eliminated by adding employees. C. Performing periodic access reviews will help to ensure that access is appropriate; however, reviewing audit trails would be a better choice. D. Error log review will only help to identify errors, whereas audit trails would monitor employee activities.

In Internet Protocol Security (IPSec), which of the following PRIMARILY provides data protection? A. Semantic net B. Encapsulated security payload (ESP) C. Authentication header (AH) D. Digital signature

You answered A. The correct answer is B. A. Semantic nets are part of artificial intelligence and would not help in data protection. B. Internet Protocol Security (IPSec) works on two basic packet components—encapsulated security payload (ESP) and authentication header (AH). ESP encrypts the data and stores them in an encapsulated security payload packet component for data protection. C. Though essential, AHs manage the authentication process, not the security of the data. D. Digital signatures are not used in IPSec and, thus, will not provide data protection.

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? A. Internet protocol (IP) spoofing B. Phishing C. Structured query language (SQL) injection D. Denial-of-service (DoS)

You answered A. The correct answer is B. A. The URL is based on hypertext transmission protocol (HTTP); IP spoofing is used to change the source IP address in a transmission control protocol/Internet protocol (TCP/IP) packet, not in the HTTP protocol. B. URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. C. Although URL shortening services can be used to perform structured query language (SQL) injections, their primary risk is being used for phishing. D. Denial-of-service (DoS) attacks are not affected by URL shortening services.

Which of the following is an example of the defense in-depth security principle? A. Using two firewalls to consecutively check the incoming network traffic B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Having no physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic

You answered A. The correct answer is B. A. Use of two firewalls would not represent an effective defense in-depth strategy because the same attack could circumvent both devices. By using two different products, the probability of both products having the same vulnerabilities is diminished. B. Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. C. Having no physical signs on the outside of a computer center building is a single security measure known as security by obscurity. D. Using two firewalls in parallel to check different types of incoming traffic provides redundancy but is only a single security mechanism and, therefore, no different than having a single firewall checking all traffic.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? A. Actions on log files should be tracked in another log. B. Write access to audit logs should be disabled. C. Only select personnel should have rights to view or delete audit logs. D. Backups of audit logs should be performed periodically.

You answered A. The correct answer is C. A. Having additional copies of log file activity would not prevent the original log files from being deleted. B. For servers and applications to operate correctly, write access cannot be disabled. C. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. D. Frequent backups of audit logs would not prevent the logs from being deleted.

Which of the following exposures associated with the spooling of sensitive reports for offline printing should an IS auditor consider to be the MOST serious? A. Sensitive data can be read by operators. B. Data can be amended without authorization. C. Unauthorized report copies can be printed. D. Output can be lost in the event of system failure.

You answered A. The correct answer is C. A. Operators often have high-level access as a necessity to perform their job duties. This is addressed through compensating controls. B. Data on spool files are no easier to amend without authority than any other file. C. Unless controlled, spooling for offline printing may enable additional copies to be printed. D. In the event of a system failure it is usually possible to recreate reports or recover them from backup.

When auditing a proxy-based firewall, an IS auditor should: A. verify that the firewall is not dropping any forwarded packets. B. review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and Internet protocol (IP) addresses. C. verify that the filters applied to services such as hypertext transmission protocol (HTTP) are effective. D. test whether routing information is forwarded by the firewall.

You answered A. The correct answer is C. A. The firewall will permit or deny traffic according to its rules. It should drop unacceptable traffic. B. Address Resolution Protocol (ARP) tables are used by a switch to map media access control (MAC) addresses to IP addresses. This is not a proxy firewall function. C. A proxy-based firewall works as an intermediary (proxy) between the service or application and the client. It makes a connection with the client and opens a different connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections. Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between MAC and IP addresses is a task for protocols such as address resolution protocol (ARP)/reverse address resolution protocol (RARP). D. A proxy-based firewall is not used to forward routing information.

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

You answered A. The correct answer is C. A. While untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: A. recommend that mandatory access control (MAC) be implemented. B. report this as an issue. C. report this issue to the data owners to determine whether it is an exception. D. not report this issue because discretionary access controls (DACs) are in place.

You answered A. The correct answer is D. A. Recommending mandatory access control (MAC) is not correct because it is more appropriate for data owners to have discretionary access controls (DAC) in a low-risk application. B. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. C. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue. D. DAC allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? A. Symmetric key encryption B. Digital signatures C. Message digest algorithms D. Digital certificates

You answered A. The correct answer is D. A. Symmetric key encryption uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation. B. Digital signatures provide message integrity and nonrepudiation; however, confidentiality is not provided. C. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation. D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.

The implementation of access controls FIRST requires: A. a classification of IS resources. B. the labeling of IS resources. C. the creation of an access control list (ACL). D. an inventory of IS resources.

You answered A. The correct answer is D. A. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. B. Labeling resources cannot be done without first determining the resources' classifications. C. The access control list (ACL) would not be done without a meaningful classification of resources. D. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.

A company determined that its web site was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? A. A host-based intrusion prevention system (IPS) B. A network-based intrusion detection system (IDS) C. A firewall D. Operating system (OS) patching

You answered B. The correct answer is A. A. A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator. B. A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access to an exploit unknown to the IDS, it will go undetected. A web server exploit performed through the web application itself, such as a Structured Query Language (SQL) injection attack, would not appear to be an attack to the network-based IDS. C. A firewall by itself does not protect a web server because the ports required for users to access the web server must be open in the firewall. Web server attacks are typically performed over the same ports that are open for normal web traffic. Therefore, a firewall does not protect the web server. D. Operating system (OS) patching will make exploitation of the server more difficult for the attacker and less likely. However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched server vulnerabilities, and the host-based IPS should detect any attempts to change files on the server, regardless of how access was obtained.

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat.

You answered B. The correct answer is A. A. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. B. Forwarding the security alert is not harmful to the organization. C. Implementing individual solutions is unlikely and inefficient, but not a serious risk. D. Users failing to understand the threat would not be a serious concern.

The FIRST step in a successful attack to a system would be: A. gathering information. B. gaining access. C. denying services. D. evading detection.

You answered B. The correct answer is A. A. Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack. B. Once attackers have discovered potential vulnerabilities through information gathering, they will usually attempt to gain access. C. An attacker will usually launch a denial of service as one of the last steps in the attack. D. When attackers have gained access and possibly infected the victim with a rootkit, they will delete audit logs and take other steps to hide their tracks.

The IS auditor has been informed by the security administrator that the virus scanner is updated in real time. The IS auditor confirms that the virus scanner has been configured to update automatically. What is the NEXT step for the IS auditor to confirm that the control is effective? A. Confirm the current version of the virus signature file with the vendor. B. Review the log files, and confirm that the virus signature file was updated. C. Request a confirmation from the security administrator about the most recent update to the virus signature file. D. The IS auditor's work is adequate, and no further work is required.

You answered B. The correct answer is A. A. The IS auditor is able to use externally provided information to confirm that the most recent vendor-provided virus signature file has been automatically updated in the scanner. B. Reviewing the log files and confirming that the virus signature file was updated only suggests that an update was performed, but not that this is the latest version. The latest version of the virus signature file available should be installed in real time. C. Confirmation is requested from the security administrator about the most recent update to the virus signature file, and the information is provided internally by the security administrator. It is not as reliable as that from an external source. D. Inspection only indicates that the control has been implemented and not necessarily that it is operating effectively.

Which of the following is an advantage of elliptic curve encryption (ECC) over RSA encryption? A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Message integrity controls

You answered B. The correct answer is A. A. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA. B. Both encryption methods support digital signatures. C. Both encryption methods are used for public key encryption and distribution. D. Both ECC and RSA offer message integrity controls.

Web and email filtering tools are PRIMARILY valuable to an organization because they: A. protect the organization from viruses and nonbusiness materials. B. maximize employee performance. C. safeguard the organization's image. D. assist the organization in preventing legal issues

You answered B. The correct answer is A. A. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email. B. Maximizing employee performance could be true in some circumstances (i.e., it would need to be implemented along with an awareness program so that employee performance can be significantly improved). However, the primary benefit is protecting the organization from viruses and nonbusiness activity. C. Safeguarding the organization's image is a secondary benefit. D. Preventing legal issues is important, but not the primary reason for filtering.

Which of the following is the MOST reliable sender authentication method? A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code

You answered B. The correct answer is C. A. Digital signatures are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate. B. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. C. Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. D. Message authentication code is used for message integrity verification.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.

You answered B. The correct answer is C. A. In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties. B. Spoofing is an active attack. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source. C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. D. In masquerading, the intruder presents an identity other than the original identity. This is an active attack.

An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? A. Ensure that ports 80 and 443 are blocked at the firewall. B. Inspect file and access permissions on all servers to ensure that all files have read-only access. C. Perform a web application security review. D. Make sure that only the IP addresses of existing customers are allowed through the firewall.

You answered B. The correct answer is C. A. Port 80 must be open for a web application to work and port 443 for a secured hypertext transmission protocol (HTTPS) to operate. B. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. C. Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. D. Restricting IP addresses might be appropriate for some types of web applications, but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

Which of the following is the MOST effective type of antivirus software to detect an infected application? A. Scanners B. Active monitors C. Integrity checkers D. Vaccines

You answered B. The correct answer is C. A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files. C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective? A. Run a low-level data wipe utility on all hard drives. B. Erase all data file directories. C. Format all hard drives. D. Physical destruction of the hard drive.

You answered B. The correct answer is D. A. Running a low-level data wipe utility may leave some residual data that could be recovered. B. Erasing data directories is easily reversed, exposing all data on the drive to unauthorized individuals. C. Formatting hard drives is easily reversed, exposing all data on the drive to unauthorized individuals. D. The most effective method of rendering data irrecoverable is physical destruction of the storage media.

An IS auditor is reviewing the access control list (ACL) of active network users. Which of the following types of user IDs should be of GREATEST concern? A. Test or training user IDs B. Shared IDs C. Administrative IDs D. User IDs of past employees

You answered B. The correct answer is D. A. Test or training user IDs could be a concern. However, it is unlikely that their access privileges are greater than a real user, and therefore they pose less of an overall risk. B. The use of shared IDs, while not a best practice, is not as great a risk as having a terminated employee with access to the network. There can be many situations in which a shared ID is necessary. The risk with shared IDs is that accountability cannot be established. C. Administrative IDs are commonly found on a network and are not cause for concern. D. If a user's network ID is not disabled on termination, the user or other unauthorized individual could potentially gain access to the network. User IDs of past employees pose the greatest risk because users can access the network via the Internet. In addition, many applications rely on network credentials to identify and authenticate access.

Which of the following is the BEST control over a guest wireless ID that is given to vendor staff? A. Assignment of a renewable user ID which expires daily B. A write-once log to monitor the vendor's activities on the system C. Utilization of a user ID format similar to that used by employees D. Ensuring that wireless network encryption is configured properly

You answered C. The correct answer is A. A. A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization. B. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventive control. C. The user ID format does not change the overall security of the wireless connection. D. Controls related to the encryption of the wireless network are important; however, the access to that network is a more critical issue.

What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers.

You answered C. The correct answer is A. A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. B. Implementing a two-factor authentication would prevent unauthorized access to the database, but would not record the activity of the user when using the database. C. Using table views would restrict users from seeing data that they should not be able to see, but would not record what users did with data they were allowed to see. D. Separating database and application servers may help in better administration or even in implementing access controls, but does not address the accountability issues.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies

You answered C. The correct answer is A. A. Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. B. Surge protection devices protect against high-voltage bursts. C. Alternative power supplies are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. D. An interruptible power supply would cause the equipment to come down whenever there was a power failure.

The sender of a public key would be authenticated by a: A. certificate revocation list (CRL). B. digital signature. C. digital certificate. D. receiver's private key.

You answered D. The correct answer is C. A. A certificate revocation list (CRL) is the list of certificates that can no longer be trusted. B. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. D. The sender's public key cannot be opened by any key except the sender's private key.

Which of the following would be the BEST access control procedure? A. The data owner formally authorizes access and an administrator implements the user authorization tables. B. Authorized staff implements the user authorization tables and the data owner sanctions them. C. The data owner and an IS manager jointly create and update the user authorization tables. D. The data owner creates and updates the user authorization tables.

You answered C. The correct answer is A. A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner. B. The owner sets the rules and conditions for access. It is best to obtain approval before implementing the tables. C. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner. The IS department should set up the access control tables at the direction of the owner. D. The data owner would not usually manage updates to the authorization tables.

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is: A. parameter tampering. B. cross-site scripting. C. cookie poisoning. D. stealth commanding.

You answered C. The correct answer is A. A. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering. B. Cross-site scripting involves the compromise of the web page to redirect users to content on the attacker web site. The use of hidden fields has no impact on the likelihood of a cross-site scripting attack because these fields are static content that cannot ordinarily be modified to create this type of attack. Web applications use cookies to save session state information on the client machine so that the user does not need to log on every time a page is visited. C. Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. *Picked Last time D. Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most common server exploits involve vulnerabilities of the server operating system or web server.

Reverse proxy technology for web servers should be deployed if: A. hypertext transmission protocol (HTTP) server addresses must be hidden. B. accelerated access to all published pages is required. C. caching is needed for fault tolerance. D. bandwidth to the user is limited.

You answered C. The correct answer is A. ***REVIEW*** A. Reverse proxies are primarily designed to hide physical and logical internal structures from outside access. Complete Uniform Resource Locators (URLs) or Uniform Resource Identifiers (URIs) can be partially or completely redirected without disclosing which internal or demilitarized zone (DMZ) server is providing the requested data. This technology might be used if a trade-off between security, performance and costs has to be achieved. Proxy servers cache some data but normally cannot cache all pages to be published because this depends on the kind of information the web servers provide. B. The ability to accelerate access depends on the speed of the back-end servers, i.e., those that are cached. Thus, without making further assumptions, a gain in speed cannot be assured, but virtualization and hiding of internal structures can. If speed is an issue, a scale-out approach (avoiding adding additional delays by passing firewalls, involving more servers, etc.) would be a better solution. C. Due to the limited caching option, reverse proxies are not suitable for enhancing fault tolerance. D. User requests that are handled by reverse proxy servers are using exactly the same bandwidth as direct requests to the hosts providing the data.

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? A. Stateful inspection firewall B. Web content filter C. Web cache server D. Proxy server

You answered C. The correct answer is B. A. A stateful inspection firewall is of little help in filtering web traffic because it does not review the content of the web site, nor does it take into consideration the site's classification. B. A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. C. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. D. A proxy server is incorrect because a proxy server services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.

Which of the following preventive controls BEST helps secure a web application? A. Password masking B. Developer training C. Encryption D. Vulnerability testing

You answered C. The correct answer is B. A. Password masking is a necessary preventive control, but is not the best way to secure an application. B. Of the given choices, teaching developers to write secure code is the best way to secure a web application. C. Encryption will protect data, but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices. D. Vulnerability testing can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.

When reviewing an implementation of a Voice-over Internet Protocol (VoIP) system over a corporate wide area network (WAN), an IS auditor should expect to find: A. an integrated services digital network (ISDN) data link. B. traffic engineering. C. wired equivalent privacy (WEP) encryption of data. D. analog phone terminals.

You answered C. The correct answer is B. A. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of services required for corporate Voice-over Internet Protocol (VoIP) services. B. To ensure that quality of service requirements are achieved, the VoIP service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed to provide quality of service (QoS) and class of service (CoS) support using statistical techniques such as traffic engineering. C. Wired equivalent privacy (WEP) is an encryption scheme related to wireless networking. D. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

Which of the following is the GREATEST concern for an IS auditor reviewing the security controls of an online job-search application? A. The web server is running an unsupported operating system (OS) and web server application. B. The web application has a Structured Query Language (SQL) injection vulnerability. C. The firewall has port 80 (HTTP), port 443 (HTTPS) and port 23 (Telnet) open. D. The access to the web server and its database have only minimal logging enabled.

You answered C. The correct answer is B. A. While outdated versions of the OS or web server can allow some vulnerabilities to exist, the more significant risk in this case is the SQL injection vulnerability. B. The biggest risk to any web application is security vulnerabilities that allow unvalidated input to be passed from the interface to the back-end system. An SQL injection vulnerability in a database-driven web application is a significant risk and is the greatest concern. C. While having unnecessary firewall ports open increases the security risk, the greater risk is that a vulnerability exists that can be accessed through the application. Therefore, the SQL injection vulnerability is the more significant risk. D. While maintaining audit logs is an important method to detect security intrusion attempts and application errors, having log configuration settings set to a high level may impact performance. Often, logging may be set to a minimal level for performance reasons. The more significant concern in this case is the SQL injection vulnerability.

The MOST effective control for addressing the risk of piggybacking is: A. a single entry point with a receptionist. B. the use of smart cards. C. a biometric door lock. D. a mantrap.

You answered C. The correct answer is D. A. A receptionist can prevent piggybacking, but is often subject to distraction or social engineering. B. A smart card may be used by an unauthorized person if it is lost or stolen, and an unauthorized person may be able to follow an authorized person into a facility if there are no other controls. C. A biometric door lock will not stop an unauthorized person from following an authorized person into a facility. D. Mantrap doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking).

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

You answered C. The correct answer is D. A. Digitalized signatures are the scans of a signature (not the same as a digital signature) and not related to digital rights management. B. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing. D. Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities.

An IS auditor observed brute force attacks on the administrator account. The BEST recommendation to prevent a successful brute force attack would be to: A. increase the password length for the user. B. configure a session timeout mechanism. C. perform periodic vulnerability scans. D. configure a hard-to-guess username.

You answered C. The correct answer is D. A. Increasing the password length is not as good as having a username that cannot be discovered. B. Session timeouts do not prevent unauthorized access. C. Vulnerability scans typically test for default usernames and passwords and are a good detective control, but performing periodic vulnerability scans does not prevent brute force attacks. D. Knowledge of both a username and password is required to successfully compromise an account using brute force attack. If a username is guessable, brute force attacks are much more feasible.

Which of the following is the MOST common concern for an IS auditor regarding audit logs? A. Logs can be examined only by system administrators. B. Logs require special tools for collection and review. C. Logs are typically not backed up regularly. D. Logs are collected but not analyzed.

You answered C. The correct answer is D. A. Logs can be accessed and reviewed by authorized personnel with a minimal amount of training; however, in most cases no one is reviewing the logs on a regular basis. B. Log analysis tools range from simple filters to complex security event and incident management (SEIM) systems. C. Logs are rarely backed up and may be subject to alteration by administrators. D. One of the most common problems with audit logs is that they are collected but not analyzed. In most circumstances, audit logs are reviewed only in the case of an incident, error or exception.

Which of the following is the MOST effective access control to help ensure confidentiality of a classified system? A. Network access control (NAC) B. Public key infrastructure (PKI) C. Discretionary access control (DAC) D. Mandatory access control (MAC)

You answered C. The correct answer is D. A. Network access control (NAC) is at the network level and limits system access to a network. B. Public key infrastructure (PKI) is used for public key/private key encryption. While PKI can be stored in the authorization mechanism by itself, it is not an access control. C. Discretionary access control (DAC) is a protection that may be activated or modified by the data owner, at the owner's discretion. This is the most common form of access control but not the strongest. D. Mandatory access control (MAC) is an expensive but very strong form of access control based on the policies of the organization and strict procedures. This is a typically effective preventive access control.

Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a: A. feedback error control. B. block sum check. C. forward error control. D. cyclic redundancy check.

You answered D. The correct answer is C. A. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. B. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. This is a detection method, not an error correction method. C. Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors. D. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted. This is a detection method, not an error correction method.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? A. User registration and password policies B. User security awareness C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Domain name system (DNS) server security hardening

You answered C. The correct answer is D. A. User registration and password policies cannot mitigate pharming attacks because they do not prevent manipulation of domain name system (DNS) records. B. User security awareness cannot mitigate pharming attacks because it does not prevent manipulation of DNS records. C. The use of intrusion detection/intrusion prevention systems (IDSs/IPSs) cannot mitigate pharming attacks because they do not prevent manipulation of DNS records. D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

When are errors in the process of granting logical access to a financial accounting application MOST likely to be identified? A. During an IS audit B. After implementation of an identity management solution C. During account reconciliations D. During periodic review of access by the business owner

You answered C. The correct answer is D. A. While an IS audit may identify instances of inappropriate access, it should be the business owner who would identify that issue first. B. Presence of an identity management application is not a prerequisite for carrying out a review of the access list. C. Account reconciliations assess the validity, correctness or appropriateness of the account balance at a specific point in time, but do not review user access privileges. D. Periodic review of the access list by the business owner should determine whether errors in granting access have occurred.

The MOST common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. B. receiving trap messages. C. reject-error rates. D. denial-of-service (DoS) attacks.

You answered D. The correct answer is A. A. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive. B. Trap messages are generated by the Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. C. Reject-error rate is related to biometric technology and is not related to IDSs. D. Denial-of-service (DoS) is a type of attack and is not a problem in the operation of IDSs because an IDS only captures data and does not affect traffic.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. This practice: A. reduces the risk of unauthorized access to the network. B. is not suitable for small networks. C. automatically provides an IP address to anyone. D. increases the risk associated with Wireless Encryption Protocol (WEP).

You answered D. The correct answer is A. A. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access. B. DHCP is suitable for networks of all sizes from home networks to large complex organizations. C. DHCP does not provide IP addresses when disabled. D. Disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in Wireless Encryption Protocol (WEP).

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy B. Wavelength can be absorbed by the human body C. RFID tags may not be removable D. RFID eliminates line-of-sight reading

You answered D. The correct answer is A. A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. B. That wavelength can be absorbed by the human body is a concern of less importance. C. That RFID tags may not be removable is a concern of less importance than the violation of privacy. D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.

An IS auditor is reviewing the expansion plans for an organization that is opening a new office about 80 meters away from its existing facility. The plan is to implement fiber-optic cabling within the new facility and it has been determined that a 100-meter, Category 5 (Cat 5), unshielded twisted-pair (UTP) cable can be installed to provide the connectivity between both buildings. What is the PRIMARY risk that the IS auditor should identify with this expansion plan? A. The link between buildings may not meet the long-term business requirements. B. The fiber-optic cabling will be expensive to install and maintain. C. The implementation plan may not be achievable. D. The new building is too close to the existing facility (a single disaster could destroy both sites).

You answered D. The correct answer is A. A. Using Cat 5 unshielded twisted-pair (UTP) cabling for the link between the two buildings may meet short-term bandwidth requirements but, over time, additional new requirements may drive the need for more bandwidth that may not be delivered over UTP. The Cat 5 UTP can deliver an effective bandwidth of 100 Mbs within a 100-meter range. Fiber-optic cable would be the best choice for this solution. B. Fiber-optic cable is difficult and expensive to install; however, the cost incurred by using fiber-optic cable does not present as significant a risk compared with the use of UTP cable for the link between buildings. C. Based on the scenario given, there is no issue with respect to the plan being achievable. D. The new building is very close to the old one and the risk that a disaster could destroy both buildings is real, and potentially significant, but not very likely depending on the type of disaster to which the area is subject.

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? A. A denial-of-service (DoS) attack B. Spoofing C. Port scanning D. A man-in-the-middle attack

You answered D. The correct answer is B. A. A denial-of-service (DoS) attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once. B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network, but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources. C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address. D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead might be designed to hijack an authorized connection between a workstation and the payroll server.

The GREATEST benefit of having well-defined data classification policies and procedures is: A. a more accurate inventory of information assets. B. a decreased cost of controls. C. a reduced risk of inappropriate system access. D. an improved regulatory compliance.

You answered D. The correct answer is B. A. A more accurate inventory of information assets is a benefit, but would not be the greatest benefit of the choices listed. B. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, more costly than is required based on the data classification. C. Classifying the data may assist in reducing the risk of inappropriate system access, but that would not be the greatest benefit. D. Improved regulatory compliance would be a benefit; however, achieving a cost reduction would be a greater benefit.

An IS auditor is working with the database administrator (DBA) group to mitigate risk associated with individual users who have direct access to SQL databases. The IS auditor recommends using Lightweight Directory Access Protocol (LDAP) groups. What approval should be required to ensure least privilege? A. Manager approval B. Database owner approval C. System administrator approval D. Database administrator (DBA) approval

You answered D. The correct answer is B. A. Although manager approval is typically required, there are times when the manager may think a user requires full access, but the database owner does not agree. B. Requiring database owner approval will ensure that after the group is created only users who require access will be added. The group owner would be the data owner and would be the best person to understand access needs. C. The system administrator would not be in the best position to know what access is needed. D. Database administrator (DBA) approval would not be able to appropriately determine access for users. DBAs have expertise with databases and they would not necessarily understand the security required for the data.

An IS auditor reviewing access controls for a client-server environment should FIRST: A. evaluate the encryption technique. B. identify the network access points. C. review the identity management system. D. review the application level access controls.

You answered D. The correct answer is B. A. Evaluating encryption techniques would be performed at a later stage of the review. B. A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. C. Reviewing the identity management system would be performed at a later stage of the review. D. Reviewing the application level access controls would be performed at a later stage of the review.

An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor's report? A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. B. Both fire suppression systems present a risk of suffocation when used in a closed room. C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper). D. The documentation binders should be removed from the equipment room to reduce potential risk.

You answered D. The correct answer is B. A. The Montreal Protocol allows existing halon installations to remain, although some countries may have laws that require its removal. B. Protecting people's lives should always be of highest priority in fire suppression activities. CO2 and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries, installing or refilling halon fire suppression systems is not allowed. C. CO2 extinguishers can be used on most types of fires, and their use in a server room would be appropriate. D. Although not of highest priority, removal of the documentation would probably reduce some of the risk.

Which of the following provides the GREATEST assurance of message authenticity? A. The hash code is derived mathematically from the message being sent. B. The hash code is encrypted using the sender's private key. C. The hash code and the message are encrypted using the secret key. D. The sender attains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.

You answered D. The correct answer is B. A. The hash itself proves integrity, but unless it is protected by signing it with a private key it can be altered in transit. B. Encrypting the hash code using the sender's private key provides assurance of the authenticity of the message and prevents anyone from being able to alter the hash code. C. Encrypting the hash and the message will provide confidentiality of the message and protect the hash from alteration, but will not provide proof of origin or authenticity of the sender because the secret key is shared by both the sender and receiver. D. If a sender uses the receiver's public key, that will provide confidentiality, but it will not ensure authenticity of the sender.

Which of the following types of firewalls would BEST protect a network from an Internet attack? A. Screened subnet firewall B. Application filtering gateway C. Packet filtering router D. Circuit-level gateway

You are correct, the answer is A. A. A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network. B. Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a packet level. This would be the best solution to protect an application but not a network. C. A packet filtering router examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control. D. A circuit level gateway, such as a Socket Secure (SOCKS) server, will protect users by acting as a proxy, but is not the best defense for a network.

The MOST important difference between hashing and encryption is that hashing: A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end.

You are correct, the answer is A. A. Hashing works one way—by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. B. Hashing creates a fixed-length output that is usually smaller than the original message, and encryption creates an output that is usually the same length as the original message. C. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. D. Encryption may use different keys or a reverse process at the sending and receiving ends to encrypt and decrypt.

Which of the following would BEST describe encrypting and decrypting data using an asymmetric encryption algorithm? A. Use the receiver's private key to decrypt data encrypted by the receiver's public key. B. Use the sender's private key to decrypt the data. C. Use the receiver's public key to decrypt the data encrypted by the sender's private key. D. Use the sender's public key to both encrypt and decrypt the data.

You are correct, the answer is A. A. In asymmetric encryption, if the message was encrypted by the receiver's public key, it can only be decrypted by the receiver's private key. B. The recipient would not have access to the sender's private key to decrypt the data. C. If the data were encrypted with the sender's private key, the recipient's public key could not decrypt them. D. In asymmetric cryptography, the keys operate as a pair, and using the sender's public key for both operations would not be possible.

From a control perspective, the PRIMARY objective of classifying information assets is to: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses.

You are correct, the answer is A. A. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset. B. Not all information needs to be protected through access controls. Overprotecting data would be expensive. C. The classification of information is usually based on the risk assessment, not the other way around. D. Insuring assets is valid; however, this is not the primary objective of information classification.

An IS auditor wishes to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness? A. Observation of a logged event B. Review of the procedure manual C. Interview with management D. Interview with security personnel

You are correct, the answer is A. A. Observation of the process to reset an employee's security access to the server room and the subsequent logging of this event provide the best evidence of the adequacy of the physical security control. B. Although reviewing the procedure manual can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. C. Although interviewing management can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control. D. Although interviewing security personnel can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control.

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support Voice-over Internet Protocol (VoIP) communication via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions

You are correct, the answer is A. A. Reliability and quality of service (QoS) are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service (CoS) controls. B. The company currently has a virtual private network (VPN); authentication has been implemented by the VPN using tunneling. C. Privacy of voice transmissions is provided by the VPN protocol. D. The company currently has a VPN; confidentiality of both data and Voice-over Internet Protocol (VoIP) traffic has been implemented by the VPN using tunneling.

A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format.

You are correct, the answer is A. A. The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message. B. The message digest does not define the algorithm; it is there to ensure integrity. C. The message digest does not confirm the identity of the user; it is there to ensure integrity. D. The message digest does not enable the transmission in digital format; it is there to ensure integrity.

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? A. Corruption of the address resolution protocol (ARP) cache in Ethernet switches B. Use of a default administrator password on the analog phone switch C. Deploying virtual local area networks (VLANs) without enabling encryption D. End users having access to software tools such as packet sniffer applications ware utilities of this type is not a risk.

You are correct, the answer is A. **Review*** A. On an Ethernet switch there is a data table known as the address resolution protocol (ARP) cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic. B. VoIP systems do not use analog switches and inadequate administrator security controls would not be an issue. C. VoIP data are not normally encrypted in a LAN environment because the controls regarding VLAN security are adequate. D. Most software tools such as packet sniffers cannot make changes to LAN devices, such as the VLAN configuration of an Ethernet switch used for VoIP. Therefore, the use of soft

Which of the following would MOST effectively control the usage of universal storage bus (USB) devices? A. Policies that require instant dismissal if such devices are found B. Software for tracking and managing USB storage devices C. Administratively disabling the USB port D. Searching personnel for USB storage devices at the facility's entrance

You are correct, the answer is B. A. A policy requiring dismissal may result in increased employee attrition and business requirements would not be properly addressed. B. Software for centralized tracking and monitoring would allow a universal storage bus (USB) usage policy to be applied to each user based on allowed devices and possibly requiring encryption. This would provide for monitoring and reporting exceptions to management. C. Disabling ports would be complex to manage and might not allow for new business needs. D. Searching of personnel for USB storage devices at the entrance to a facility is not a practical solution because these devices are small and could be easily hidden.

An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure? A. The corporate network is using an intrusion prevention system (IPS). B. This part of the network is isolated from the corporate network. C. A single sign-on has been implemented in the corporate network. D. Antivirus software is in place to protect the corporate network.

You are correct, the answer is B. A. An intrusion prevention system (IPS) may stop an attack but it would be far better to restrict the ability of machines in the conference rooms from being able to access the corporate network altogether. B. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated. C. A single sign-on solution is used for access control, but would not still leave a risk when unauthorized people have physical access to the corporate network. D. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

An organization's IT director has approved the installation of a wireless local area network (WLAN) access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that: A. encryption is enabled on the access point. B. the conference room network is on a separate virtual local area network (VLAN). C. antivirus signatures and patch levels are current on the consultants' laptops. D. default user IDs are disabled and strong passwords are set on the corporate servers.

You are correct, the answer is B. A. Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network. B. The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network (VLAN) is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users. C. Antivirus signatures and patch levels are good practices, but not as critical as preventing network access via access controls for the corporate servers. D. Protecting the organization's servers through good passwords is best practice, but it is still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network they could use password cracking tools against other corporate machines.

When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? A. There is no registration authority (RA) for reporting key compromises. B. The certificate revocation list (CRL) is not current. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. D. Subscribers report key compromises to the certificate authority (CA).

You are correct, the answer is B. A. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). B. If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures; therefore, this is not a risk. D. Subscribers reporting key compromises to the CA is not a risk because reporting this to the CA enables the CA to take appropriate action.

An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control? A. User-level permissions B. Role-based C. Fine-grained D. Discretionary

You are correct, the answer is B. A. User-level permissions for an enterprise resource management (ERP) system would create a larger administrative overhead. B. Role-based access control defines roles for a group of users. Users are assigned to the various roles and access is granted based on the user's role. C. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise. D. Discretionary access control (DAC) is too general of a term to be the appropriate response. In DAC, the data owner makes the decision of who or what is allowed access to a system or data.

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing? A. Virus infection B. Data leakage C. Network performance issues D. Unauthorized software usage

You are correct, the answer is B. A. While peer-to-peer computing does increase the risk of virus infection, the risk of data leakage is more severe, especially if it contains proprietary data or intellectual property. B. Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern. C. Peer-to-peer computing may utilize more network bandwidth and therefore may create performance issues. However, data leakage is a more severe risk. D. Peer-to-peer computing may be used to download or share unauthorized software, which users could install on their PCs unless other controls prevent it. However, data leakage is a more severe risk.

While downloading software, a hash may be provided to: A. ensure that the software comes from a genuine source. B. ensure that the software is the correct revision number. C. ensure that the software has not been modified. D. serve as a license key for paid users of the software.

You are correct, the answer is C. A. A digital signature is used to ensure that software comes from the genuine source. B. The hash value has no relation to the revision number of the software, nor is the hash value used for this purpose. The hash value can be verified by using a software utility that calculates the hash of the downloaded file, which then can be compared to the value displayed on the web site. If these two values match, then the downloaded file is intact and has not been modified. C. Hash values are used as a means to ensure file integrity. The computed hash value for a file will be different if even a single bit within the file has been modified. It is common practice for the hash value to be displayed on the software publisher's web site so that those downloading the application can be certain that the software has not been modified. D. The hash value is not used as a license key.

The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is: A. that there will be too many alerts for system administrators to verify. B. decreased network performance due to IPS traffic. C. the blocking of critical systems or services due to false triggers. D. reliance on specialized expertise within the IT organization.

You are correct, the answer is C. A. A number of false positives may cause excessive administrator workload, but this is a relatively minor risk. B. The intrusion prevention system (IPS) will not generate any traffic that would impact network performance. C. An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the IPS is triggered based on incorrectly defined or nonstandard behavior, it may block the service or connection of a critical internal system. D. Configuring an IPS can take months of learning what is and what is not acceptable behavior, but this does not require specialized expertise.

What is the MOST effective method of preventing unauthorized use of data files? A. Automated file entry B. Tape librarian C. Access control software D. Locked library

You are correct, the answer is C. A. Automated file entry can be used to ensure integrity of data input and that the correct files are accessed by a system, but is not intended to address data file access. B. A tape librarian is used in major systems such as a mainframe and will ensure that backups and other production files are protected; however, this is not applicable for most applications today. C. Access control software is an active control designed to allow authorized access and prevent unauthorized access to data. D. A locked library is a physical control, but it only has limited value.

While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor? A. Availability of customer data B. Integrity of customer data C. Confidentiality of customer data D. System storage performance

You are correct, the answer is C. A. Availability of customer data may be affected during an Internet connection outage, but this is of a lower concern than confidentiality. B. Integrity of customer data is affected only if security controls are weak enough to permit unauthorized modifications to the data, and it may be tracked by logging of changes. Confidentiality of data is a larger concern. C. Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data. D. System storage performance may be a concern due to the volume of data. However, the bigger issue is that the information is protected.

The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: A. data integrity. B. authentication. C. nonrepudiation. D. replay protection.

You are correct, the answer is C. A. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. B. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender. C. Integrity, authentication, nonrepudiation, and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. D. Replay protection is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed).

ABC Inc. offers a number of services through its web site. One day, senior executives of ABC Inc. were surprised to discover that sensitive data on their servers were being leaked to unauthorized individuals on the Internet. Postincident investigations revealed that ABC Inc.'s key servers were infected with a Trojan. The incident occurred after deployment of a newly acquired module from a software vendor, which was tested on test servers in accordance with functional specifications. The incident had gone unnoticed for a period of about four weeks. A potential cause of the leak may have been malware embedded in the new module. Which of the following measures could have prevented communication to dubious hosts? A. Encryption of server data B. Updated antivirus software C. Intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

You are correct, the answer is C. A. Encryption of server data will render the data useless, but will not prevent its illegal flow. B. Updated antivirus software is not always effective in the detection of malware, but intrusion detection/intrusion prevention systems (IDSs/IPSs) are much more likely to detect data leak activity initiated by malware. C. IPSs can prevent network connection to unknown hosts. D. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) will provide confidentiality to data in transit, but will not prevent connection to unauthorized hosts.

Accountability for the maintenance of appropriate security measures over information assets resides with the: A. security administrator. B. systems administrator. C. data and systems owners. D. systems operations group.

You are correct, the answer is C. A. System owners are accountable for systems security, but they typically delegate day-to-day security responsibilities to a security administrator. B. The systems administrator is responsible for operating the system according to the conditions set by the system owner. C. Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. Even though they delegate much of the operational responsibility, owners remain accountable for the maintenance of appropriate security measures. D. System owners typically delegate day-to-day custodianship to the system's delivery/operations group.

An IS auditor is assessing a biometric fingerprint system that protects a data center containing protected health information. The auditor should be MOST concerned with which of the following? A. False rejection rate (FRR) B. Crossover error rate (CER) C. False acceptance rate (FAR) D. Accuracy ratio

You are correct, the answer is C. A. The false rejection rate (FRR) is the probability (or percentage of times) that the system fails to detect a match between the input pattern and a matching template in the database. FRR is the likelihood that a previously authorized individual's biometric print will be incorrectly rejected. This is a fail-safe condition. B. The crossover error rate (CER) is the rate at which accept and reject error rates are equal. CER is an important measure of the accuracy of a biometric system. C. The false acceptance rate (FAR) is the probability (or percentage of times) that the system incorrectly matches the input pattern to a nonmatching template in the database. FAR is the likelihood that an invalid biometric input—from an impostor or unauthorized person—will be incorrectly accepted. This is a fail-unsafe condition, i.e., an unauthorized individual may be granted access. A low FAR is most desirable when it is used to protect highly sensitive data, such as protected health information. D. The accuracy ratio is equal to the CER; it is the rate at which accept and reject error rates are equal and an important measure of the accuracy of a biometric system.

A certificate authority (CA) can delegate the processes of: A. revocation and suspension of a subscriber's certificate. B. generation and distribution of the CA public key. C. establishing a link between the requesting entity and its public key. D. issuing and distributing subscriber certificates.

You are correct, the answer is C. **REVIEW** Total guess A. Revocation and suspension of the subscriber certificate are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. B. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated. C. Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. D. Issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform.

Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been: A. independently time stamped. B. recorded by multiple logging systems. C. encrypted by the most secure algorithm. D. verified to ensure log integrity.

You are correct, the answer is D. A. Independent time stamps are a key requirement in logging. This is one method of ensuring log integrity; however, this does not prevent information from being modified. B. Having multiple logging resources may work to ensure redundancy; however, increased redundancy may not effectively add value to the credibility of log information. C. The strength of the encryption algorithm may improve data confidentiality; however, this does not necessarily prevent data from being modified. D. It is important to assure that log information existed at a certain point of time and it has not been altered. Therefore, evidential credibility of log information is enhanced when there is proof that no one has tampered with this information.

Which of the following is a passive attack to a network? A. Message modification B. Masquerading C. Denial-of-service (DoS) D. Traffic analysis

You are correct, the answer is D. A. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. An attack that modifies the data would be an active attack. B. Masquerading is an active attack in which the intruder presents an identity other than the original identity. C. Denial-of-service (DoS) occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed. This is an active attack. D. The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place.

Which of the following should an IS auditor be MOST concerned about in a financial application? A. Programmers have access to application source code. B. Secondary controls are documented for identified role conflicts. C. The information security officer does not authorize all application changes. D. Programmers have access to the production database.

You are correct, the answer is D. A. Programmers who have access to application source code are not of concern to the IS auditor because programmers need access to source code to do their jobs. B. When segregation of duties conflicts are identified, secondary controls should be in place to mitigate risk. While the IS auditor reviews secondary controls, in this case the greater concern is programmers having access to the production database. C. The information security officer is not likely to authorize all application changes, therefore this is not a concern for an IS auditor. D. Programmers who have access to the production database are considered a segregation of duties conflict and should be of concern to an IS auditor.

Which of the following protocols provides the BEST confidentiality protection for web-based e-commerce transactions while in transit over the Internet? A. Secure Multipurpose Internet Mail Extensions (S/MIME) B. Secure Shell (SSH) C. Secure File Transfer Protocol (SFTP) D. Secure Sockets Layer (SSL)

You are correct, the answer is D. A. Secure Multipurpose Internet Mail Extensions (S/MIME) is a protocol used to secure email messages and cannot be used to protect web traffic. B. Secure Shell (SSH) is a protocol used to establish secure terminal connections between two systems. It does not protect web traffic. C. Secure File Transfer Protocol (SFTP) is a secure encrypted file transfer solution, but it does not provide support for web traffic. D. Secure Sockets Layer (SSL) is a modern cryptographic protocol that may be used to encrypt web communications at the transport layer. A common implementation of SSL is via Hypertext Transfer Protocol Secure (HTTPS).