CISA Questions (701-800)
The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support Voice-over Internet Protocol (VoIP) communication via tunneling. Which of the following considerations should be PRIMARILY addressed? Select an answer: A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions
You answered B. The correct answer is A. A. Reliability and quality of service (QoS) are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service (CoS) controls. B. The company currently has a virtual private network (VPN); authentication has been implemented by the VPN using tunneling. C. Privacy of voice transmissions is provided by the VPN protocol. D. The company currently has a VPN; confidentiality of both data and Voice-over Internet Protocol (VoIP) traffic has been implemented by the VPN using tunneling.
When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation? Select an answer: A. Wiring and schematic diagram B. Users' lists and responsibilities C. Application lists and their details D. Backup and recovery procedures
You answered B. The correct answer is A. A. The wiring and schematic diagram of the network is necessary to carry out a network audit. The IS auditor needs to know what equipment, configuration and addressing is used on the network to perform an audit of the network setup. B. When performing an audit of network setup, the users' lists would not be of value. C. Application lists are not required to audit network configuration. D. Backup and recovery procedures are important but not as important as knowing the network layout.
During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. Which of the following is the PRIMARY reason that this is a concern to the IS auditor? Without ownership there is no responsibility for: Select an answer: A. updating group metadata. B. reviewing existing user access. C. approval of user access. D. removing terminated users.
You answered B. The correct answer is C. A. Updating data about the group is not a great concern when compared to unauthorized access. B. While the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place. C. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group. D. Revoking access to terminated users is a compensating control for the normal termination process and is also a detective control.
Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam? Select an answer: A. Heuristic (rule-based) B. Signature-based C. Pattern matching D. Bayesian (statistical)
You answered B. The correct answer is D. A. Heuristic filtering is less effective because new exception rules may need to be defined when a valid message is labeled as spam. B. Signature-based filtering is useless against variable-length messages because the calculated message-digest algorithm 5 (MD5) hash changes all the time. C. Pattern matching is actually a degraded rule-based technique where the rules operate at the word level using wildcards and not at higher levels. D. Bayesian filtering applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds.
An IS auditor finds that a database administrator (DBA) has read and write access to production data. The IS auditor should: Select an answer: A. accept the DBA access as a common practice. B. assess the controls relevant to the DBA function. C. recommend the immediate revocation of the DBA access to production data. D. review user access authorizations approved by the DBA.
You answered D. The correct answer is B. A. Although granting access to production data to the database administrator (DBA) may be a common practice, the IS auditor should evaluate the relevant controls. B. It is good practice when finding a potential exposure, to look for the best controls. When reviewing privileged accounts, the auditor should look for compensating controls. C. The DBA should have access based on a need-to-know and need-to-do basis, therefore, revocation may remove the access the DBA requires to do his/her job. D. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.
Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)? Select an answer: A. Encrypts the information transmitted over the network B. Makes other users' certificates available to applications C. Facilitates the implementation of a password policy D. Stores certificate revocation lists (CRLs)
You answered D. The correct answer is B. A. Encrypting the information transmitted over the network is a role performed by a security server. B. A directory server makes other users' certificates available to applications. C. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKI). D. Storing certificate revocation lists (CRLs) is a role performed by a security server.
An organization can ensure that the recipients of emails from its employees can authenticate the identity of the sender by: Select an answer: A. digitally signing all email messages. B. encrypting all email messages. C. compressing all email messages. D. password protecting all email messages.
You are correct, the answer is A. A. By digitally signing all email messages, the receiver will be able to validate the authenticity of the sender. B. Encrypting all email messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. C. Compressing all email messages would reduce the size of the message, but would not ensure authenticity. D. Password protecting all email messages would ensure that only those who have the password would be able to open the message; however, it would not ensure authenticity of the sender.
To protect a Voice-over Internet Protocol (VoIP) infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the: Select an answer: A. access control servers. B. session border controllers. C. backbone gateways. D. intrusion detection system (IDS).
You are correct, the answer is B. A. Securing the access control server may prevent account alteration or lockout, but is not the primary protection against denial-of-service (DoS) attacks. B. Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and DoS attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. C. Backbone gateways are isolated and not readily accessible to hackers so this is not a location of DoS attacks. D. Intrusion detection systems (IDSs) monitor traffic, but do not protect against DoS attacks.
In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides: Select an answer: A. connectionless integrity. B. data origin authentication. C. antireplay service. D. confidentiality.
You are correct, the answer is D. A. Both forms of Internet Protocol Security (IPSec), Authentication Header (AH) and Encapsulating Security Payload (ESP), provide connectionless integrity. B. Both AH and ESP authenticate data origin. C. The time stamps used in IPSec will prevent replay attacks. D. Only the ESP protocol provides confidentiality via encryption.
The PRIMARY goal of a web site certificate is: Select an answer: A. authentication of the web site that will be surfed. B. authentication of the user who surfs through that site. C. preventing surfing of the web site by hackers. D. the same purpose as that of a digital certificate.
You answered B. The correct answer is A. A. Authenticating the site to be surfed is the primary goal of a web certificate. B. Authentication of a user is achieved through passwords and not by a web site certificate. C. The site certificate does not prevent hacking nor does it authenticate a person. D. Web site certificates may serve the same purpose as a digital certificate, but the goal of certificates is authentication.
Which of the following functions is performed by a virtual private network (VPN)? Select an answer: A. Hiding information from sniffers on the net B. Enforcing security policies C. Detecting misuse or mistakes D. Regulating access
You are correct, the answer is A. A. A virtual private network (VPN) hides information from sniffers on the Internet using tunneling. It works based on encapsulation and encryption of sensitive traffic. B. A VPN does support security policies related to secure communications, but its primary purpose is to protect data in transit. C. A VPN does not check the content of packets, so it cannot detect misuse or mistakes. D. A VPN is not used to regulate access. A user may have to log in to use a VPN, but that is not the purpose of the VPN.
Which of the following potentially blocks hacking attempts? Select an answer: A. Intrusion detection system (IDS) B. Honeypot system C. Intrusion prevention system (IPS) D. Network security scanner
You are correct, the answer is C. A. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts but cannot effectively stop them. B. A honeypot solution captures intruder activity or traps the intruders when they attempt to explore a simulated target. C. An intrusion prevention system (IPS) is deployed as an inline device on a network or host that can detect and block hacking attempts. D. A network security scanner scans for vulnerabilities, but it will not stop the intrusion.
Which of the following findings would be of GREATEST concern to an IS auditor during a review of logical access to an application? Select an answer: A. Some developers have update access to production data. B. The file storing the application ID password is in cleartext in the production code. C. The change control team has knowledge of the application ID password. D. The application does not enforce the use of strong passwords.
You answered A. The correct answer is B. A. Developers might need limited update access to production data to perform their jobs and this access, when approved and reviewed by management, is acceptable even though it does pose a risk. B. Compromise of the application ID password can result in untraceable, unauthorized changes to production data; storing the password in cleartext poses the greatest risk. While the production code may be protected from update access, it is viewable by development teams. C. Knowledge of the application ID password by the change control team does not pose a great concern if adequate separation of duties exists between change control and development activities. There may be occasions when the application ID needs to be utilized by change control in the production environment. D. While the lack of a strong password policy and configuration can result in compromised accounts, the risk is lower than if the application ID password is compromised because the application ID password does not allow for traceability.
When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? Select an answer: A. There is no registration authority (RA) for reporting key compromises. B. The certificate revocation list (CRL) is not current. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. D. Subscribers report key compromises to the certificate authority (CA).
You answered A. The correct answer is B. A. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). B. If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures; therefore, this is not a risk. D. Subscribers reporting key compromises to the CA is not a risk because reporting this to the CA enables the CA to take appropriate action.
A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: Select an answer: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.
You answered A. The correct answer is C. A. In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties. B. Spoofing is an active attack. In spoofing, a user receives an email that appears to have originated from one source when it actually was sent from another source. C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. D. In masquerading, the intruder presents an identity other than the original identity. This is an active attack.
When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised? Select an answer: A. Personal firewall B. Antivirus programs C. Intrusion detection system (IDS) D. Virtual local area network (VLAN) configuration
You answered A. The correct answer is C. A. Personal firewalls would be later in the defensive strategy, being located on the endpoints. B. Antivirus programs would be installed on endpoints as well as on the network, but the next layer of defense after a firewall is an intrusion detection system (IDS)/intrusion protection system (IPS). C. An IDS would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator. D. Virtual local area network (VLAN) configurations are not intended to compensate for a compromise of the firewall. They are an architectural good practice.
An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: Select an answer: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.
You answered A. The correct answer is D. A. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. B. Causing many false alarms is normal for a behavior-based intrusion detection system (IDS), and should not be a matter of concern. C. Being weak against new types of attacks is expected from a signature-based IDS because it can only recognize attacks that have been previously identified. D. An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic.
An organization stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. Which of the following represents the BEST control to ensure separation of the two networks? Select an answer: A. Establish two physically separate networks. B. Implement virtual local area network (VLAN) segmentation. C. Install a dedicated router between the two networks. D. Install a firewall between the networks.
You answered A. The correct answer is D. A. While having two physically separate networks would ensure the security of customer data, it would make it impossible for authorized wireless users to access that data. B. While a VLAN would provide separation of the two networks, it is possible, with sufficient knowledge, for an attacker to gain access to one VLAN from the other. C. A dedicated router between the two networks would separate them; however, this would be less secure than a firewall. D. In this case, a firewall could be used as a strong control to allow authorized users on the wireless network to access the wired network.
Which of the following is the BEST control over a guest wireless ID that is given to vendor staff? Select an answer: A. Assignment of a renewable user ID which expires daily B. A write-once log to monitor the vendor's activities on the system C. Utilization of a user ID format similar to that used by employees D. Ensuring that wireless network encryption is configured properly
You answered B. The correct answer is A. A. A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization. B. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventive control. C. The user ID format does not change the overall security of the wireless connection. D. Controls related to the encryption of the wireless network are important; however, the access to that network is a more critical issue.
Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity? Select an answer: A. Statistical-based B. Signature-based C. Neural network D. Host-based
You answered B. The correct answer is A. A. A statistical-based intrusion detection system (IDS) relies on a definition of known and expected behavior of systems. Because normal network activity may, at times, include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. B. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. Signature-based systems traditionally have low levels of false positives, but may be weak at detecting new attacks. C. A neural network combines the statistical- and signature-based IDSs to create a hybrid and better system. D. Host-based is another type of IDS, but it would not be used to monitor network activity.
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? Select an answer: A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers.
You answered B. The correct answer is A. A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. B. Implementing a two-factor authentication would prevent unauthorized access to the database, but would not record the activity of the user when using the database. C. Using table views would restrict users from seeing data that they should not be able to see, but would not record what users did with data they were allowed to see. D. Separating database and application servers may help in better administration or even in implementing access controls, but does not address the accountability issues.
An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? Select an answer: A. An application-level gateway B. A remote access server C. A proxy server D. Port scanning
You answered B. The correct answer is A. A. An application-level gateway is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes, in detail, each package—not only in layers one through four of the Open System Interconnection (OSI) model, but also layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transmission Protocol [HTTP], File Transfer Protocol [FTP], Simple Network Management Protocol [SNMP], etc.). B. For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating security exposure. C. Proxy servers can provide excellent protection, but depending on the type of proxy, they may not be able to examine traffic as effectively as an application gateway. For proxy servers to work, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. D. Port scanning is used to detect vulnerabilities or open ports on a network, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing but would not respond to Ping.
The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service (DoS) attack is to deny all: Select an answer: A. outgoing traffic with Internet Protocol (IP) source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts.
You answered B. The correct answer is A. A. Outgoing traffic with an Internet Protocol (IP) source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service (DoS) attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack. B. Denying incoming traffic will not prevent an internal machine from participating in an attack on an outside target. C. Incoming traffic will have the IP options set according to the type of traffic. This is a normal condition. D. Denying incoming traffic to internal hosts will prevent legitimate traffic.
Distributed denial-of-service (DDoS) attacks on Internet sites are typically evoked by hackers using which of the following? Select an answer: A. Logic bombs B. Phishing C. Spyware D. Trojan horses
You answered B. The correct answer is D. A. Logic bombs are programs designed to destroy or modify data at a specific event or time in the future. B. Phishing is an attack, normally via email, pretending to be an authorized person or organization requesting information. C. Spyware is a program that picks up information from PC drives by making copies of their contents. D. Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to coordinate distributed denial-of-service (DDoS) attacks that overload a site so that it may no longer be able to process legitimate requests.
An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? Select an answer: A. Symmetric key encryption B. Digital signatures C. Message digest algorithms D. Digital certificates
You answered B. The correct answer is D. A. Symmetric key encryption uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation. B. Digital signatures provide message integrity and nonrepudiation; however, confidentiality is not provided. C. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation. D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.
The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: Select an answer: A. connecting points are available in the facility to connect laptops to the network. B. users take precautions to keep their passwords confidential. C. terminals with password protection are located in insecure locations. D. terminals are located within the facility in small clusters under the supervision of an administrator.
You answered C. The correct answer is A. A. Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. B. If system passwords are not readily available for intruders to use, they must guess, introducing an additional factor and requires time. C. System passwords provide protection against unauthorized use of terminals located in insecure locations. D. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.
At a hospital, medical personal carry handheld computers, which contain patient health data. These handheld computers are synchronized with PCs which transfer data from a hospital database. Which of the following would be of the most importance? Select an answer: A. The handheld computers are properly protected to prevent loss of data confidentiality, in case of theft or loss. B. The employee who deletes temporary files from the local PC, after usage, is authorized to maintain PCs. C. Timely synchronization is ensured by policies and procedures. D. The usage of the handheld computers is allowed by the hospital policy.
You answered C. The correct answer is A. A. Data confidentiality is a major requirement of privacy regulations. B. Only authorized personnel should maintain computer systems; however, the deletion of temporary files would be a minor risk compared to the theft or loss of a handheld device containing unprotected data. C. Policies and procedures are important, but the most important task is to protect sensitive data on handheld units. D. Without policy, no handheld units should be permitted, but once permitted the policy must be backed up with the procedures to enforce policy and protect data. A policy without procedures is only empty words.
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? Select an answer: A. Corruption of the Address Resolution Protocol (ARP) cache in Ethernet switches B. Use of a default administrator password on the analog phone switch C. Deploying virtual local area networks (VLANs) without enabling encryption D. End users having access to software tools such as packet sniffer applications
You answered C. The correct answer is A. A. On an Ethernet switch there is a data table known as the Address Resolution Protocol (ARP) cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic. B. VoIP systems do not use analog switches and inadequate administrator security controls would not be an issue. C. VoIP data are not normally encrypted in a LAN environment because the controls regarding VLAN security are adequate. D. Most software tools such as packet sniffers cannot make changes to LAN devices, such as the VLAN configuration of an Ethernet switch used for VoIP. Therefore, the use of software utilities of this type is not a risk.
During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used? Select an answer: A. A biometric, digitalized and encrypted parameter with the customer's public key B. A hash of the data that is transmitted and encrypted with the customer's private key C. A hash of the data that is transmitted and encrypted with the customer's public key D. The customer's scanned signature encrypted with the customer's public key
You answered C. The correct answer is B. A. Biometrics are not used in digital signatures or public key encryption. B. The calculation of a hash, or digest, of the data that are transmitted and its encryption require the private key of the client (sender) and is called a signature of the message, or digital signature. The receiver hashes the received message and compares the hash they compute with the received hash, after the digital signature has been decrypted with the sender's public key. If the hash values are the same, the conclusion would be that there is integrity in the data that have arrived and the origin is authenticated. The concept of encrypting the hash with the private key of the originator provides nonrepudiation because it can only be decrypted with their public key, and the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender's public key must have been encrypted with their private key, so they must have been the sender (i.e., nonrepudiation). C. It would not be correct to encrypt the hash with the customer's public key because then the recipient would need access to the customer's private key to decrypt the digital signature. D. A scan of the customer's signature would be known as a digitized signature, not a digital signature, and would be of little or no value in this scenario.
This question refers to the following diagram. Internet --> Firewall 1 --> Mail Gateway --> Firewall-2 --> IDS Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: Select an answer: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. D. close firewall-1.
You answered C. The correct answer is B. A. The first action taken by an intrusion detection system (IDS) will be to create a log entry and then alert the appropriate staff. B. Creating an entry in the log is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet. C. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. After the IDS has logged the suspicious traffic, it may signal firewall-2 to close, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. D. The IDS will usually only protect the internal network by closing firewall-2 and will not close the externally facing firewall-1.
Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems? Select an answer: A. Proxy server B. Firewall installation C. Demilitarized zone (DMZ) D. Virtual private network (VPN)
You answered C. The correct answer is D. A. A proxy server is a type of firewall installation used as an intermediary to filter and control traffic between internal and external parties. B. While firewall installations are the primary line of defense, they would need to have encryption and a virtual private network (VPN) to secure remote access traffic. C. A demilitarized zone (DMZ) is an isolated network used to permit outsiders to access certain corporate information in a semi-trusted environment. The DMZ may host a web server or other external facing services. Traffic to a DMZ is not usually encrypted unless it is terminating on a VPN located in the DMZ. D. The best way to secure remote access is through the use of encrypted VPNs. This would allow remote users a secure connection to the main systems.
The role of the certificate authority (CA) as a third party is to: Select an answer: A. provide secured communication and networking services based on certificates. B. host a repository of certificates with the corresponding public and secret keys issued by that CA. C. act as a trusted intermediary between two communication partners. D. confirm the identity of the entity owning a certificate issued by that CA.
You answered C. The correct answer is D. A. Providing a communication infrastructure is not a certificate authority (CA) activity. B. The secret keys belonging to the certificates would not be archived at the CA. C. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself. D. The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.
Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? Select an answer: A. User registration and password policies B. User security awareness C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Domain name system (DNS) server security hardening
You answered C. The correct answer is D. A. User registration and password policies cannot mitigate pharming attacks because they do not prevent manipulation of domain name system (DNS) records. B. User security awareness cannot mitigate pharming attacks because it does not prevent manipulation of DNS records. C. The use of intrusion detection/intrusion prevention systems (IDSs/IPSs) cannot mitigate pharming attacks because they do not prevent manipulation of DNS records. D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.
A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST? Select an answer: A. Send a report to the IS audit department. B. Change the name of the DBA account. C. Suspend the DBA account. D. Change the database password
You answered C. The correct answer is D. A. While the IS audit department should be notified, this should not be the first action. B. Changing the database administrator (DBA) account name could impact production database servers and thus would not be a good idea. C. Suspending the DBA account could impact the production database servers and may not be effective if there is more than one DBA account sharing the same database password. The thief may guess the account names of the other DBAs. D. The password should be changed immediately because there is no way to know whether it has been compromised.
An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. This practice: Select an answer: A. reduces the risk of unauthorized access to the network. B. is not suitable for small networks. C. automatically provides an IP address to anyone. D. increases the risk associated with Wireless Encryption Protocol (WEP).
You answered D. The correct answer is A. A. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access. B. DHCP is suitable for networks of all sizes from home networks to large complex organizations. C. DHCP does not provide IP addresses when disabled. D. Disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in Wireless Encryption Protocol (WEP).
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: Select an answer: A. encryption. B. callback modems. C. message authentication. D. dedicated leased lines.
You answered D. The correct answer is A. A. Encryption of data is the most secure method of protecting confidential data from exposure. B. A callback system is used to ensure that a user is only logging in from a known location. It is not effective to protect the transmitted data from interception. C. Message authentication is used to prove message integrity and source but not confidentiality. D. It is more difficult to intercept traffic traversing a dedicated leased line than it is to intercept data on a shared network, but the only way to really protect the confidentiality of data is to encrypt it.
An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk? Select an answer: A. Kerberos B. Vitality detection C. Multimodal biometrics D. Before-image/after-image logging
You answered D. The correct answer is A. A. Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. B. Vitality detection tries to ensure that a user presenting a biometric is "alive" and not merely an image or photocopy of the biometric values. C. Multimodal biometrics uses a combination of biometric methods to authenticate a user. If the attacker can gain access to the biometric templates the use of multiple templates will not be an effective control. D. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.
What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? Select an answer: A. Malicious code could be spread across the network. B. The VPN logon could be spoofed. C. Traffic could be sniffed and decrypted. D. The VPN gateway could be compromised.
You answered D. The correct answer is A. A. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic. B. A secure VPN solution would use two-factor authentication to prevent spoofing. C. VPN traffic should be encrypted, making the sniffing of traffic unimportant. D. A misconfigured or poorly implemented VPN gateway could be subject to attack, but if it is located in a secure subnet, then the risk is reduced.
Digital signatures require the: Select an answer: A. signer to have a public key and the receiver to have a private key. B. signer to have a private key and the receiver to have a public key. C. signer and receiver to have a public key. D. signer and receiver to have a private key.
You answered D. The correct answer is B. A. If a sender encrypts a message with a public key, it will provide confidential transmission to the receiver with the private key. B. Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is based on the sender encrypting a digest of the message with their private key and the receiver validating the message with the public key. C. Asymmetric key cryptography always works with key pairs. Therefore, a message encrypted with a public key could only be opened with a private key. D. If both the sender and receiver have a private key there would be no way to validate the digital signature.
Inadequate programming and coding practices introduce the risk of: Select an answer: A. phishing. B. buffer overflow exploitation. C. synchronize (SYN) flood. D. brute force attacks.
You answered D. The correct answer is B. A. Phishing is a social engineering attack that attempts to gather sensitive information from a customer—often via email. This is not a programming or coding problem. B. Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. C. A synchronize (SYN) flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices. D. Brute force attacks are used against passwords and are not related to programming and coding practices.
Which of the following provides the MOST relevant information for proactively strengthening security settings? Select an answer: A. Bastion host B. Intrusion detection system (IDS) C. Honeypot D. Intrusion prevention system
You answered D. The correct answer is C. A. A bastion host is a hardened system used to host services. It does not provide information about an attack. B. Intrusion detection systems (IDSs) are designed to detect and address an attack in progress and stop it as soon as possible. C. The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods. D. Intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible.
In a public key infrastructure (PKI), a registration authority: Select an answer: A. verifies information supplied by the subject requesting a certificate. B. issues the certificate after the required attributes are verified and the keys are generated. C. digitally signs a message to achieve nonrepudiation of the signed message. D. registers signed messages to protect them from future repudiation.
You are correct, the answer is A. A. A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor's right to request a certificate on behalf of themselves or their organization. B. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed. C. The sender who has control of his/her private key signs the message, not the registration authority. D. Registering signed messages is not a task performed by registration authorities.
An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor? Select an answer: A. Determine whether compensating controls are in place. B. Document the issue in the audit report. C. Recommend an update to the procedures. D. Discuss the issue with senior management.
You are correct, the answer is A. A. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place. B. An IS auditor should gather additional information before presenting the situation in the report. C. An update to procedures would not address a potential weakness in logical security and may not be feasible if individuals are required to have this access to perform their jobs. D. The IS auditor should gather additional information before reporting the item to senior management.
This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the: Select an answer: A. firewall and the organization's network. B. Internet and the firewall. C. Internet and the web server. D. web server and the firewall.
You are correct, the answer is A. A. Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system (IDS) is placed between the firewall and the organization's network. B. A network-based IDS placed between the Internet and the firewall will detect attack attempts, whether they are or are not noticed by the firewall. C. Placing an IDS outside of the web server will identify attacks directed at the web server, but will not detect attacks missed by the firewall. D. Placing the IDS after the web server would identify attacks that have made it past the web server, but will not indicate whether the firewall would have been able to detect the attacks.
The MOST common problem in the operation of an intrusion detection system (IDS) is: Select an answer: A. the detection of false positives. B. receiving trap messages. C. reject-error rates. D. denial-of-service (DoS) attacks.
You are correct, the answer is A. A. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive. B. Trap messages are generated by the Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. C. Reject-error rate is related to biometric technology and is not related to IDSs. D. Denial-of-service (DoS) is a type of attack and is not a problem in the operation of IDSs because an IDS only captures data and does not affect traffic.
Email message authenticity and confidentiality is BEST achieved by signing the message using the: Select an answer: A. sender's private key and encrypting the message using the receiver's public key. B. sender's public key and encrypting the message using the receiver's private key. C. receiver's private key and encrypting the message using the sender's public key. D. receiver's public key and encrypting the message using the sender's private key.
You are correct, the answer is A. A. By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. Encrypting with the receiver's public key provides confidentiality. B. Signing can only occur using the sender's private key. C. The sender would not have access to the receiver's private key. D. By encrypting the message with the receiver's public key, only the receiver can decrypt the message using their own private key. The receiver's private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender's private key can be read by anyone with the sender's public key.
Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse? Select an answer: A. Implement column- and row-level permissions B. Enhance user authentication via strong passwords C. Organize the data warehouse into subject matter-specific databases D. Log user access to the data warehouse
You are correct, the answer is A. A. Column- and row-level permissions control what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted (e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff). Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data (views) rather than physical tables. This "fine-grained" security model is likely to offer the best balance between information protection while still supporting a wide range of analytical and reporting uses. B. Enhancing user authentication via strong passwords is a security control that should apply to all users of the data warehouse and does not specifically address protection of specific sensitive data. C. Organizing a data warehouse into subject-specific databases is a potentially useful practice but, in itself, does not adequately protect sensitive data. Database-level security is normally too "coarse" a level to efficiently and effectively protect information. For example, one database may hold information that needs to be restricted such as employee salary and customer profitability details while other information such as employee department may need to be legitimately accessed by a large number of users. Organizing the data warehouse into subject matter-specific databases is similar to user access in that this control should generally apply. Extra attention could be devoted to reviewing access to tables with sensitive data, but this control is not sufficient without strong preventive controls at the column and row level. D. Logging user access is important, but it is only a detective control that will not provide adequate protection to sensitive information.
The technique used to ensure security in virtual private networks (VPNs) is: Select an answer: A. encapsulation. B. wrapping. C. transforming. D. hashing.
You are correct, the answer is A. A. Encapsulation, or tunneling, is a technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network. B. Wrapping is used where the original packet is wrapped in another packet but is not directly related to security. C. To transform or change the state of the communication would not be used for security. D. Hashing is used in virtual private networks (VPNs) to ensure message integrity.
Which of the following is the MOST important action in recovering from a cyberattack? Select an answer: A. Activating an incident response team B. Hiring cyberforensic investigators C. Executing a business continuity plan (BCP) D. Preserving evidence
You are correct, the answer is A. A. Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational. B. When a cyberattack is suspected, cyberforensic investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. The use of cyberforensic experts is only done after the incident has been identified. C. The most important objective in recovering from a cyberattack is to keep the business operational, but most attacks will not require the activation or use of the business continuity plan (BCP). D. The primary objective for the business is to stay in business. In a noncriminal investigation this may even mean that some evidence is lost.
To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet if: Select an answer: A. the source routing field is enabled. B. it has a broadcast address in the destination field. C. a reset flag (RST) is turned on for the Transmission Control Protocol (TCP) connection. D. dynamic routing is used instead of static routing.
You are correct, the answer is A. A. IP spoofing takes advantage of the source-routing option in the Internet Protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing. B. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing. C. Turning on the reset flag (RST) is part of the normal procedure to end a Transmission Control Protocol (TCP) connection. D. The use of dynamic or static routing will not represent a spoofing attack.
An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take? Select an answer: A. Determine whether this is a policy violation and document it. B. Document the observation as an exception. C. Recommend that all password configuration settings be identical. D. Recommend that logs of IT developer access are reviewed periodically.
You are correct, the answer is A. A. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed. B. This condition would not be considered an exception if procedures are followed according to approved policies. C. There may be valid reasons for these settings to be different; therefore, the auditor would not normally recommend changes before researching company policies and procedures. D. While reviewing logs may be a good compensating control, the more important course of action would be to determine if policies are being followed.
An IS auditor performing detailed network assessments and access control reviews should FIRST: Select an answer: A. determine the points of entry. B. evaluate users' access authorization. C. assess users' identification and authorization. D. evaluate the domain-controlling server configuration.
You are correct, the answer is A. A. In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. B. Evaluation of user access authorization is an implementation issue for appropriate controls for the points of entry. C. Assessment of user identification and authorization are implementation issues for appropriate controls for the points of entry. D. Evaluation of the domain-controlling server configuration is not the first area to be reviewed. It will be reviewed once the network entry points have been identified.
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? Select an answer: A. Nonrepudiation B. Encryption C. Authentication D. Integrity
You are correct, the answer is A. A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message. B. Encryption may protect the data transmitted over the Internet but may not prove that the transactions were made. C. Authentication is necessary to establish the identification of all parties to a communication. D. Integrity ensures that transactions are accurate but does not provide the identification of the customer.
When installing an intrusion detection system (IDS), which of the following is MOST important? Select an answer: A. Properly locating it in the network architecture B. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quarantined D. Minimizing the rejection errors
You are correct, the answer is A. A. Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. B. A network IDS will monitor network traffic and a host-based IDS will monitor activity on the host but it has no capability of preventing a denial-of-service (DoS) attack. C. Configuring an IDS can be a challenge because it may require the IDS to "learn" what normal activity is, but the most important part of the installation is to install it in the right places. D. An IDS is only a monitoring device and does not reject traffic. Rejection errors would apply to a biometric device.
The FIRST step in a successful attack to a system would be: Select an answer: A. gathering information. B. gaining access. C. denying services. D. evading detection.
You are correct, the answer is A. A. Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and the potential vulnerabilities that can be exploited in the attack. B. Once attackers have discovered potential vulnerabilities through information gathering, they will usually attempt to gain access. C. An attacker will usually launch a denial of service as one of the last steps in the attack. D. When attackers have gained access and possibly infected the victim with a rootkit, they will delete audit logs and take other steps to hide their tracks.
Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? Select an answer: A. Virtual private network (VPN) B. Dedicated line C. Leased line D. Integrated services digital network (ISDN)
You are correct, the answer is A. A. The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet. B. A dedicated line is quite expensive and only needed when there are specific confidentiality and availability needs. C. A leased line is an expensive but private option, but rarely a good option today. D. Integrated services digital network (ISDN) is not encrypted and would need additional security to be a valid option.
A company has decided to implement an electronic signature scheme based on public key infrastructure (PKI). The user's private key will be stored on the computer's hard drive and protected by a password. The MOST significant risk of this approach is: Select an answer: A. use of the user's electronic signature by another person if the password is compromised. B. forgery by using another user's private key to sign a message with an electronic signature. C. impersonation of a user by substitution of the user's public key with another person's public key. D. forgery by substitution of another person's private key on the computer.
You are correct, the answer is A. A. The user's digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. B. Creating a digital signature with another user's private key would indicate that the message came from a different person, and therefore, the true user's credentials would not be forged. C. Impersonation of a public key would require the modification of the certificate issued by the certificate authority (CA). This is very difficult and least likely. D. The substitution of another person's private key would not work because the digital signature would be validated with the original user's public key.
A characteristic of User Datagram Protocol (UDP) in network communications is: Select an answer: A. packets may arrive out of order. B. increased communication latency. C. incompatibility with packet broadcast. D. error correction may slow down processing.
You are correct, the answer is A. A. User Datagram Protocol (UDP) utilizes a simple transmission model without implicit handshaking routines for providing reliability, ordering or data integrity. Thus, UDP provides an unreliable service and datagrams may arrive out of order, appear duplicated or get dropped. B. The advantage of UDP is that the lack of error checking allows for reduced latency. Time-sensitive applications, such as online video or audio, often use UDP because of the reduced latency of this protocol. C. UDP is compatible with packet broadcast (sending to all on the local network) and multicasting (sending to all subscribers). D. UDP assumes that error checking and correction is either not necessary or performed in the application, avoiding the overhead of such processing at the network interface level.
Validated digital signatures in an email software application will: Select an answer: A. help detect spam. B. provide confidentiality. C. add to the workload of gateway servers. D. significantly reduce available bandwidth.
You are correct, the answer is A. A. Validated electronic signatures are based on qualified certificates that are created by a certificate authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in email traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure his/her email server or client to automatically delete emails from specific senders. B. For confidentiality issues, one must use encryption, not a signature. C. Without any filters directly applied on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in an overhead less than antivirus software imposes. D. Digital signatures are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check certificate revocation lists (CRLs), there is little overhead.
Two-factor authentication can be circumvented through which of the following attacks? Select an answer: A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force
You are correct, the answer is B. A. A denial-of-service attack does not have a relationship to authentication. B. A man-in-the-middle attack is similar to piggybacking in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. This is done in many instances of bank fraud. C. Key logging could circumvent single-factor authentication but not two-factor authentication. D. Brute force could circumvent single-factor authentication but not two-factor authentication.
A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment? Select an answer: A. Reviewing logs frequently B. Testing and validating the rules C. Training a local administrator at the new location D. Sharing firewall administrative duties
You are correct, the answer is B. A. A regular review of log files would not start until the deployment has been completed. B. A mistake in the rule set can render a firewall ineffective or insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. C. Training a local administrator may not be necessary if the firewalls are managed from a central location. D. Having multiple administrators is a good idea, but not the most important for successful deployment.
Over the long term, which of the following has the greatest potential to improve the security incident response process? Select an answer: A. A walk-through review of incident response procedures B. Postevent reviews by the incident response team C. Ongoing security training for users D. Documenting responses to an incident
You are correct, the answer is B. A. A walk-through is a good first step to evaluate the incident response plan, but the lessons learned from incidents will provide more meaningful long-term benefits. B. Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help improve the process over time. C. Training the users and members of the incident response team will improve the effectiveness of the team, but learning from the lessons of previous incidents will generate the greatest benefit. D. Documenting all incidents is important to allow later analysis and review, but is not as important as the results of the analysis.
When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following? Select an answer: A. Number of nonthreatening events identified as threatening B. Attacks not being identified by the system C. Reports/logs being produced by an automated tool D. Legitimate traffic being blocked by the system
You are correct, the answer is B. A. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. B. Reviewing the logs from the intrusion detection system (IDS) following an attack to identify which attacks were not identified by the system indicates a high risk; because the attacks were not identified, they are unknown and no action will be taken to address the attacks. C. Often, IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem. D. An IDS does not block any traffic.
An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure? Select an answer: A. The corporate network is using an intrusion prevention system (IPS). B. This part of the network is isolated from the corporate network. C. A single sign-on has been implemented in the corporate network. D. Antivirus software is in place to protect the corporate network.
You are correct, the answer is B. A. An intrusion prevention system (IPS) may stop an attack but it would be far better to restrict the ability of machines in the conference rooms from being able to access the corporate network altogether. B. If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or by being physically separated. C. A single sign-on solution is used for access control but would not still leave a risk when unauthorized people have physical access to the corporate network. D. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.
An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software: Select an answer: A. is configured with an implicit deny rule as the last rule in the rule base. B. is installed on an operating system with default settings. C. has been configured with rules permitting or denying access to systems or networks. D. is configured as a virtual private network (VPN) endpoint.
You are correct, the answer is B. A. Configuring a firewall with an implicit deny rule is common practice. B. Default settings of most equipment—including operating systems—are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. C. A firewall configuration should have rules allowing or denying access according to policy. D. A firewall is often set up as the endpoint for a virtual private network (VPN).
An IS auditor reviewing access controls for a client-server environment should FIRST: Select an answer: A. evaluate the encryption technique. B. identify the network access points. C. review the identity management system. D. review the application level access controls.
You are correct, the answer is B. A. Evaluating encryption techniques would be performed at a later stage of the review. B. A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. C. Reviewing the identity management system would be performed at a later stage of the review. D. Reviewing the application level access controls would be performed at a later stage of the review.
Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise's data? Select an answer: A. Exception reports B. Segregation of duties (SoD) C. Review of access logs and activities D. Management supervision
You are correct, the answer is B. A. Exception reports are detective controls used to indicate when the activities of the database administrator (DBA) were performed without authorization. B. Adequate segregation of duties (SoD) can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task. C. Reviews of access logs are used to detect the activities performed by the DBA. D. Management supervision of DBA activities is used to detect which DBA activities were not authorized.
Which of the following is a control that can be implemented if application programmers are allowed to move programs into the production environment in a small organization? Select an answer: A. Independent postimplementation testing B. Independent review of the changed program C. Independent review of user requirements D. Independent review of user acceptance
You are correct, the answer is B. A. Independent postimplementation testing would not be as effective because the system could be accepted by the end user without detecting the undocumented functionality. B. An independent review of the changes to the program in production could identify any unauthorized changes, versions or functionality that the programmer had put into production. C. An independent review of user requirements would not be as effective because the system could meet user requirements and still include undocumented functionalities. D. An independent review of user acceptance would not be as effective because the system could be accepted by the end users, and the undocumented functionalities could remain undetected.
During an audit of an internally developed, web-based purchase approval application, an IS auditor discovers that all business users share a common access profile. Which of the following is the MOST important recommendation for the IS auditor to include in the report? Select an answer: A. Ensure that all user activity is logged and that the logs are reviewed by management. B. Develop additional profiles within the application to restrict user access per the job profiles. C. Ensure that a policy exists to control what activities users can perform within the application. D. Ensure that a virtual private network (VPN) is implemented so that users can log on to the application securely.
You are correct, the answer is B. A. Logging is a detective control and often a secondary recommendation in the event that technical issues or costs prohibit implementation of preventive controls. B. The strongest control is a preventive control that is automated through the system. Developing additional access profiles would ensure that the system restricts users to privileges defined by their job responsibilities and that an audit trail exists for those user actions. C. While a policy is a type of preventive control, it is not as strong a control as a logical control because its adoption and success rely on human behavior. D. Virtual private network (VPN) access is recommended for secure access to the application. Implementing a VPN may not be necessary; however, the primary issue at hand is users sharing a common user profile.
Which of the following message services provides the STRONGEST evidence that a specific action has occurred? Select an answer: A. Proof of delivery B. Nonrepudiation C. Proof of submission D. Message origin authentication
You are correct, the answer is B. A. Proof of delivery can be manipulated by the receiver and is not a trustworthy form of evidence. B. Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts (i.e., proof of submission, proof of delivery and message origin authentication). However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. C. Proof of submission is a weak form of evidence that is not as trusted as nonrepudiation. D. Message origination authentication will only confirm the source of the message and does not confirm the specific action that has been completed.
Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? Select an answer: A. Selecting a more robust algorithm to generate challenge strings B. Implementing measures to prevent session hijacking attacks C. Increasing the frequency of associated password changes D. Increasing the length of authentication strings
You are correct, the answer is B. A. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks. B. Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. C. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk. D. Increasing the length of authentication strings will not prevent man-in-the-middle or session hijacking attacks.
An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? Select an answer: A. Internet Protocol (IP) spoofing B. Phishing C. Structured query language (SQL) injection D. Denial-of-service (DoS)
You are correct, the answer is B. A. The URL is based on Hypertext Transmission Protocol (HTTP); IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) packet, not in the HTTP protocol. B. URL shortening services have been adopted by hackers to fool users and spread malware (i.e., phishing). C. Although URL shortening services can be used to perform structured query language (SQL) injections, their primary risk is being used for phishing. D. Denial-of-service (DoS) attacks are not affected by URL shortening services.
Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? Select an answer: A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)
You are correct, the answer is B. A. The certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date. B. The certification practice statement (CPS) is the how-to document used in policy-based public key infrastructure (PKI). C. The certificate policy (CP) sets the requirements that are subsequently implemented by the CPS. D. The PKI disclosure statement (PDS) covers critical items such as the warranties, limitations and obligations that legally bind each party.
A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data? Select an answer: A. Introduce a secondary authentication method such as card swipe. B. Apply role-based permissions within the application system. C. Have users input the ID and password for each database transaction. D. Set an expiration period for the database password embedded in the program.
You are correct, the answer is B. A. The issue is user permissions, not authentication; therefore, adding a stronger authentication does not improve the situation. B. This is a normal process to allow the application to communicate with the database. Therefore, the best control is to control access to the application and procedures to ensure that access to data is granted based on a user's role. C. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. D. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: Select an answer: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D. accountability system and the ability to identify any terminal accessing system resources.
You are correct, the answer is B. A. The maintenance of access logs of usage of system resources is a detective control. A preventive control should be used first. B. The authorization and authentication of users before granting them access to system resources (networks, servers, applications, etc.) is the most significant aspect in a telecommunication access control review because it is a preventive control. Weak controls at this level can affect all other aspects of security. C. The adequate protection of data being stored on servers by encryption or other means is a method of protecting stored information and is not a network access issue. D. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal or device attempting to connect to the network. This is called node authentication and is not as good as authenticating the user sitting at that node.
Applying a digital signature to data traveling in a network provides: Select an answer: A. confidentiality and integrity. B. security and nonrepudiation. C. integrity and nonrepudiation. D. confidentiality and nonrepudiation.
You are correct, the answer is C. A. A digital signature does not encrypt the message so it cannot provide confidentiality. B. A digital signature does not encrypt the message so it cannot provide security. C. A digital signature is created by signing a hash of a message with the private key of the sender. This provides for the integrity (through the hash) and the proof of origin (nonrepudiation) of the message. D. A digital signature does not provide confidentiality.
Which of the following is BEST suited for secure communications within a small group? Select an answer: A. Key distribution center B. Certificate authority (CA) C. Web of trust D. Kerberos Authentication System
You are correct, the answer is C. A. A key distribution center is a part of a Kerberos implementation suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. B. Certificate authority (CA) is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. C. Web of trust is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy (PGP) and distributes the public keys of users within a group. D. A Kerberos Authentication System extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines, which are accessible to each user.
The GREATEST risk from an improperly implemented intrusion prevention system (IPS) is: Select an answer: A. that there will be too many alerts for system administrators to verify. B. decreased network performance due to IPS traffic. C. the blocking of critical systems or services due to false triggers. D. reliance on specialized expertise within the IT organization.
You are correct, the answer is C. A. A number of false positives may cause excessive administrator workload, but this is a relatively minor risk. B. The intrusion prevention system (IPS) will not generate any traffic that would impact network performance. C. An IPS prevents a connection or service based on how it is programmed to react to specific incidents. If the IPS is triggered based on incorrectly defined or nonstandard behavior, it may block the service or connection of a critical internal system. D. Configuring an IPS can take months of learning what is and what is not acceptable behavior, but this does not require specialized expertise.
The use of digital signatures: Select an answer: A. requires the use of a one-time password generator. B. provides encryption to a message. C. validates the source of a message. D. ensures message confidentiality.
You are correct, the answer is C. A. A one-time password generator is not a requirement for using digital signatures. B. A digital signature provides for integrity and proof of origin for a message, but does not address confidentiality. C. The use of a digital signature verifies the identity of the sender. D. A digital signature does not ensure message confidentiality.
In an online banking application, which of the following would BEST protect against identity theft? Select an answer: A. Encryption of personal password B. Restricting the user to a specific terminal C. Two-factor authentication D. Periodic review of access logs
You are correct, the answer is C. A. A password alone is only single-factor authentication and could be guessed or broken. B. Restricting the user to a specific terminal is not a practical alternative for an online application because the users may need to log in from multiple devices. C. Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know such as a password; something you have such as a token; and something you are which is biometric. Requiring two of these factors makes identity theft more difficult. D. Periodic review of access logs is a detective control and does not protect against identity theft.
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called: Select an answer: A. data integrity. B. authentication. C. nonrepudiation. D. replay protection.
You are correct, the answer is C. A. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. B. Because only the claimed sender has the private key used to create the digital signature, authentication ensures that the message has been sent by the claimed sender. C. Integrity, authentication, nonrepudiation and replay protection are all features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. D. Replay protection is a method that a recipient can use to check that the message was not intercepted and re-sent (replayed).
In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit? Select an answer: A. Device authentication and data origin authentication B. Wireless intrusion detection (IDS) and prevention systems (IPS) C. The use of cryptographic hashes D. Packet headers and trailers
You are correct, the answer is C. A. Device authentication and data origin authentication allow wireless endpoints to authenticate each other to prevent man-in-the-middle attacks and masquerading. B. Wireless intrusion detection (IDS) and prevention systems (IPS) have the ability to detect misconfigured devices and rogue devices and detect and possibly stop certain types of attacks. C. Calculating cryptographic hashes for wireless communications allows the receiving device to verify that the received communications have not been altered in transit. This prevents masquerading and message modification attacks. D. Packet headers and trailers alone do not ensure that the content has not been altered because an attacker could alter both the data and the trailer.
A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident? Select an answer: A. Dump the volatile storage data to a disk. B. Run the server in a fail-safe mode. C. Disconnect the web server from the network. D. Shut down the web server.
You are correct, the answer is C. A. Dumping the volatile storage data to a disk may be used at the investigation stage, but does not contain an attack in progress. B. To run the server in a fail-safe mode, the server needs to be shut down. C. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker. D. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.
Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator? Select an answer: A. Targeted testing B. Internal testing C. Double-blind testing D. External testing
You are correct, the answer is C. A. In targeted testing, penetration testers are provided with information related to target and network design and the target's IT team is aware of the testing activities. B. Internal testing refers to attacks and control circumvention attempts on the target from within the perimeter. The system administrator is typically aware of the testing activities. C. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator. D. External testing is a generic term that refers to attacks and control circumvention attempts on the target from outside the target system. The system administrator may or may not be aware of the testing activities, so this is not the correct answer. (Note: Rather than concentrating on specific terms, CISA candidates should understand the differences between various types of penetration testing.)
Confidentiality of the data transmitted in a wireless local area network (WLAN) is BEST protected if the session is: Select an answer: A. restricted to predefined media access control (MAC) addresses. B. encrypted using static keys. C. encrypted using dynamic keys. D. initiated from devices that have encrypted storage.
You are correct, the answer is C. A. Limiting the number of devices that can access the network via media access control (MAC) address filtering is an inefficient control and does not address the issue of encrypting the session. B. Encryption with static keys—using the same key for a long period of time—carries a risk that the key would be compromised. C. When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. D. Encryption of the data on the connected device (laptop, smart phone, etc.) addresses the confidentiality of the data on the device, not the wireless session.
Which of the following is the MOST effective type of antivirus software to detect an infected application? Select an answer: A. Scanners B. Active monitors C. Integrity checkers D. Vaccines
You are correct, the answer is C. A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files. C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.
An Internet-based attack using password sniffing can: Select an answer: A. enable one party to act as if they are another party. B. cause modification to the contents of certain transactions. C. be used to gain access to systems containing proprietary information. D. result in major problems with billing systems and transaction processing agreements.
You are correct, the answer is C. A. Spoofing attacks can be used to enable one party to act as if they are another party. B. Data modification attacks can be used to modify the contents of certain transactions. C. Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. D. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.
An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important? Select an answer: A. The tools used to conduct the test B. Certifications held by the IS auditor C. Permission from the data owner of the server D. An intrusion detection system (IDS) is enabled
You are correct, the answer is C. A. The choice of tools is important to ensure a valid test and prevent system failure; however, the permission of the owner is most important. B. Whether the IS auditor holds certifications is not relevant to the effectiveness of the test. C. The data owner should be informed of the risk associated with a penetration test, the timing of the test, what types of tests are to be conducted and other relevant details. D. An intrusion detection system (IDS) is not required for a penetration test.
When using a digital signature, the message digest is computed: Select an answer: A. only by the sender. B. only by the receiver. C. by both the sender and the receiver. D. by the certificate authority (CA).
You are correct, the answer is C. A. The message digest must be computed by the sender and the receiver to ensure message integrity. B. The receiver will compute a digest of the received message to verify integrity of the received message. C. A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm. D. The certificate authority (CA) issues certificates that link the public key with its owner. The CA does not compute digests of the messages to be communicated between the sender and receiver.
When using public key encryption to secure data being transmitted across a network: Select an answer: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private.
You are correct, the answer is C. A. The public and private keys always work as a pair—if a public key is used to encrypt a message, the corresponding private key MUST be used to decrypt the message. B. If the message is encrypted with a private key, that will provide proof of origin but not message security or confidentiality. C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it. D. Using two private keys would not be possible with asymmetric encryption.
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: Select an answer: A. an unauthorized user may use the ID to gain access. B. user access management is time consuming. C. user accountability is not established. D. passwords are easily guessed.
You are correct, the answer is C. A. The risk of an unauthorized user accessing the system with a shared ID is no greater than an unauthorized user accessing the system with a unique user ID. B. Access management would not be any different with shared IDs. C. The use of a single user ID by more than one individual precludes knowing who, in fact, used that ID to access a system; therefore, it is more difficult to hold anyone accountable. D. Shared user IDs do not necessarily have easily guessed passwords.
What method might an IS auditor utilize to test wireless security at branch office locations? Select an answer: A. War dialing B. Social engineering C. War driving D. Password cracking
You are correct, the answer is C. A. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. B. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. C. War driving is a technique for locating and gaining access to wireless networks by driving or walking around a building with a wireless-equipped computer. D. Password crackers are tools used to guess users' passwords by trying combinations and dictionary words. Once a wireless device has been identified, password crackers may be used to try to attack it.
The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure: Select an answer: A. the confidentiality of the message. B. nonrepudiation by the sender. C. the authenticity of the message. D. the integrity of data transmitted by the sender.
You are correct, the answer is D. A. A hash function ensures integrity of a message; encrypting with a secret key provides confidentiality. B. Signing the message with the private key of the sender ensures nonrepudiation and authenticity. C. Authenticity of the message is provided by the digital signature. D. If the hash sum is different from what is expected, it implies that the message has been altered. This is an integrity test.
Which of the following would effectively verify the originator of a transaction? Select an answer: A. Using a secret password between the originator and the receiver B. Encrypting the transaction with the receiver's public key C. Using a portable document format (PDF) to encapsulate transaction content D. Digitally signing the transaction with the source's private key
You are correct, the answer is D. A. Because they are a "shared secret" between the user and the system itself, passwords are considered a weaker means of authentication. B. Encrypting the transaction with the recipient's public key will provide confidentiality for the information but will not verify the source. C. Using a portable document format (PDF) will protect the integrity of the content but not necessarily authorship. D. A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify the identity of the source of a transaction and the integrity of its content to a recipient.
An IS auditor is reviewing an organization's controls over email encryption. The company's policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. To ensure that personnel are complying with the policy, an IS auditor must be sure the message is: Select an answer: A. encrypted with the sender's private key and decrypted with the sender's public key. B. encrypted with the recipient's private key and decrypted with the sender's private key. C. encrypted with the sender's private key and decrypted with the recipient's private key. D. encrypted with the recipient's public key and decrypted with the recipient's private key.
You are correct, the answer is D. A. Encrypting a message with the sender's private key and decrypting it with the sender's public key ensures that the message came from the sender; however, it does not guarantee message confidentiality. With public key infrastructure (PKI), a message encrypted with a private key must be decrypted with the responding public key, and vice versa. B. The sender would not have access to the receiver's private key. C. A message encrypted with the sender's private key could only be opened using the sender's public key. D. Encrypting a message with the recipient's public key and decrypting it with the recipient's private key ensures message confidentiality.
Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure (PKI) with digital certificates for its business-to-consumer transactions via the Internet? Select an answer: A. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not. B. Customers can make their transactions from any computer or mobile device. C. The CA has several data processing subcenters to administer certificates. D. The organization is the owner of the CA.
You are correct, the answer is D. A. It is common to use a single certificate authority (CA). They do not need to be geographically dispersed. B. The use of public key infrastructure (PKI) and certificates allows flexible secure communications from many devices. C. The CA will often have redundancy and failover capabilities to alternate data centers. D. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates this could lead to a compromise of the certificates and loss of trust.
Which of the following is a passive attack to a network? Select an answer: A. Message modification B. Masquerading C. Denial-of-service (DoS) D. Traffic analysis
You are correct, the answer is D. A. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. An attack that modifies the data would be an active attack. B. Masquerading is an active attack in which the intruder presents an identity other than the original identity. C. Denial-of-service (DoS) occurs when a computer connected to the Internet is flooded with data and/or requests that must be processed. This is an active attack. D. The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place.
IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? Select an answer: A. Port scanning B. Back door C. Man-in-the-middle D. War driving
You are correct, the answer is D. A. Port scanning will often target the external firewall of the organization. Use of wireless will not affect this. B. A back door is an opening implanted into or left in software that enables an unauthorized entry into a system. C. Man-in-the-middle attacks intercept a message and can read, replace or modify it. D. A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.
Which of the following controls would BEST detect intrusion? Select an answer: A. User IDs and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts. D. Unsuccessful logon attempts are monitored by the security administrator.
You are correct, the answer is D. A. User IDs and the granting of user privileges define a policy. This is a type of administrative or managerial control that may prevent intrusion but would not detect it. B. Automatic logoff is a method of preventing access through unattended or inactive terminals, but is not a detective control. C. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting it. D. Intrusion is detected by the active monitoring and review of unsuccessful logon attempts.
An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access? Select an answer: A. Implement Wired Equivalent Privacy (WEP). B. Permit access to only authorized media access control (MAC) addresses. C. Disable open broadcast of service set identifiers (SSID). D. Implement Wi-Fi Protected Access (WPA) 2.
You are correct, the answer is D. A. Wired Equivalent Privacy (WEP) can be cracked within minutes. WEP uses a static key that has to be communicated to all authorized users, thus management is difficult. Also, there is a greater vulnerability if the static key is not changed at regular intervals. B. The practice of allowing access based on media access control (MAC) is not a solution because MAC addresses can be spoofed by attackers to gain access to the network. C. Disabling open broadcast of service set identifiers (SSID) is not an effective access control because many tools can detect a wireless access point that is not broadcasting. D. Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AES) used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol (EAP) and the preshared secret key authentication model.