D5 Protection of Information Assets 5/31/2017


Which of the following can be used to help ensure confidentiality of transmitted data? Encrypting the:
A. message digest with the sender's private key.
B. session key with the sender's public key.
C. message with the receiver's private key.
D. session key with the receiver's public key.

You answered C. The correct answer is D.
A. This will ensure authentication and nonrepudiation.
B. This will make the message accessible to only the sender.
C. Ideally, a sender cannot have access to a receiver's private key.
D. Access to the session key can only be obtained using the receiver's private key.

During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
A. The organization does not encrypt all of its outgoing email messages.
B. Staff have to type "[PHI]" in the subject field of email messages to be encrypted.
C. An individual's computer screen saver function is disabled.
D. Server configuration requires the user to change the password annually.

You answered A. The correct answer is B.
A. Encrypting all outgoing email is expensive and is not common business practice.
B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health care information (PHI) to protect sensitive information.
C. Disabling the screen saver function increases the risk that sensitive data can be exposed to other employees; however, the risk is not as great as exposing the data to unauthorized individuals outside the organization.
D. While changing the password annually is a concern, the risk is not as great as exposing the data to unauthorized individuals outside the organization.

After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
A. Fine-grained access control
B. Role-based access control (RBAC)
C. Access control lists
D. Network/service access control

You answered A. The correct answer is B.
A. Fine-grained access control on Voice-over Internet Protocol (VoIP) web applications does not scale to enterprisewide systems because it is primarily based on individual user identities and their specific technical privileges.
B. Authorization in this case can best be addressed by role-based access control (RBAC) technology. RBAC controls access according to job roles or functions. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation.
C. Access control lists on VoIP web applications do not scale to enterprisewide systems because they are primarily based on individual user identities and their specific technical privileges.
D. Network/service access control addresses VoIP availability but does not address application-level access or authorization.

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?
A. Selecting a more robust algorithm to generate challenge strings
B. Implementing measures to prevent session hijacking attacks
C. Increasing the frequency of associated password changes
D. Increasing the length of authentication strings

You answered A. The correct answer is B.
A. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks.
B. Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology.
C. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk.
D. Increasing the length of authentication strings will not prevent man-in-the-middle or session hijacking attacks.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)

You answered A. The correct answer is B.
A. The certificate revocation list (CRL) is a list of certificates that have been revoked before their scheduled expiration date.
B. The certification practice statement (CPS) is the how-to document used in policy-based public key infrastructure (PKI).
C. The certificate policy (CP) sets the requirements that are subsequently implemented by the CPS.
D. The PKI disclosure statement (PDS) covers critical items such as the warranties, limitations and obligations that legally bind each party.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
A. Malicious code could be spread across the network.
B. The VPN logon could be spoofed.
C. Traffic could be sniffed and decrypted.
D. The VPN gateway could be compromised.

You answered B. The correct answer is A.
A. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic.
B. A secure VPN solution would use two-factor authentication to prevent spoofing.
C. VPN traffic should be encrypted, making the sniffing of traffic unimportant.
D. A misconfigured or poorly implemented VPN gateway could be subject to attack, but if it is located in a secure subnet, then the risk is reduced.

The responsibility for authorizing access to application data should be with the:
A. data custodian.
B. database administrator (DBA).
C. data owner.
D. security administrator.

You answered B. The correct answer is C.
A. Data custodians are responsible only for storing and safeguarding the data according to the direction provided by the data owner.
B. The database administrator (DBA) is responsible for managing the database, not determining who is authorized to access the data in the database.
C. Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible and ensuring that appropriate controls are in place to protect their data and systems. The ultimate responsibility for data resides with the data owner.
D. The security administrator may lead investigations and is responsible for implementing and maintaining information security policy, but not for authorizing data access.

Which of the following preventive controls BEST helps secure a web application?
A. Password masking
B. Developer training
C. Encryption
D. Vulnerability testing

You answered C. The correct answer is B.
A. Password masking is a necessary preventive control but is not the best way to secure an application.
B. Of the given choices, teaching developers to write secure code is the best way to secure a web application.
C. Encryption will protect data but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices.
D. Vulnerability testing can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.

An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging

You answered D. The correct answer is A.
A. Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users.
B. Vitality detection tries to ensure that a user presenting a biometric is "alive" and not merely an image or photocopy of the biometric values.
C. Multimodal biometrics uses a combination of biometric methods to authenticate a user. If the attacker can gain access to the biometric templates, the use of multiple templates will not be an effective control.
D. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
A. Secure Sockets Layer (SSL)
B. Intrusion detection system (IDS)
C. Public key infrastructure (PKI)
D. Virtual private network (VPN)

You answered D. The correct answer is A.
A. Secure Sockets Layer (SSL) is used for many e-commerce applications to set up a secure channel for communications, providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code (HMAC).
B. An intrusion detection system (IDS) will log network activity but is not used for protecting traffic over the Internet.
C. Public key infrastructure (PKI) is used in conjunction with SSL or for securing communications such as e-commerce and email.
D. A virtual private network (VPN) is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection (OSI) stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem utilizing global system for mobile communications (GSM) technology. This modem is being used to connect the CIO's laptop to the corporate virtual private network (VPN) when the CIO travels outside of the office. The IS auditor should:
A. do nothing because the inherent security features of GSM technology are appropriate.
B. recommend that the CIO stop using the laptop computer until encryption is enabled.
C. ensure that media access control (MAC) address filtering is enabled on the network so unauthorized wireless users cannot connect.
D. suggest that two-factor authentication be used over the wireless link to prevent unauthorized communications.

You answered D. The correct answer is A.
A. The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. The confidentiality of the communication on the GSM radio link is ensured by the use of encryption, and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11b wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled.
B. Because the chief information officer (CIO) is using a VPN, it can be assumed that encryption is enabled in addition to the security features in GSM.
C. Media access control (MAC) filtering can be used on a wireless LAN but does not apply to a GSM network device.
D. Because the GSM network is being used rather than a wireless LAN, it is not possible to configure settings for two-factor authentication over the wireless link.

Which of the following is the GREATEST risk to the effectiveness of application system controls?
A. Removal of manual processing steps
B. Inadequate procedure manuals
C. Collusion between employees
D. Unresolved regulatory compliance issues

You answered D. The correct answer is C.
A. Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls.
B. The lack of documentation is a problem on many systems but not a serious risk in most cases.
C. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented.
D. Unresolved regulatory compliance issues are a risk but do not measure the effectiveness of the controls.

The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transforming.
D. hashing.

You are correct, the answer is A.
A. Encapsulation, or tunneling, is a technique used to encrypt the traffic payload so that it can be securely transmitted over an insecure network.
B. Wrapping is used where the original packet is wrapped in another packet but is not directly related to security.
C. To transform or change the state of the communication would not be used for security.
D. Hashing is used in virtual private networks (VPNs) to ensure message integrity.

Which of the following is an advantage of elliptic curve encryption (ECC) over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Message integrity controls

You are correct, the answer is A.
A. The main advantage of elliptic curve encryption (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA.
B. Both encryption methods support digital signatures.
C. Both encryption methods are used for public key encryption and distribution.
D. Both ECC and RSA offer message integrity controls.

When using public key encryption to secure data being transmitted across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C. the key used to encrypt is public, but the key used to decrypt the data is private.
D. both the key used to encrypt and decrypt the data are private.

You are correct, the answer is C.
A. The public and private keys always work as a pair—if a public key is used to encrypt a message, the corresponding private key MUST be used to decrypt the message.
B. If the message is encrypted with a private key, that will provide proof of origin but not message security or confidentiality.
C. Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.
D. Using two private keys would not be possible with asymmetric encryption.

When planning an audit of a network setup, an IS auditor should give HIGHEST priority to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures

You answered A. The correct answer is A.
A. The wiring and schematic diagram of the network is necessary to carry out a network audit. The IS auditor needs to know what equipment, configuration and addressing is used on the network to perform an audit of the network setup.
B. When performing an audit of network setup, the users' lists would not be of value.
C. Application lists are not required to audit network configuration.
D. Backup and recovery procedures are important but not as important as knowing the network layout.

Which of the following results in a denial-of-service (DoS) attack?
A. Brute force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement (NAK) attack

You answered A. The correct answer is B.
A. A brute force attack is typically a text attack that exhausts all possible key combinations used against encryption keys or passwords.
B. The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service.
C. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host.
D. A negative acknowledgment (NAK) attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

A new business application has been designed in a large, complex organization and the business owner has requested that the various reports be viewed on a "need to know" basis. Which of the following access control methods would be the BEST method to achieve this requirement?
A. Mandatory
B. Role-based
C. Discretionary
D. Single sign-on (SSO)

You answered A. The correct answer is B.
A. An access control system based on mandatory access control (MAC) would be expensive, and difficult to implement and maintain in a large complex organization.
B. Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis.
C. Discretionary access control (DAC) is where the owner of the resources decides who should have access to that resource. Most access control systems are an implementation of DAC. This answer is not specific enough for this scenario.
D. Single sign-on (SSO) is an access control technology used to manage access to multiple systems, networks and applications. This answer is not specific enough for this question.

An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web sites for the company. Which of the following choices would be the HIGHEST risk?
A. Expired digital certificates
B. Self-signed digital certificates
C. Using the same digital certificate for multiple web sites
D. Using 56-bit digital certificates

You answered A. The correct answer is B.
A. An expired certificate leads to blocked access to the web site, leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower.
B. Self-signed digital certificates are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft or perpetrate a man-in-the-middle attack.
C. Using the same digital certificate is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites.
D. 56-bit digital certificates may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

Which of the following systems or tools can recognize that a credit card transaction is more likely to have resulted from a stolen credit card than from the holder of the credit card?
A. Intrusion detection systems (IDSs)
B. Data mining techniques
C. Firewalls
D. Packet filtering routers

You answered A. The correct answer is B.
A. An intrusion detection system (IDS) is effective in detecting network or host-based errors but not effective in measuring fraudulent transactions.
B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.
C. A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions.
D. A packet filtering router operates at a network level and cannot see a transaction.

A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and:
A. recovery.
B. retention.
C. rebuilding.
D. reuse.

You answered A. The correct answer is B.
A. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate recovery.
B. Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which email communication is held in the same regard as the official form of classic "paper" makes the retention policy of corporate email a necessity. All email generated on an organization's hardware is the property of the organization, and an email policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of emails after a specified time to protect the nature and confidentiality of the messages themselves.
C. Email policy should address the business and legal requirements of email retention. Addressing the retention issue in the email policy would facilitate rebuilding.
D. Email policy should address the business and legal requirements of email retention. Reuse of email is not a policy matter.

Digital signatures require the:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.

You answered A. The correct answer is B.
A. If a sender encrypts a message with a public key, it will provide confidential transmission to the receiver with the private key.
B. Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is based on the sender encrypting a digest of the message with their private key and the receiver validating the message with the public key.
C. Asymmetric key cryptography always works with key pairs. Therefore, a message encrypted with a public key could only be opened with a private key.
D. If both the sender and receiver have a private key, there would be no way to validate the digital signature.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk?
A. Project management and progress reporting is combined in a project management office which is driven by external consultants.
B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.
C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems.
D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

You answered A. The correct answer is B.
A. In postmerger integration programs, it is common to form project management offices (often staffed with external experts) to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources.
B. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications.
C. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process.
D. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.

During an audit of an internally developed, web-based purchase approval application, an IS auditor discovers that all business users share a common access profile. Which of the following is the MOST important recommendation for the IS auditor to include in the report?
A. Ensure that all user activity is logged and that the logs are reviewed by management.
B. Develop additional profiles within the application to restrict user access per the job profiles.
C. Ensure that a policy exists to control what activities users can perform within the application.
D. Ensure that a virtual private network (VPN) is implemented so that users can log on to the application securely.

You answered A. The correct answer is B.
A. Logging is a detective control and often a secondary recommendation in the event that technical issues or costs prohibit implementation of preventive controls.
B. The strongest control is a preventive control that is automated through the system. Developing additional access profiles would ensure that the system restricts users to privileges defined by their job responsibilities and that an audit trail exists for those user actions.
C. While a policy is a type of preventive control, it is not as strong a control as a logical control because its adoption and success rely on human behavior.
D. Virtual private network (VPN) access is recommended for secure access to the application. Implementing a VPN may not be necessary; however, the primary issue at hand is users sharing a common user profile.

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied?
A. Transfer
B. Mitigation
C. Avoidance
D. Acceptance

You answered A. The correct answer is B.
A. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk).
B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy.
C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure.
D. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?
A. Internet Protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)

You answered A. The correct answer is B.
A. The URL is based on Hypertext Transfer Protocol (HTTP); IP spoofing is used to change the source IP address in a Transmission Control Protocol/Internet Protocol (TCP/IP) packet, not in the HTTP protocol.
B. URL shortening services have been adopted by hackers to fool users and spread malware (i.e., phishing).
C. Although URL shortening services can be used to perform structured query language (SQL) injections, their primary risk is being used for phishing.
D. Denial-of-service (DoS) attacks are not affected by URL shortening services.

When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?
A. There is no registration authority (RA) for reporting key compromises.
B. The certificate revocation list (CRL) is not current.
C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures.
D. Subscribers report key compromises to the certificate authority (CA).

You answered A. The correct answer is B.
A. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA).
B. If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities.
C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures; therefore, this is not a risk.
D. Subscribers reporting key compromises to the CA is not a risk because reporting this to the CA enables the CA to take appropriate action.

When reviewing an organization's logical access security to its remote systems, which of the following would be of GREATEST concern to an IS auditor?
A. Passwords are shared.
B. Unencrypted passwords are used.
C. Redundant logon IDs exist.
D. Third-party users are granted administrator-level access.

You answered A. The correct answer is B.
A. The passwords should not be shared, but this is less important than ensuring that the password files are encrypted.
B. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it would be assumed that remote access would be over an untrusted network where passwords could be discovered.
C. Checking for the redundancy of logon IDs is essential, but is less important than ensuring that the passwords are encrypted.
D. There may be business requirements, such as the use of contractors, that require them to have system access, so this may not be a concern.

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IT audits are conducted periodically.
D. Create a chief risk officer (CRO) role in the organization.

You answered A. The correct answer is B.
A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario.
B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.
C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented.
D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

Which of the following is the MOST reliable sender authentication method? A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code

You answered A. The correct answer is C. A. Digital signatures are used for both authentication and integrity, but the identity of the sender would still be confirmed by the digital certificate. B. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. C. Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. D. Message authentication code is used for message integrity verification.

Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator? A. Targeted testing B. Internal testing C. Double-blind testing D. External testing

You answered A. The correct answer is C. A. In targeted testing, penetration testers are provided with information related to target and network design and the target's IT team is aware of the testing activities. B. Internal testing refers to attacks and control circumvention attempts on the target from within the perimeter. The system administrator is typically aware of the testing activities. C. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator. D. External testing is a generic term that refers to attacks and control circumvention attempts on the target from outside the target system. The system administrator may or may not be aware of the testing activities, so this is not the correct answer. (Note: Rather than concentrating on specific terms, CISA candidates should understand the differences between various types of penetration testing.)

Neural networks are effective in detecting fraud because they can: A. discover new trends because they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output.

You answered A. The correct answer is C. A. Neural networks are inherently nonlinear. B. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. D. Neural networks make no assumption about the shape of any curve relating variables to the output.

During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. Which of the following is the PRIMARY reason that this is a concern to the IS auditor? Without ownership there is no responsibility for: A. updating group metadata. B. reviewing existing user access. C. approval of user access. D. removing terminated users.

You answered A. The correct answer is C. A. Updating data about the group is not a great concern when compared to unauthorized access. B. While the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place. C. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group. D. Revoking access to terminated users is a compensating control for the normal termination process and is also a detective control.

What method might an IS auditor utilize to test wireless security at branch office locations? A. War dialing B. Social engineering C. War driving D. Password cracking

You answered A. The correct answer is C. A. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. B. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. C. War driving is a technique for locating and gaining access to wireless networks by driving or walking around a building with a wireless-equipped computer. D. Password crackers are tools used to guess users' passwords by trying combinations and dictionary words. Once a wireless device has been identified, password crackers may be used to try to attack it.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? A. The policy has not been updated in more than one year. B. The policy includes no revision history. C. The policy is approved by the security administrator. D. The company does not have an information security policy committee.

You answered A. The correct answer is C. A. While the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy could be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. B. The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet. C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore would not have the authority to approve the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. D. Although a policy committee drawn from across the company is a best practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern? A. System unavailability B. Exposure to malware C. Unauthorized access D. System integrity

You answered A. The correct answer is C. A. While untested common gateway interfaces (CGIs) can cause the end-user web application to be compromised, this is not likely to make the system unavailable to other users. B. Untested CGI scripts do not inherently lead to malware exposures. C. Untested CGIs can have security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers. D. While untested CGIs can cause the end-user web application to be compromised, this is not likely to significantly impact system integrity.

Which of the following should be of MOST concern to an IS auditor reviewing the business continuity plan (BCP)? A. The disaster levels are based on scopes of damaged functions but not on duration. B. The difference between low-level disaster and software incidents is not clear. C. The overall BCP is documented, but detailed recovery steps are not specified. D. The responsibility for declaring a disaster is not identified.

You answered A. The correct answer is D. A. Although failure to consider duration could be a problem, it is not as significant as scope, and neither is as critical as the need to identify someone with the authority to invoke the business continuity plan (BCP). B. The difference between incidents and low-level disasters is always unclear and frequently revolves around the amount of time required to correct the damage. C. The lack of detailed steps should be documented, but their absence does not mean a lack of recovery if, in fact, someone has invoked the BCP. D. If nobody declares the disaster, the BCP would not be invoked, making all other concerns less important.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.

You answered A. The correct answer is D. A. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. B. Causing many false alarms is normal for a behavior-based intrusion detection system (IDS), and should not be a matter of concern. C. Being weak against new types of attacks is expected from a signature-based IDS because it can only recognize attacks that have been previously identified. D. An IDS cannot detect attacks within encrypted traffic, and it would be a concern if someone were misinformed and thought that the IDS could detect attacks in encrypted traffic.

Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information? A. Degaussing B. Defragmenting C. Erasing D. Destroying

You answered A. The correct answer is D. A. Degaussing or demagnetizing is a good control, but not sufficient to fully erase highly confidential information from magnetic media. B. The purpose of defragmentation is to improve efficiency by eliminating fragmentation in file systems; it does not remove information. C. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information. D. Destroying magnetic media is the only way to assure that confidential information cannot be recovered.

There is a concern that the risk of unauthorized access may increase after implementing a single sign-on (SSO) process. To prevent unauthorized access, the MOST important action is to: A. ensure that all failed authentication attempts are monitored. B. review log files regularly. C. ensure that all unused accounts are deactivated. D. mandate a strong password policy.

You answered A. The correct answer is D. A. Ensuring that all failed authentication attempts are monitored is a good practice; however, a strong password policy is a better preventive control. B. Reviewing the log files can increase the probability of detecting unauthorized access but may not be effective in preventing unauthorized access. C. Ensuring that all unused accounts are deactivated is important; however, a strong password policy is a better preventive control. D. Single sign-on (SSO) is a great productivity boost for users and the IT organization because users do not need to enter user IDs and passwords repeatedly. SSO significantly reduces the number of IT help desk calls regarding lost passwords. For any authentication system, SSO or not, a strong password policy is crucial.

An online stock trading firm is in the process of implementing a system to provide secure email exchange with its customers. What is the BEST option to ensure confidentiality, integrity and nonrepudiation? A. Symmetric key encryption B. Digital signatures C. Message digest algorithms D. Digital certificates

You answered A. The correct answer is D. A. Symmetric key encryption uses a single pass phrase to encrypt and decrypt the message. While this type of encryption is strong, it suffers from the inherent problem of needing to share the pass phrase in a secure manner and does not address integrity and nonrepudiation. B. Digital signatures provide message integrity and nonrepudiation; however, confidentiality is not provided. C. Message digest algorithms are a way to design hashing functions to verify the integrity of the message/data. Message digest algorithms do not provide confidentiality or nonrepudiation. D. A digital certificate contains the public key and identifying information about the owner of the public key. The associated private key pair is kept secret with the owner. These certificates are generally verified by a trusted authority, with the purpose of associating a person's identity with the public key. Email confidentiality and integrity are obtained by following the public key-private key encryption. With the digital certificate verified by the trusted third party, nonrepudiation of the sender is obtained.

The implementation of access controls FIRST requires: A. a classification of IS resources. B. the labeling of IS resources. C. the creation of an access control list (ACL). D. an inventory of IS resources.

You answered A. The correct answer is D. A. The first step in implementing access controls is an inventory of IS resources, which is the basis for classification. B. Labeling resources cannot be done without first determining the resources' classifications. C. The access control list (ACL) would not be done without a meaningful classification of resources. D. The first step in implementing access controls is an inventory of IS resources, which is the basis for establishing ownership and classification.

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls? A. Use of a point-to-point leased line B. Use of a firewall rule to allow only the Internet Protocol (IP) address of the remote site C. Use of two-factor authentication D. Use of a nonstandard port for Telnet

You answered B. The correct answer is A. A. A leased line will effectively extend the local area network (LAN) of the headquarters to the remote site, and the mainframe Telnet connection would travel over the private line, which would be less of a security risk when using an insecure protocol such as Telnet. B. A firewall rule at the headquarters network to only allow Telnet connections from the Internet Protocol (IP) address assigned to the remote site would make the connection more secure; however, there is the possibility that the source address could be spoofed by an attacker, and therefore, a dedicated leased line would be more secure. C. While two-factor authentication would enhance the login security, it would not secure the transmission channel against eavesdropping, and, therefore, a leased line would be a better option. D. Attacks on network services start with the assumption that network services use the standard Transmission Control Protocol (TCP)/IP port number assigned for the service, which is port 23 for Telnet. By reconfiguring the host and client, a different port can be used. Assigning a nonstandard port for services is a good general security practice because it makes it more difficult to determine what service is using the port; however, in this case, creating a leased-line connection to the remote site would be a better solution.

Which of the following is the BEST control over a guest wireless ID that is given to vendor staff? A. Assignment of a renewable user ID which expires daily B. A write-once log to monitor the vendor's activities on the system C. Utilization of a user ID format similar to that used by employees D. Ensuring that wireless network encryption is configured properly

You answered B. The correct answer is A. A. A renewable user ID which expires daily would be a good control because it would ensure that wireless access will automatically terminate daily and cannot be used without authorization. B. While it is recommended to monitor vendor activities while vendor staff are on the system, this is a detective control and thus is not as strong as a preventive control. C. The user ID format does not change the overall security of the wireless connection. D. Controls related to the encryption of the wireless network are important; however, the access to that network is a more critical issue.

Which of the following groups would create MOST concern to an IS auditor if they have direct full access to the production database? A. Application testers B. System administrators C. The database owner D. The data recovery team

You answered B. The correct answer is A. A. Application testers should be restricted to the nonproduction environment and, if they have full access to the production database, the confidentiality and integrity of data become questionable. B. System administrators may require full production access to conduct their administration duties; however, they should be monitored for unauthorized activity. C. Database owners can have full access to the production database because they are owners and accountable for the database. D. The data recovery team will need full access to make sure the complete database is recoverable.

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? A. False-acceptance rate (FAR) B. Equal-error rate (EER) C. False-rejection rate (FRR) D. False-identification rate (FIR)

You answered B. The correct answer is A. A. False-acceptance rate (FAR) is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, limiting the number of false acceptances is more important than the impact on the false-rejection rate. B. Equal-error rate (EER) (also called the crossover error rate) is the point where the FAR equals the false-rejection rate (FRR). This is the criterion used to measure the optimal accuracy of the biometric system, but in a highly secure environment, the FAR is more important than the EER. C. FRR denies an authorized person access, but this is less important than the FAR because it is better to deny access to an authorized individual than to grant access to an unauthorized individual. D. False-identification rate (FIR) is the probability that an authorized person is identified, but is assigned a false ID.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: A. periodic review of user activity logs. B. verification of user authorization at the field level. C. review of data communication access activity logs. D. periodic review of changing data files.

You answered B. The correct answer is A. A. General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted. B. Verification of user authorization at the field level is a database- and/or an application-level access control function and not applicable to an operating system. C. Review of data communication access activity logs is a network control feature. D. Periodic review of changing data files is related to a change control process.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: A. the users may not remember to manually encrypt the data before transmission. B. the site credentials were sent to the financial services company via email. C. personnel at the consulting firm may obtain access to sensitive data. D. the use of a shared user ID to the FTP site does not allow for user accountability.

You answered B. The correct answer is A. A. If the data is not encrypted, an unauthorized external party may download sensitive company data. B. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it. C. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol (VoIP) packet network. The organization believes it is a victim of eavesdropping. Which of the following could result in eavesdropping of VoIP traffic? A. Corruption of the Address Resolution Protocol (ARP) cache in Ethernet switches B. Use of a default administrator password on the analog phone switch C. Deploying virtual local area networks (VLANs) without enabling encryption D. End users having access to software tools such as packet sniffer applications

You answered B. The correct answer is A. A. On an Ethernet switch there is a data table known as the Address Resolution Protocol (ARP) cache, which stores mappings between media access control (MAC) and IP addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply "flood" the directed traffic to all ports of the switch, which could allow an attacker to monitor traffic not normally visible to the port where the attacker was connected, and thereby eavesdrop on Voice-over Internet Protocol (VoIP) traffic. B. VoIP systems do not use analog switches and inadequate administrator security controls would not be an issue. C. VoIP data are not normally encrypted in a LAN environment because the controls regarding VLAN security are adequate. D. Most software tools such as packet sniffers cannot make changes to LAN devices, such as the VLAN configuration of an Ethernet switch used for VoIP. Therefore, the use of software utilities of this type is not a risk.

The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service (DoS) attack is to deny all: A. outgoing traffic with Internet Protocol (IP) source addresses external to the network. B. incoming traffic with discernible spoofed IP source addresses. C. incoming traffic with IP options set. D. incoming traffic to critical hosts.

You answered B. The correct answer is A. A. Outgoing traffic with an Internet Protocol (IP) source address different than the internal IP range in the network is invalid. In most of the cases, it signals a denial-of-service (DoS) attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack. B. Denying incoming traffic will not prevent an internal machine from participating in an attack on an outside target. C. Incoming traffic will have the IP options set according to the type of traffic. This is a normal condition. D. Denying incoming traffic to internal hosts will prevent legitimate traffic.

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support Voice-over Internet Protocol (VoIP) communication via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions

You answered B. The correct answer is A. A. Reliability and quality of service (QoS) are the primary considerations to be addressed. Voice communications require consistent levels of service, which may be provided through QoS and class of service (CoS) controls. B. The company currently has a virtual private network (VPN); authentication has been implemented by the VPN using tunneling. C. Privacy of voice transmissions is provided by the VPN protocol. D. The company currently has a VPN; confidentiality of both data and Voice-over Internet Protocol (VoIP) traffic has been implemented by the VPN using tunneling.

Web and email filtering tools are PRIMARILY valuable to an organization because they: A. protect the organization from viruses and nonbusiness materials. B. maximize employee performance. C. safeguard the organization's image. D. assist the organization in preventing legal issues.

You answered B. The correct answer is A. A. The main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email. B. Maximizing employee performance could be true in some circumstances (i.e., it would need to be implemented along with an awareness program so that employee performance can be significantly improved). However, the primary benefit is protecting the organization from viruses and nonbusiness activity. C. Safeguarding the organization's image is a secondary benefit. D. Preventing legal issues is important, but not the primary reason for filtering.

A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted? A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP). B. A digital signature with RSA has been implemented. C. Digital certificates with RSA are being used. D. Work is being completed in TCP services.

You answered B. The correct answer is A. A. Tunnel mode with Internet Protocol (IP) security provides encryption and authentication of the complete IP package. To accomplish this, the authentication header (AH) and encapsulating security payload (ESP) services can be nested. This is known as IP Security (IPSec). B. A digital signature with RSA provides authentication and integrity but not confidentiality. C. Digital certificates with RSA provide authentication and integrity but do not provide encryption. D. Transmission Control Protocol (TCP) services do not provide encryption and authentication.

An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine (VM) management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? A. Developers have the ability to create or de-provision servers. B. Developers could gain elevated access to production servers. C. Developers can affect the performance of production servers with their applications. D. Developers could install unapproved applications to any servers.

You answered B. The correct answer is A. A. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. B. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface. C. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs. D. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.

Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce? A. Registration authority B. Certificate authority (CA) C. Certification revocation list (CRL) D. Certification practice statement

You answered B. The correct answer is B. A. A registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the certificate authority (CA). B. The CA maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication. C. A CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. A certificate that is put on a CRL can no longer be trusted. D. A certification practice statement is a detailed set of rules governing the certificate authority's operations.

During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol (VoIP) over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? A. Network equipment failure B. Distributed denial-of-service (DDoS) attack C. Premium-rate fraud (toll fraud) D. Social engineering attack

You answered B. The correct answer is B. A. The use of Voice-over Internet Protocol (VoIP) does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. B. A distributed denial-of-service (DDoS) attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications. C. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. D. Social engineering, which involves gathering sensitive information to launch an attack, can be exercised over any kind of telephony.

Which of the following types of penetration tests simulates a real attack and is used to test incident handling and response capability of the target? A. Blind testing B. Targeted testing C. Double-blind testing D. External testing

You answered B. The correct answer is C. A. Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted. B. Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point. C. Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning—both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real. D. External testing refers to a test where an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).

A human resources (HR) company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation? A. The password for the wireless network is changed on a weekly basis. Incorrect B. A stateful inspection firewall is used between the public wireless and company networks. C. The public wireless network is physically segregated from the company network. D. An intrusion detection system (IDS) is deployed within the wireless network.

You answered B. The correct answer is C. A. Changing the password for the wireless network does not secure against unauthorized access to the company network, especially because a guest could gain access to the wireless local area network (WLAN) at any time prior to the weekly password change interval. B. A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the configuration of the firewall would need to be audited and firewall compromises, although unlikely, are possible. C. Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion. D. An intrusion detection system (IDS) will detect intrusions but will not prevent unauthorized individuals from accessing the network.

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network (VPN). Incorrect B. Biometric scanners are not installed in restricted areas. C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. D. Biometric system risk analysis was last conducted three years ago.

You answered B. The correct answer is C. A. Generally, virtual private network (VPN) software provides a secure tunnel so that remote administration functions can be performed. This is not a concern. B. Biometric scanners are best located in restricted areas to prevent tampering, but video surveillance is an acceptable mitigating control. The greatest concern is lack of a securely encrypted tunnel between the scanners and the access control system. C. Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data. D. The biometric risk analysis should be reperformed periodically, but an analysis performed three years ago is not necessarily a cause for concern.

An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. The IS auditor should conclude that this is: A. an effective preventive control. Incorrect B. a valid detective control. C. not an adequate control. D. a corrective control.

You answered B. The correct answer is C. A. Generation of an activity log is not a preventive control because it cannot prevent inappropriate access. B. Generation of an activity log is not a detective control because it does not help in detecting inappropriate access unless it is reviewed by appropriate personnel. C. Generation of an activity log is not a control by itself. It is the review of such a log that makes the activity a control (i.e., generation plus review equals control). D. Generation of an activity log is not a corrective control because it does not correct the effect of inappropriate access.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: A. eavesdropping. Incorrect B. spoofing. C. traffic analysis. D. masquerading.

You answered B. The correct answer is C. A. In eavesdropping, which is a passive attack, the intruder gathers the information flowing through the network with the intent of acquiring message contents for personal analysis or for third parties. B. Spoofing is an active attack in which the attacker forges the apparent origin of a message; for example, a user receives an email that appears to have originated from one source when it actually was sent from another source. C. In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and, through an analysis of session length, frequency and message length, is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results. D. In masquerading, the intruder presents an identity other than the original identity. This is an active attack.

Which of the following is the MOST effective type of antivirus software to detect an infected application? A. Scanners Incorrect B. Active monitors C. Integrity checkers D. Vaccines

You answered B. The correct answer is C. A. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executable files and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. B. Active monitors interpret disk operating system (DOS) and read-only memory (ROM) basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions such as formatting a disk or deleting a file or set of files. C. Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. D. Vaccines are known to be good antivirus software. However, they need to be updated periodically to remain effective.
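As an added worked example (not part of the quiz or of ISACA's material), here is a minimal integrity checker of the kind option C describes: a baseline of CRC-32 values over known-clean program images, recomputed before each execution and compared against the stored value. A plain CRC is not keyed, so malware that can modify a program can also recompute and overwrite its stored CRC; the block therefore also includes an HMAC-SHA256 variant, on the assumption that the key is stored off the host (for example on removable media). The program images, their names, the key and the "virus" payload are all constructed sample data.

```python
import hashlib
import hmac
import zlib

# Constructed sample "programs": byte strings standing in for executable images on disk.
CLEAN_PROGRAMS = {
    "ls": b"\x7fELF\x02\x01\x01" + b"ls-v1.0 code " * 8,
    "sh": b"\x7fELF\x02\x01\x01" + b"sh-v1.0 code " * 8,
}


def crc_baseline(programs):
    """Record one CRC-32 per known-clean program, as the text describes."""
    return {name: zlib.crc32(image) & 0xFFFFFFFF for name, image in programs.items()}


def crc_check(name, image, baseline):
    """True if the image about to run still matches its recorded CRC-32."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == baseline.get(name)


def hmac_baseline(programs, key):
    """Keyed variant: an attacker without the key cannot forge a matching value."""
    return {name: hmac.new(key, image, hashlib.sha256).hexdigest()
            for name, image in programs.items()}


def hmac_checker(key):
    """Return a check function bound to the key, in the same shape as crc_check."""
    def check(name, image, baseline):
        expected = baseline.get(name)
        if expected is None:
            return False  # unknown program: fail closed rather than trust it
        actual = hmac.new(key, image, hashlib.sha256).hexdigest()
        return hmac.compare_digest(actual, expected)
    return check


def scan(programs, baseline, checker):
    """Names of programs whose check fails, i.e. whose image changed since the baseline."""
    return sorted(name for name, image in programs.items()
                  if not checker(name, image, baseline))


def infect(image, payload=b"\x90\x90VIRUS-STUB\xeb\xfe"):
    """Simulate a file-infecting virus appending code to an executable (constructed)."""
    return image + payload


if __name__ == "__main__":
    baseline = crc_baseline(CLEAN_PROGRAMS)
    infected = dict(CLEAN_PROGRAMS, ls=infect(CLEAN_PROGRAMS["ls"]))
    print("CRC check flags:", scan(infected, baseline, crc_check))
    key = b"key-kept-off-host"  # assumption: loaded from removable media, not stored with the baseline
    print("HMAC check flags:", scan(infected, hmac_baseline(CLEAN_PROGRAMS, key), hmac_checker(key)))
```

Either variant catches the appended code; the difference is what happens when the malware also has write access to the baseline database, which is why the keyed form is the one a practitioner would deploy.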

Which of the following types of firewalls provide the GREATEST degree and granularity of control? A. Screening router Incorrect B. Packet filter C. Application gateway D. Circuit gateway

You answered B. The correct answer is C. A. Screening routers and packet filters work at the protocol, service and/or port level. This means that they analyze packets from layers 3 and 4 and not from higher levels. B. A packet filter works at too low a level of the communication stack to provide granular control. C. The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transfer Protocol (HTTP) proxy that acts as an intermediary between externals and internals, but is specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (layers 5 and 7). Therefore, it works in a more detailed (granular) way than the other choices. D. A circuit gateway is based on a proxy or program that acts as an intermediary between external and internal accesses. This means that during an external access, instead of opening a single connection to the internal server, two connections are established: one from the external client to the proxy (which forms the circuit gateway) and one from the proxy to the internal server. Layers 3 and 4 (IP and Transmission Control Protocol [TCP]) and some general features from higher protocols are used to perform these tasks.
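An added example (not from the page) of the difference in granularity: a packet filter sees only addresses and ports, so it passes anything bound for TCP/80 on the web server, while an application gateway parses the HTTP request itself and can reject methods, request targets and headers it does not recognise, even though they ride on the same allowed 5-tuple. The server address is an RFC 5737 documentation address, and the sample requests are constructed.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_HEADER_BYTES = 8192
WEB_SERVER = ("203.0.113.10", 80)  # constructed: TEST-NET-3 address of the protected web server


def packet_filter(src_ip, dst_ip, dst_port):
    """Layer 3/4 decision: the rule can only reason about addresses and ports."""
    return (dst_ip, dst_port) == WEB_SERVER


def http_proxy_inspect(raw):
    """Application-gateway decision on one raw HTTP request. Returns (allowed, reason)."""
    if len(raw) > MAX_HEADER_BYTES:
        return False, "request head too large"
    head, _, _ = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return False, "unsupported version " + version
    if method not in ALLOWED_METHODS:
        return False, "method " + method + " not permitted"
    if not target.startswith("/"):
        # absolute-form and authority-form targets are how CONNECT tunnelling and
        # open-proxy abuse look on the wire; this proxy only fronts one origin
        return False, "non origin-form request target rejected"
    if ".." in target.split("?")[0].split("/"):
        return False, "path traversal in request target"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return False, "missing Host header"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: identical at layer 3/4, very different at layer 7.
    benign = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    trace = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    traversal = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    for req in (benign, trace, traversal):
        print(packet_filter("198.51.100.7", *WEB_SERVER), http_proxy_inspect(req))
```

The packet filter answers True for all three; only the proxy distinguishes them, and it can do so because it reconstructs the protocol rather than matching header fields.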

An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend? A. Encrypted mail accounts Incorrect B. Training and awareness C. Activity monitoring D. Data loss prevention (DLP)

You answered B. The correct answer is D. A. Encrypted email accounts will secure the information being sent, but will not prevent an employee from sending the information to an unauthorized person. B. Training and awareness, while important to tailor employee behavior, are not as strong as an automated preventive control. C. Activity monitoring is a detective control and will not prevent data from leaving the network. D. Data loss prevention (DLP) is an automated preventive tool that can block sensitive information from leaving the network, while at the same time logging the offenders.

Which of the following is the MOST effective method for dealing with the spread of a network worm that exploits a vulnerability in a protocol? A. Install the vendor's security fix for the vulnerability. Incorrect B. Block the protocol traffic in the perimeter firewall. C. Block the protocol traffic between internal network segments. D. Stop the service until an appropriate security fix is installed.

You answered B. The correct answer is D. A. If the service is not stopped, installing the fix is not the most effective method because the worm continues spreading until the fix becomes effective. B. Blocking the protocol on the perimeter does not stop the worm from spreading if it is introduced to the internal network(s) via a universal serial bus (USB) or other portable media. C. Blocking the protocol helps to slow the spread, but also prohibits any software that utilizes it from working between segments. D. Stopping the service and installing the security fix is the safest way to prevent the worm from spreading.

Which of the following is responsible for the approval of an information security policy? A. The IT department Incorrect B. The security committee C. The security administrator D. The board of directors

You answered B. The correct answer is D. A. The IT department is responsible for the execution of the policy, having no authority in framing the policy. B. The security committee also functions within the broad security policy framed by the board of directors. C. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors.

Which of the following is the BEST control to mitigate the risk of pharming attacks to an Internet banking application? A. User registration and password policies Incorrect B. User security awareness C. Use of intrusion detection/intrusion prevention systems (IDSs/IPSs) D. Domain name system (DNS) server security hardening

You answered B. The correct answer is D. A. User registration and password policies cannot mitigate pharming attacks because they do not prevent manipulation of domain name system (DNS) records. B. User security awareness cannot mitigate pharming attacks because it does not prevent manipulation of DNS records. C. The use of intrusion detection/intrusion prevention systems (IDSs/IPSs) cannot mitigate pharming attacks because they do not prevent manipulation of DNS records. D. The pharming attack redirects the traffic to an unauthorized web site by exploiting vulnerabilities of the DNS server. To avoid this kind of attack, it is necessary to eliminate any known vulnerability that could allow DNS poisoning. Older versions of DNS software are vulnerable to this kind of attack and should be patched.

A company determined that its web site was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident? A. A host-based intrusion prevention system (IPS) B. A network-based intrusion detection system (IDS) Incorrect C. A firewall D. Operating system (OS) patching

You answered C. The correct answer is A. A. A host-based intrusion prevention system (IPS) prevents unauthorized changes to the host. If a malware attack attempted to install a rootkit, the IPS would refuse to permit the installation without the consent of an administrator. B. A network-based intrusion detection system (IDS) relies on attack signatures based on known exploits and attack patterns. If the IDS is not kept up to date with the latest signatures, or the attacker is able to create or gain access to an exploit unknown to the IDS, it will go undetected. A web server exploit performed through the web application itself, such as a structured query language (SQL) injection attack, would not appear to be an attack to the network-based IDS. C. A firewall by itself does not protect a web server because the ports required for users to access the web server must be open in the firewall. Web server attacks are typically performed over the same ports that are open for normal web traffic. Therefore, a firewall does not protect the web server. D. Operating system (OS) patching will make exploitation of the server more difficult for the attacker and less likely. However, attacks on the web application and server OS may succeed based on issues unrelated to any unpatched server vulnerabilities, and the host-based IPS should detect any attempts to change files on the server, regardless of how access was obtained.

Which of the following is the BEST way to minimize unauthorized access to unattended end-user PC systems? A. Enforce use of a password-protected screen saver B. Implement proximity-based authentication system Incorrect C. Terminate user session at predefined intervals D. Adjust power management settings so the monitor screen is blank

You answered C. The correct answer is A. A. A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training. B. There are solutions that will lock machines when users step away from their desks, and those would be suitable here; however, those tools are a more expensive solution, which would normally include the use of smart cards and extra hardware. Therefore, the use of a password-protected screen saver would be a better solution. C. Terminating user sessions is often done for remote login (periodic re-authentication) or after a certain amount of inactivity on a web or server session. There is more risk related to leaving the workstation unlocked; therefore, this is not the correct answer. D. Switching off the monitor would not be a solution because the monitor could simply be switched on.

Which of the following is the BEST way to satisfy a two-factor user authentication? A. A smart card requiring the user's personal identification number (PIN) B. User ID along with password Incorrect C. Iris scanning plus fingerprint scanning D. A magnetic card requiring the user's PIN

You answered C. The correct answer is A. A. A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows (e.g., a keyboard password or personal identification number [PIN]). This is an example of two-factor authentication. B. An ID and password, what the user knows, is a single-factor user authentication. C. Using two of the same factors (in this case biometrics) is not a two-factor user authentication. D. This is an example of two-factor authentication; however, a magnetic card is much easier to copy than a smart card so the use of a smart card with a PIN is better.

With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A. Core activities that provide a differentiated advantage to the organization have been outsourced. B. Periodic renegotiation is not specified in the outsourcing contract. Incorrect C. The outsourcing contract fails to cover every action required by the business. D. Similar activities are outsourced to more than one vendor.

You answered C. The correct answer is A. A. An organization's core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that should be concerned. B. An IS auditor should not be concerned about periodic renegotiation in the outsourcing contract because that is dependent on the term of the contract. C. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, but should cover business requirements. D. Multisourcing is an acceptable way to reduce risk associated with a single point of failure.

Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse? A. Implement column- and row-level permissions B. Enhance user authentication via strong passwords Incorrect C. Organize the data warehouse into subject matter-specific databases D. Log user access to the data warehouse

You answered C. The correct answer is A. A. Column- and row-level permissions control what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted (e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff). Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data (views) rather than physical tables. This "fine-grained" security model is likely to offer the best balance between information protection and support for a wide range of analytical and reporting uses. B. Enhancing user authentication via strong passwords is a security control that should apply to all users of the data warehouse and does not specifically address protection of specific sensitive data. C. Organizing a data warehouse into subject-specific databases is a potentially useful practice but, in itself, does not adequately protect sensitive data. Database-level security is normally too "coarse" a level to efficiently and effectively protect information. For example, one database may hold information that needs to be restricted, such as employee salary and customer profitability details, while other information, such as employee department, may need to be legitimately accessed by a large number of users. Like strong authentication, organizing the data warehouse into subject matter-specific databases is a control that should generally apply. Extra attention could be devoted to reviewing access to tables with sensitive data, but this control is not sufficient without strong preventive controls at the column and row level. D. Logging user access is important, but it is only a detective control that will not provide adequate protection to sensitive information.
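An added example (not from the page) of the view-based approach in option A, run against an in-memory SQLite database. The employee rows are constructed sample data. SQLite has no GRANT or session roles, so a single-row session_context table stands in for the caller's role; in PostgreSQL, Oracle or SQL Server the predicate would reference the session user instead, and the analyst role would be granted SELECT on the views only, with no privilege on the base table.

```python
import sqlite3

VIEWS = {"employee_directory", "salary_report"}  # the only objects analysts may query


def build_warehouse():
    """Constructed warehouse: one base table, one column-restricted view, one row-restricted view."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (
            emp_id INTEGER PRIMARY KEY, name TEXT, department TEXT,
            salary INTEGER, is_executive INTEGER);
        INSERT INTO employees VALUES
            (1, 'A. Analyst', 'Finance',     70000, 0),
            (2, 'B. Builder', 'Engineering', 95000, 0),
            (3, 'C. Chief',   'Executive',  400000, 1);

        -- stand-in for the session user/role (assumption: a real RDBMS supplies this)
        CREATE TABLE session_context (role TEXT NOT NULL);
        INSERT INTO session_context VALUES ('analyst');

        -- column-level security: the directory view never exposes salary
        CREATE VIEW employee_directory AS
            SELECT emp_id, name, department FROM employees;

        -- row-level security: executive salaries appear only for the hr_director role
        CREATE VIEW salary_report AS
            SELECT emp_id, name, salary FROM employees
            WHERE is_executive = 0
               OR (SELECT role FROM session_context) = 'hr_director';
    """)
    return conn


def set_role(conn, role):
    conn.execute("UPDATE session_context SET role = ?", (role,))


def query(conn, view):
    """Rows visible through a named view; refuses anything outside the allowed set."""
    if view not in VIEWS:
        raise PermissionError("object not exposed to analysts: " + view)
    return [tuple(r) for r in conn.execute("SELECT * FROM " + view).fetchall()]


def columns(conn, view):
    if view not in VIEWS:
        raise PermissionError("object not exposed to analysts: " + view)
    return [d[0] for d in conn.execute("SELECT * FROM " + view).description]


if __name__ == "__main__":
    conn = build_warehouse()
    print(columns(conn, "employee_directory"))   # no salary column at all
    print(query(conn, "salary_report"))          # analyst: executive row filtered out
    set_role(conn, "hr_director")
    print(query(conn, "salary_report"))          # director: all three rows
```

PostgreSQL also offers native row-level security (CREATE POLICY on the table) which enforces the predicate regardless of which view or query the user runs; the view approach above works on every engine but relies on the base table itself being unreachable for the restricted roles.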

The risk of dumpster diving is BEST mitigated by: A. implementing security awareness training. B. placing shred bins in copy rooms. Incorrect C. developing a media disposal policy. D. placing shredders in individual offices.

You answered C. The correct answer is A. A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques.

Which of the following BEST encrypts data on mobile devices? A. Elliptical curve cryptography (ECC) B. Data encryption standard (DES) Incorrect C. Advanced encryption standard (AES) D. The Blowfish algorithm

You answered C. The correct answer is A. A. Elliptical curve cryptography (ECC) requires limited bandwidth resources and is suitable for encrypting mobile devices. B. Data encryption standard (DES) uses less processing power when compared with advanced encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices. C. AES is a symmetric algorithm and has the problem of key management and distribution. ECC is an asymmetric algorithm and is better suited for a mobile environment. D. The use of the Blowfish algorithm consumes too much processing power.

Which of the following is the MOST important action in recovering from a cyberattack? A. Activating an incident response team B. Hiring cyberforensic investigators Incorrect C. Executing a business continuity plan (BCP) D. Preserving evidence

You answered C. The correct answer is A. A. Hopefully the incident response team and procedures were set up prior to the cyberattack. The first step is to activate the team, contain the incident and keep the business operational. B. When a cyberattack is suspected, cyberforensic investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. The use of cyberforensic experts is only done after the incident has been identified. C. The most important objective in recovering from a cyberattack is to keep the business operational, but most attacks will not require the activation or use of the business continuity plan (BCP). D. The primary objective for the business is to stay in business. In a noncriminal investigation this may even mean that some evidence is lost.

To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet if: A. the source routing field is enabled. B. it has a broadcast address in the destination field. Incorrect C. a reset flag (RST) is turned on for the Transmission Control Protocol (TCP) connection. D. dynamic routing is used instead of static routing.

You answered C. The correct answer is A. A. IP spoofing takes advantage of the source-routing option in the Internet Protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing. B. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing. C. Turning on the reset flag (RST) is part of the normal procedure to end a Transmission Control Protocol (TCP) connection. D. The use of dynamic or static routing will not represent a spoofing attack.
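An added example (not from the page) of the rule in option A: parse the IPv4 option list and drop any packet carrying a loose (LSRR, type 131) or strict (SSRR, type 137) source route, and fail closed when the header cannot be parsed. The packet builder exists only to construct test input (it leaves the checksum zero and never sends anything); addresses are RFC 5737 and RFC 1918 examples.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137  # RFC 791 option type values


def parse_ipv4_options(packet):
    """Option types present in an IPv4 header; raises ValueError if the header is malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("IHL inconsistent with packet length")
    opts = packet[20:ihl]
    i, found = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break                      # end of option list; the rest is padding
        if kind == IPOPT_NOP:
            i += 1                     # single-byte option, no length field
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or bogus option length")
        found.append(kind)
        i += opts[i + 1]
    return found


def should_drop(packet):
    """Firewall rule: drop on any source-routing option, and on anything we cannot parse."""
    try:
        return any(k in (IPOPT_LSRR, IPOPT_SSRR) for k in parse_ipv4_options(packet))
    except ValueError:
        return True


def build_ipv4(src, dst, options=b"", payload=b""):
    """Constructed test packet: minimal header, TTL 64, protocol UDP, checksum left zero."""
    options += b"\x00" * (-len(options) % 4)          # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def lsrr_option(*hops):
    """Loose source route: type, total length, pointer (4 = first hop), then the hop list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(body), 4]) + body


if __name__ == "__main__":
    plain = build_ipv4("198.51.100.7", "203.0.113.10", payload=b"hello")
    routed = build_ipv4("10.0.0.5", "203.0.113.10",
                        options=lsrr_option("192.0.2.1", "198.51.100.1"), payload=b"hello")
    print("plain  ->", "DROP" if should_drop(plain) else "PASS")
    print("routed ->", "DROP" if should_drop(routed) else "PASS")
```

On Linux hosts the equivalent of this rule is the sysctl net.ipv4.conf.all.accept_source_route=0, which most distributions already set; a border firewall should still drop such packets explicitly so the decision does not depend on every host behind it.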

An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take? A. Determine whether this is a policy violation and document it. B. Document the observation as an exception. Incorrect C. Recommend that all password configuration settings be identical. D. Recommend that logs of IT developer access are reviewed periodically.

You answered C. The correct answer is A. A. If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed. B. This condition would not be considered an exception if procedures are followed according to approved policies. C. There may be valid reasons for these settings to be different; therefore, the auditor would not normally recommend changes before researching company policies and procedures. D. While reviewing logs may be a good compensating control, the more important course of action would be to determine if policies are being followed.

From a control perspective, the PRIMARY objective of classifying information assets is to: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. Incorrect C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses.

You answered C. The correct answer is A. A. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset. B. Not all information needs to be protected through access controls. Overprotecting data would be expensive. C. The classification of information is usually based on the risk assessment, not the other way around. D. Insuring assets is valid; however, this is not the primary objective of information classification.

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? A. Nonrepudiation B. Encryption Incorrect C. Authentication D. Integrity

You answered C. The correct answer is A. A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message. B. Encryption may protect the data transmitted over the Internet but may not prove that the transactions were made. C. Authentication is necessary to establish the identification of all parties to a communication. D. Integrity ensures that transactions are accurate but does not provide the identification of the customer.

A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. Incorrect C. confirm the identity of the originator. D. enable message transmission in a digital format.

You answered C. The correct answer is A. A. The message digest is calculated and included in a digital signature to prove that the message has not been altered. The message digest sent with the message should have the same value as the recalculation of the digest of the received message. B. The message digest does not define the algorithm; it is there to ensure integrity. C. The message digest does not confirm the identity of the user; it is there to ensure integrity. D. The message digest does not enable the transmission in digital format; it is there to ensure integrity.

A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A. Issues of privacy B. Wavelength can be absorbed by the human body Incorrect C. RFID tags may not be removable D. RFID eliminates line-of-sight reading

You answered C. The correct answer is A. A. The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because radio frequency identification (RFID) can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. B. That wavelength can be absorbed by the human body is a concern of less importance. C. That RFID tags may not be removable is a concern of less importance than the violation of privacy. D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.

Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used, in some cases, to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is: A. parameter tampering. B. cross-site scripting. Incorrect C. cookie poisoning. D. stealth commanding.

You answered C. The correct answer is A. A. Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering. B. Cross-site scripting involves the compromise of the web page to redirect users to content on the attacker web site. The use of hidden fields has no impact on the likelihood of a cross-site scripting attack because these fields are static content that cannot ordinarily be modified to create this type of attack. C. Web applications use cookies to save session state information on the client machine so that the user does not need to log on every time a page is visited. Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal logon credentials. The use of hidden fields has no relation to cookie poisoning. D. Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most common server exploits involve vulnerabilities of the server operating system or web server.
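An added example (not from the page) of the parameter tampering described in option A, as a server-side checkout handler: the vulnerable version trusts a hidden price field posted by the browser, the hardened version re-derives the price from a server-side catalogue and range-checks the quantity. For cases where state genuinely must round-trip through the client, a third pair of functions MACs the hidden fields so modification is detected. The catalogue, prices, form submissions and server secret are constructed; in a real deployment the secret would come from configuration, not source code.

```python
import hashlib
import hmac
import json

# Constructed catalogue: the server is the only source of truth for prices (in cents).
CATALOGUE = {"SKU-1001": 4999, "SKU-2002": 12900}
SERVER_SECRET = b"constructed-secret-load-from-config"   # assumption: not really hard-coded


def checkout_vulnerable(form):
    """Trusts hidden fields from the browser: qty and price both arrive from the client."""
    return int(form["qty"]) * int(form["price"])


def checkout_hardened(form):
    """Ignores the client-supplied price and validates everything it does use."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", "0"))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[sku]


def sign_hidden_fields(fields):
    """Serialise hidden state canonically and attach an HMAC-SHA256 tag for the round trip."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex(), tag


def verify_hidden_fields(blob, tag):
    """Reject the posted state unless the tag still matches; constant-time comparison."""
    payload = bytes.fromhex(blob)
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("hidden fields tampered")
    return json.loads(payload)


if __name__ == "__main__":
    # Constructed submissions: what the page rendered, and what an attacker re-posts.
    legitimate = {"sku": "SKU-1001", "qty": "2", "price": "4999"}
    tampered = dict(legitimate, price="1")
    print("vulnerable charges:", checkout_vulnerable(tampered))   # attacker pays 2 cents
    print("hardened charges:  ", checkout_hardened(tampered))     # 9998, price field ignored
    blob, tag = sign_hidden_fields({"sku": "SKU-1001", "price": 4999})
    forged = bytes.fromhex(blob).replace(b"4999", b"1").hex()
    try:
        verify_hidden_fields(forged, tag)
    except ValueError as exc:
        print("signed fields:", exc)
```

The MAC protects integrity only: a signed blob can still be replayed, and the values inside it must still be treated as untrusted input once verified, so the hardened handler's own checks remain necessary.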

Two-factor authentication can be circumvented through which of the following attacks? A. Denial-of-service B. Man-in-the-middle Incorrect C. Key logging D. Brute force

You answered C. The correct answer is B. A. A denial-of-service attack does not have a relationship to authentication. B. A man-in-the-middle attack is similar to piggybacking in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. This is done in many instances of bank fraud. C. Key logging could circumvent single-factor authentication but not two-factor authentication. D. Brute force could circumvent single-factor authentication but not two-factor authentication.

During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used? A. A biometric, digitalized and encrypted parameter with the customer's public key B. A hash of the data that is transmitted and encrypted with the customer's private key Incorrect C. A hash of the data that is transmitted and encrypted with the customer's public key D. The customer's scanned signature encrypted with the customer's public key

You answered C. The correct answer is B. A. Biometrics are not used in digital signatures or public key encryption. B. The calculation of a hash, or digest, of the data that are transmitted and its encryption require the private key of the client (sender) and is called a signature of the message, or digital signature. The receiver hashes the received message and compares the hash they compute with the received hash, after the digital signature has been decrypted with the sender's public key. If the hash values are the same, the conclusion would be that there is integrity in the data that have arrived and the origin is authenticated. The concept of encrypting the hash with the private key of the originator provides nonrepudiation because it can only be decrypted with their public key, and the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender's public key must have been encrypted with their private key, so they must have been the sender (i.e., nonrepudiation). C. It would not be correct to encrypt the hash with the customer's public key because then the recipient would need access to the customer's private key to decrypt the digital signature. D. A scan of the customer's signature would be known as a digitized signature, not a digital signature, and would be of little or no value in this scenario.

Which of the following is the responsibility of information asset owners? A. Implementation of information security within applications B. Assignment of criticality levels to data C. Implementation of access rules to data and programs D. Provision of physical and logical security for data

You answered C. The correct answer is B. A. Implementation of information security within an application is the responsibility of the data custodians based on the requirements set by the data owner. B. It is the responsibility of owners to define the criticality (and sensitivity) levels of information assets. C. Implementation of access rules is a responsibility of data custodians based on the requirements set by the data owner. D. Provision of physical and logical security for data is the responsibility of the security administrator.

An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A. Risk reduction B. Risk transfer C. Risk avoidance D. Risk mitigation

You answered C. The correct answer is B. A. Risk reduction is a term synonymous with risk mitigation. Risk reduction lowers risk to a level commensurate with the organization's risk appetite. Risk reduction treats the risk, while risk transfer does not always address compliance risk. B. Risk transfer typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist. C. Risk avoidance does not expose the organization to compliance risk because the business practice that caused the inherent risk to exist is no longer being pursued. D. Mitigating risk will still expose the organization to a certain amount of risk. Risk mitigation lowers risk to a level commensurate with the organization's risk appetite. However, risk transference is the best answer because risk mitigation treats the risk, while risk transfer does not necessarily address compliance risk.

Which of the following choices BEST helps information owners to properly classify data? A. Understanding of technical controls that protect data B. Training on organizational policies and standards C. Use of an automated data leak prevention (DLP) tool D. Understanding which people need to access the data

You answered C. The correct answer is B. A. While understanding how the data are protected is important, these controls might not be applied properly if the data classification schema is not well understood. B. While implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified. C. While an automated data leak prevention (DLP) tool may enhance productivity, the users of the application would still need to understand what classification schema was in place. D. In terms of protecting the data, the data requirements of end users are critical, but if the data owner does not understand what data classification schema is in place, it would be likely that inappropriate access to sensitive data might be granted by the data owner.

Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? A. Analyzer B. Administration console C. User interface D. Sensor

You answered C. The correct answer is D. A. Analyzers receive input from sensors and determine the presence of and type of intrusive activity. B. An administration console is the management interface component of an intrusion detection system (IDS). C. A user interface allows the administrators to interact with the IDS. D. Sensors are responsible for collecting data. Sensors may be attached to a network, server or other location and may gather data from many points for later analysis.

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

You answered C. The correct answer is D. A. Digitalized signatures are the scans of a signature (not the same as a digital signature) and not related to digital rights management. B. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. C. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing. D. Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data (e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities).

When auditing a role-based access control system (RBAC), the IS auditor noticed that some IT security employees have system administrator privileges on some servers, which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? A. Ensure that these employees are adequately supervised. B. Ensure that backups of the transaction logs are retained. C. Implement controls to detect the changes. D. Ensure that transaction logs are written in real time to Write Once and Read Many (WORM) drives.

You answered C. The correct answer is D. A. IT security employees cannot be supervised in the traditional sense unless the supervisor were to monitor each keystroke entered on a workstation, which is obviously not a realistic option. B. Retaining backups of the transaction logs does not prevent the files from unauthorized modification prior to backup. C. The log files themselves are the main evidence that an unauthorized change was made, which is a sufficient detective control. Protecting the log files from modification requires preventive controls such as securely writing the logs. D. Allowing IT security employees access to transaction logs is often unavoidable because having system administrator privileges is required for them to do their job. The best control in this case, to avoid unauthorized modifications of transaction logs, is to write the transaction logs to WORM drive media in real time. It is important to note that simply backing up the transaction logs to tape is not adequate because data could be modified prior (typically at night) to the daily backup job execution.

Distributed denial-of-service (DDoS) attacks on Internet sites are typically launched by hackers using which of the following? A. Logic bombs B. Phishing C. Spyware D. Trojan horses

You answered C. The correct answer is D. A. Logic bombs are programs designed to destroy or modify data at a specific event or time in the future. B. Phishing is an attack, normally via email, pretending to be an authorized person or organization requesting information. C. Spyware is a program that picks up information from PC drives by making copies of their contents. D. Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to coordinate distributed denial-of-service (DDoS) attacks that overload a site so that it may no longer be able to process legitimate requests.

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D. Company-defined security policies are not applied to the cloud application.

You answered C. The correct answer is D. A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (HR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. A company-defined security policy would ensure that help desk personnel would not have access to personnel data, and this would be covered under the security policy. The more critical issue would be that the application complied with the security policy. D. Cloud applications should adhere to the company-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.

IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks? A. Port scanning B. Back door C. Man-in-the-middle D. War driving

You answered C. The correct answer is D. A. Port scanning will often target the external firewall of the organization. Use of wireless will not affect this. B. A back door is an opening implanted into or left in software that enables an unauthorized entry into a system. C. Man-in-the-middle attacks intercept a message and can read, replace or modify it. D. A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside.

The role of the certificate authority (CA) as a third party is to: A. provide secured communication and networking services based on certificates. B. host a repository of certificates with the corresponding public and secret keys issued by that CA. C. act as a trusted intermediary between two communication partners. D. confirm the identity of the entity owning a certificate issued by that CA.

You answered C. The correct answer is D. A. Providing a communication infrastructure is not a certificate authority (CA) activity. B. The secret keys belonging to the certificates would not be archived at the CA. C. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself. D. The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: A. recommend that mandatory access control (MAC) be implemented. B. report this as an issue. C. report this issue to the data owners to determine whether it is an exception. D. not report this issue because discretionary access controls (DACs) are in place.

You answered C. The correct answer is D. A. Recommending mandatory access control (MAC) is not correct because it is more appropriate for data owners to have discretionary access controls (DAC) in a low-risk application. B. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. C. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue. D. DAC allows data owners to modify access, which is a normal procedure and is a characteristic of DAC.

Which of the following is the MOST effective control for restricting access to unauthorized Internet sites in an organization? A. Routing outbound Internet traffic through a content-filtering proxy server B. Routing inbound Internet traffic through a reverse proxy server C. Implementing a firewall with appropriate access rules D. Deploying client software utilities that block inappropriate content

You answered D. The correct answer is A. A. A content-filtering proxy server will effectively monitor user access to Internet sites and block access to unauthorized web sites. B. When a client web browser makes a request to an Internet site, those requests are outbound from the corporate network. A reverse proxy server is used to allow secure remote connection to a corporate site, not to control employee web access. C. A firewall exists to block unauthorized inbound and outbound network traffic. Some firewalls can be used to block or allow access to certain sites, but the term firewall is generic—there are many types of firewalls, and this is not the best answer. D. While client software utilities do exist to block inappropriate content, installing and maintaining additional software on a large number of PCs is less effective than controlling the access from a single, centralized proxy server.

In a public key infrastructure (PKI), a registration authority: A. verifies information supplied by the subject requesting a certificate. B. issues the certificate after the required attributes are verified and the keys are generated. C. digitally signs a message to achieve nonrepudiation of the signed message. D. registers signed messages to protect them from future repudiation.

You answered D. The correct answer is A. A. A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor's right to request a certificate on behalf of themselves or their organization. B. Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed. C. The sender who has control of his/her private key signs the message, not the registration authority. D. Registering signed messages is not a task performed by registration authorities.

The computer security incident response team (CSIRT) of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat.

You answered D. The correct answer is A. A. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. B. Forwarding the security alert is not harmful to the organization. C. Implementing individual solutions is unlikely and inefficient, but not a serious risk. D. Users failing to understand the threat would not be a serious concern.

The PRIMARY goal of a web site certificate is: A. authentication of the web site that will be surfed. B. authentication of the user who surfs through that site. C. preventing surfing of the web site by hackers. D. the same purpose as that of a digital certificate.

You answered D. The correct answer is A. A. Authenticating the site to be surfed is the primary goal of a web certificate. B. Authentication of a user is achieved through passwords and not by a web site certificate. C. The site certificate does not prevent hacking nor does it authenticate a person. D. Web site certificates may serve the same purpose as a digital certificate, but the goal of certificates is authentication.

The MOST common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. B. receiving trap messages. C. reject-error rates. D. denial-of-service (DoS) attacks.

You answered D. The correct answer is A. A. Because of the configuration and the way intrusion detection system (IDS) technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents—false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls (such as IDS tuning) and incident handling procedures (such as the screening process) to know if an event is a security incident or a false positive. B. Trap messages are generated by the Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. C. Reject-error rate is related to biometric technology and is not related to IDSs. D. Denial-of-service (DoS) is a type of attack and is not a problem in the operation of IDSs because an IDS only captures data and does not affect traffic.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol (DHCP) is disabled at all wireless access points. This practice: A. reduces the risk of unauthorized access to the network. B. is not suitable for small networks. C. automatically provides an IP address to anyone. D. increases the risk associated with Wireless Encryption Protocol (WEP).

You answered D. The correct answer is A. A. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access. B. DHCP is suitable for networks of all sizes from home networks to large complex organizations. C. DHCP does not provide IP addresses when disabled. D. Disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in Wireless Encryption Protocol (WEP).

The information security policy that states "each individual must have his/her badge read at every controlled door" addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation

You answered D. The correct answer is A. A. Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. B. Shoulder surfing (looking over the shoulder of a person to view sensitive information on a screen or desk) would not be prevented by the implementation of this policy. C. Dumpster diving, looking through an organization's trash for valuable information, could be done outside the company's physical perimeter; therefore, this policy would not address this attack method. D. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies

You answered D. The correct answer is A. A. Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. B. Surge protection devices protect against high-voltage bursts. C. Alternative power supplies are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. D. An interruptible power supply would cause the equipment to come down whenever there was a power failure.

The use of residual biometric information to gain unauthorized access is an example of which of the following attacks? A. Replay B. Brute force C. Cryptographic D. Mimic

You answered D. The correct answer is A. A. Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. B. A brute force attack involves feeding the biometric capture device numerous different biometric samples. C. A cryptographic attack targets the algorithm or the encrypted data. D. In a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.

An organization has requested that an IS auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following would meet this objective? A. VoIP infrastructure needs to be segregated using virtual local area networks (VLANs). B. Buffers need to be introduced at the VoIP endpoints. C. Ensure that end-to-end encryption is enabled in the VoIP system. D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

You answered D. The correct answer is A. A. Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime). B. The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method. C. Encryption is used when VoIP calls use the Internet (not the local LAN) for transport because the assumption is that the physical security of the building as well as the Ethernet switch and VLAN security is adequate. D. The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.

Which of the following would be the BEST access control procedure? A. The data owner formally authorizes access and an administrator implements the user authorization tables. B. Authorized staff implements the user authorization tables and the data owner sanctions them. C. The data owner and an IS manager jointly create and update the user authorization tables. D. The data owner creates and updates the user authorization tables.

You answered D. The correct answer is A. A. The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables at the direction of the owner. B. The owner sets the rules and conditions for access. It is best to obtain approval before implementing the tables. C. The data owner may consult with the IS manager to set out access control rules, but the responsibility for appropriate access remains with the data owner. The IT department should set up the access control tables at the direction of the owner. D. The data owner would not usually manage updates to the authorization tables.

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: A. duration of the outage. B. type of outage. C. probability of the outage. D. cause of the outage.

You answered D. The correct answer is A. A. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives. B. The type of outage is not as important to the activation of the plan as the length or duration of the outage. C. The probability of the outage would be relevant to the frequency of incidents, not the need to activate the plan. The plan is designed to be activated after an event of a certain duration occurs. D. The cause of the outage may affect the response plan to be activated, but not the decision to activate the plan. The plan will be activated any time an event of a predetermined duration occurs.

Which of the following would be an indicator of the effectiveness of a computer security incident response team (CSIRT)? A. Financial impact per security incident B. Number of security vulnerabilities that were patched C. Percentage of business applications that are being protected D. Number of successful penetration tests

You answered D. The correct answer is A. A. The most important indicator is the financial impact per security incident. The team should be able to limit the cost of incidents through effective prevention, detection and response to incidents. B. Patching of security vulnerabilities is important but not a direct responsibility of the computer security incident response team (CSIRT). C. The CSIRT is not responsible for the protection of systems. That is the responsibility of the security team. D. The number of penetration tests measures the effectiveness of the security team and the patch management process, but not the effectiveness of the CSIRT.

The PRIMARY benefit of an enterprise architecture (EA) initiative would be to: A. enable the organization to invest in the most appropriate technology. B. ensure that security controls are implemented on critical platforms. C. allow development teams to be more responsive to business requirements. D. provide business units with greater autonomy to select IT solutions that fit their needs.

You answered D. The correct answer is A. A. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective. B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development. D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.

Which of the following would be BEST prevented by a raised floor in the computer machine room? A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage

You answered D. The correct answer is A. A. The primary reason for having a raised floor is to enable ventilation systems, power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor. B. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. C. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. D. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

The GREATEST benefit of having well-defined data classification policies and procedures is: A. a more accurate inventory of information assets. B. a decreased cost of controls. C. a reduced risk of inappropriate system access. D. an improved regulatory compliance.

You answered D. The correct answer is B. A. A more accurate inventory of information assets is a benefit but would not be the greatest benefit of the choices listed. B. An important benefit of a well-defined data classification process would be to lower the cost of protecting data by ensuring that the appropriate controls are applied with respect to the sensitivity of the data. Without a proper classification framework, some security controls may be greater and, therefore, more costly than is required based on the data classification. C. Classifying the data may assist in reducing the risk of inappropriate system access, but that would not be the greatest benefit. D. Improved regulatory compliance would be a benefit; however, achieving a cost reduction would be a greater benefit.

While reviewing a quality management system (QMS), the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems (QMSs) comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined.

You answered D. The correct answer is B. A. Generally, good practices are adopted according to business requirements, and therefore, conforming to good practices may or may not be a requirement of the business. B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if they are not being monitored.

Inadequate programming and coding practices introduce the risk of: A. phishing. B. buffer overflow exploitation. C. synchronize (SYN) flood. D. brute force attacks.

You answered D. The correct answer is B. A. Phishing is a social engineering attack that attempts to gather sensitive information from a customer—often via email. This is not a programming or coding problem. B. Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. C. A synchronize (SYN) flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. A SYN flood is not related to programming and coding practices. D. Brute force attacks are used against passwords and are not related to programming and coding practices.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. Incorrect D. potential crisis recognition might be delayed.

You answered D. The correct answer is B. A. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. B. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. C. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. D. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

Which of the following is the BEST criterion for evaluating the adequacy of an organization's security awareness program? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. Incorrect D. No actual incidents have occurred that have caused a loss or a public embarrassment.

You answered D. The correct answer is B. A. Senior management's level of awareness and concern for information assets is a criterion for evaluating the importance that they attach to those assets and their protection, but it is not as meaningful as having job descriptions that require all staff to be responsible for information security. B. The inclusion of security responsibilities in job descriptions is a key factor in demonstrating the maturity of the security program and helps ensure that staff and management are aware of their roles with respect to information security. C. Funding is important, but having funding does not ensure that the security program is effective or adequate. D. The number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program, but it is not a criterion for evaluating a security program.

This question refers to the following diagram. Email traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. Incorrect D. close firewall-1.

You answered D. The correct answer is B. A. The first action taken by an intrusion detection system (IDS) will be to create a log entry and then alert the appropriate staff. B. Creating an entry in the log is the first step taken by a network IDS. The IDS may also be configured to send an alert to the administrator, send a note to the firewall and may even be configured to record the suspicious packet. C. Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. After the IDS has logged the suspicious traffic, it may signal firewall-2 to close, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. D. The IDS will usually only protect the internal network by closing firewall-2 and will not close the externally facing firewall-1.

A development team has developed and is currently maintaining a customer-facing web application which is hosted at their regional office versus at the central data center. The GREATEST risk in this scenario is that the: A. additional traffic of the web site would slow down Internet access for the regional office. B. development team may lack the expertise and staffing to manage and maintain a hosted application environment. C. regional office may not have the same level of fire detection and suppression that exists at the main data center. Incorrect D. regional office may not have a firewall or network that is sufficiently secure for a web server.

You answered D. The correct answer is B. A. The risk of an impact on Internet access from the regional office is not as serious as the risk related to improper configuration or maintenance of the web application. B. Maintaining a critical web application requires continuous monitoring and maintenance that is normally performed by data center operations personnel, not by a development team. While system developers may be capable of performing computer operations tasks, they would not normally be on site 24/7 as would computer operations staff. C. The physical security of a data center in a regional office should be sufficient to protect its systems, many of which may be more critical than a web application. D. While it may be true that the regional office may not have a network architecture and infrastructure suitable for hosting a web application, this is just one risk associated with a development team attempting to operate a web application.

Which of the following provides the MOST relevant information for proactively strengthening security settings? A. Bastion host B. Intrusion detection system (IDS) C. Honeypot Incorrect D. Intrusion prevention system

You answered D. The correct answer is C. A. A bastion host is a hardened system used to host services. It does not provide information about an attack. B. Intrusion detection systems (IDSs) are designed to detect an attack in progress and raise an alert; their output describes what is already happening rather than how an attacker works. C. The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods. D. Intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible.

Which of the following is BEST suited for secure communications within a small group? A. Key distribution center B. Certificate authority (CA) C. Web of trust Incorrect D. Kerberos Authentication System

You answered D. The correct answer is C. A. A key distribution center is a part of a Kerberos implementation suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. B. Certificate authority (CA) is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. C. Web of trust is a key distribution method suitable for communication in a small group. It is used by tools such as pretty good privacy (PGP) and distributes the public keys of users within a group. D. A Kerberos Authentication System extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines, which are accessible to each user.

Which control is the BEST way to ensure that the data in a file have not been changed during transmission? A. Reasonableness check B. Parity bits C. Hash values Incorrect D. Check digits

You answered D. The correct answer is C. A. A reasonableness check is used to ensure that input data is within expected values, not to ensure integrity of data transmission. B. Parity bits are a weak form of data integrity checks used to detect errors in transmission, but they are not as good as using a hash. C. Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. D. Check digits are used to detect an error in an account number—usually related to a transposition or transcribing error.

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident? A. Dump the volatile storage data to a disk. B. Run the server in a fail-safe mode. C. Disconnect the web server from the network. Incorrect D. Shut down the web server.

You answered D. The correct answer is C. A. Dumping the volatile storage data to a disk may be used at the investigation stage, but does not contain an attack in progress. B. To run the server in a fail-safe mode, the server needs to be shut down. C. The first action is to disconnect the web server from the network to secure the device for investigation, contain the damage and prevent more actions by the attacker. D. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them? A. Overwriting the tapes B. Initializing the tape labels C. Degaussing the tapes Incorrect D. Erasing the tapes

You answered D. The correct answer is C. A. Overwriting the tapes is a good practice, but if the tapes have contained sensitive information then it is necessary to degauss them. B. Initializing the tape labels would not remove the data on the tape and could lead to compromise of the data on the tape. C. The best way to handle obsolete magnetic tapes is to degauss them. Degaussing is the application of a coercive magnetic force to the tape media. This action leaves a very low residue of magnetic induction, essentially erasing the data completely from the tapes. D. Erasing the tapes will make the data unreadable except for sophisticated attacks; therefore, tapes containing sensitive data should be degaussed.

An organization is developing a new web-based application to process orders from customers. Which of the following security measures should be taken to protect this application from hackers? A. Ensure that ports 80 and 443 are blocked at the firewall. B. Inspect file and access permissions on all servers to ensure that all files have read-only access. C. Perform a web application security review. Incorrect D. Make sure that only the IP addresses of existing customers are allowed through the firewall.

You answered D. The correct answer is C. A. Port 80 must be open for a web application to work over HTTP, and port 443 for Hypertext Transfer Protocol Secure (HTTPS) to operate. B. For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server. C. Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers. D. Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

Which of the following is the MOST important security consideration to an organization that wants to reduce its IS infrastructure by using servers provided by a platform as a service (PaaS) vendor? A. Require users of the new application to adopt specific, minimum-length passwords. B. Implement a firewall that monitors incoming traffic using the organization's standard settings. C. Review the need for encryption of stored and transmitted application data. Incorrect D. Make the service vendor responsible for application security through contractual terms.

You answered D. The correct answer is C. A. Requiring application users to maintain another password may not be popular. A more fundamental reason is that many cloud service providers expose their services via application programming interfaces (APIs). These APIs are designed to accept tokens, not passwords. Ideally, they use an open standard such as Security Assertion Markup Language (SAML) or WS-Federation for exchanging authentication and authorization information. An authentication scheme needs to take into account the type of application users—organization employees, employees of partner organizations, customers or a combination of user types. Additionally, the increasing trend is for web applications to be accessible by multiple device types. Therefore, the organization may need to employ a "bring your own identity" scheme of authentication. An appropriate mechanism (such as a security token, smart card, one-time password via short message service [SMS] or telephone) based on assessed risk should be used to confirm user identity. B. In a platform as a service (PaaS) cloud computing model, network security remains the responsibility of the cloud service provider. Because multiple tenants use the cloud service provider's infrastructure, insisting on a specific firewall configuration is not practical, although it may be possible to agree to some arrangements when negotiating the service contract. The "deperimeterized" nature of cloud computing enhances the need for strong application security controls to be designed, tested and implemented. C. With cloud computing, an application does not run on an organization's trusted environment. Instead, it runs on infrastructure shared by other tenants and administered by people not employed by the organization. Therefore, depending on the nature of the data, there may be a greater need to rely on encryption to protect privacy. This may apply not just to data when they are stored in the cloud but also during transmission. 
However, careful consideration must be given to the nature of the data to understand what degree of protection is needed. Using encryption can increase complexity and have performance implications. The possibility of using compensating controls (e.g., protecting stored data through database access controls) should also be considered. D. In a PaaS cloud computing model, the service provider supplies the computing infrastructure and development frameworks. While requirements for basic infrastructure security can be discussed and possibly included as contract terms, responsibility for building a secure application rests with the customer organization. Given that cloud computing enhances some threats present with traditional in-house hosted systems as well as introducing some new threats, it is particularly important that application security controls be given strong focus during application development.

A certificate authority (CA) can delegate the processes of: A. revocation and suspension of a subscriber's certificate. B. generation and distribution of the CA public key. C. establishing a link between the requesting entity and its public key. Incorrect D. issuing and distributing subscriber certificates.

You answered D. The correct answer is C. A. Revocation and suspension of the subscriber certificate are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. B. Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated. C. Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. D. Issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform.

Which of the following types of firewalls would BEST protect a network from an Internet attack? Correct A. Screened subnet firewall B. Application filtering gateway C. Packet filtering router D. Circuit-level gateway

You are correct, the answer is A. A. A screened subnet firewall would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network. B. Application-level gateways are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a packet level. This would be the best solution to protect an application but not a network. C. A packet filtering router examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control. D. A circuit level gateway, such as a Socket Secure (SOCKS) server, will protect users by acting as a proxy but is not the best defense for a network.

Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: Correct A. is driven by an IT department's objectives. B. is published, but users are not required to read the policy. C. does not include information security procedures. D. has not been updated in over a year.

You are correct, the answer is A. A. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals. B. Policies should be written so that users can understand each policy, and employees should be able to easily access the policies. The fact that users have not read the policy is not the greatest concern because they still may be compliant with the policy. C. Policies should not contain procedures. Procedures are established to assist with policy implementation and compliance. D. Policies should be reviewed annually, but they might not necessarily be updated annually unless there are significant changes in the environment such as new laws, rules or regulations.

The MOST important difference between hashing and encryption is that hashing: Correct A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end.

You are correct, the answer is A. A. Hashing works one way: applying a hashing algorithm to a message produces a message hash/digest, and there is no algorithm that takes the digest back to the original message. As such, hashing is irreversible, while encryption is reversible (ciphertext decrypts back to the plaintext given the key). This is the basic difference between hashing and encryption. B. Hashing creates a fixed-length output that is usually smaller than the original message, and encryption creates an output that is usually about the same length as the original message. C. Hashing is used to verify the integrity of the message and does not provide confidentiality. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. D. Encryption may use different keys or a reverse process at the sending and receiving ends to encrypt and decrypt.
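An added example, not part of the original quiz text, covering both the transmission-integrity question (hash values versus parity bits) and the hashing properties above: the SHA-256 digest has the same length for an empty message, a short one and a 10,000-byte one; a receiver that recomputes the digest catches tampering; and a single parity bit, the weak check from that question, misses a two-bit change that the hash detects. The message and the tampering pattern are constructed for the demonstration.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Fixed-length SHA-256 digest (64 hex chars) regardless of input size."""
    return hashlib.sha256(data).hexdigest()


def verify_transfer(received: bytes, expected_hex: str) -> bool:
    """Receiver recomputes the hash of what arrived and compares in constant time."""
    return hmac.compare_digest(digest(received), expected_hex)


def parity(data: bytes) -> int:
    """Single even-parity bit over the whole message: the weak integrity check."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def two_bit_tamper(data: bytes) -> bytes:
    """Flip one bit in each of the first two bytes: total parity is unchanged."""
    return flip_bit(flip_bit(data, 0), 1)


MESSAGE = b"PAY 100.00 TO ACCT 4471"   # constructed sample payload


if __name__ == "__main__":
    sent_digest = digest(MESSAGE)          # travels alongside the file
    tampered = two_bit_tamper(MESSAGE)     # modified in transit
    print("digest lengths:", len(digest(b"")), len(digest(MESSAGE)),
          len(digest(b"x" * 10_000)))
    print("parity still matches:", parity(tampered) == parity(MESSAGE))
    print("hash still matches:  ", verify_transfer(tampered, sent_digest))
```

A plain hash only detects accidental or unprivileged modification; if the attacker can also replace the digest in transit, the check has to be keyed (an HMAC) or signed, which is what the earlier questions on encrypting the digest with the sender's private key are about.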

An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? Correct A. Physically secure wireless access points to prevent tampering. B. Use service set identifiers (SSIDs) that clearly identify the organization. C. Encrypt traffic using the Wired Equivalent Privacy (WEP) mechanism. D. Implement the Simple Network Management Protocol (SNMP) to allow active monitoring.

You are correct, the answer is A. A. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to restore weak default passwords and encryption keys, or to totally remove authentication and encryption from the network. B. Service set identifiers (SSIDs) should not be used to identify the organization because hackers can associate the wireless local area network (WLAN) with a known organization and this increases both their motivation to attack and, potentially, the information available to do so. C. The original Wired Equivalent Privacy (WEP) security mechanism has been demonstrated to have a number of exploitable weaknesses. The more recently developed Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) standards represent considerably more secure means of authentication and encryption; of these, WPA2 with AES/CCMP (or its successor WPA3) is the one to recommend, since the original WPA with TKIP is itself deprecated. D. Installing Simple Network Management Protocol (SNMP) on wireless access points can actually open up security vulnerabilities. If SNMP is required at all, then SNMP v3, which has stronger authentication mechanisms than earlier versions, should be deployed.

When installing an intrusion detection system (IDS), which of the following is MOST important? Correct A. Properly locating it in the network architecture B. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quarantined D. Minimizing the rejection errors

You are correct, the answer is A. A. Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. B. A network IDS will monitor network traffic and a host-based IDS will monitor activity on the host but it has no capability of preventing a denial-of-service (DoS) attack. C. Configuring an IDS can be a challenge because it may require the IDS to "learn" what normal activity is, but the most important part of the installation is to install it in the right places. D. An IDS is only a monitoring device and does not reject traffic. Rejection errors would apply to a biometric device.

Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? Correct A. Virtual private network (VPN) B. Dedicated line C. Leased line D. Integrated services digital network (ISDN)

You are correct, the answer is A. A. The most secure and economical method is a virtual private network (VPN), which uses encryption, authentication and tunneling to carry private-network traffic across the public Internet without exposing it. B. A dedicated line is quite expensive and only needed when there are specific confidentiality and availability needs. C. A leased line is an expensive but private option, but rarely a good option today. D. Integrated services digital network (ISDN) is not encrypted and would need additional security to be a valid option.

During a review of intrusion detection logs, an IS auditor notices traffic coming from the Internet, which appears to originate from the internal IP address of the company payroll server. Which of the following malicious activities would MOST likely cause this type of result? A. A denial-of-service (DoS) attack Correct B. Spoofing C. Port scanning D. A man-in-the-middle attack

You are correct, the answer is B. A. A denial-of-service (DoS) attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a web site). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once. B. Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources. C. Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server, but would not normally create a log entry that indicated external traffic from an internal server address. D. A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead it might be designed to hijack an authorized connection between a workstation and the payroll server.
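The log review described in answer B, as an added example that is not part of the original quiz text: a small check over IDS/firewall records that flags packets arriving on the external interface while claiming an internal source address, and marks those claiming to be the payroll server. The log format, interface names, address ranges and sample lines are all constructed for the demonstration.

```python
import ipaddress
import re

# Address ranges the organization uses internally (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PAYROLL_SERVER = ipaddress.ip_address("10.20.1.15")   # constructed

# Constructed log format: one record per line with key=value fields.
LOG_RE = re.compile(r"iface=(?P<iface>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")

SAMPLE_LOG = """\
2017-05-31T10:01:02 iface=ext src=203.0.113.7 dst=10.20.1.80 proto=tcp dport=443
2017-05-31T10:01:05 iface=ext src=10.20.1.15 dst=10.20.1.80 proto=tcp dport=445
2017-05-31T10:01:09 iface=int src=10.20.1.15 dst=10.20.1.80 proto=tcp dport=445
2017-05-31T10:01:12 iface=ext src=192.168.4.9 dst=10.20.1.81 proto=udp dport=53
2017-05-31T10:01:20 iface=ext src=198.51.100.23 dst=10.20.1.80 proto=tcp dport=80
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_spoofed(log_text: str) -> list:
    """Records where a packet arrived from the Internet side (iface=ext)
    but carries a source address that only exists inside the network."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m or m["iface"] != "ext":
            continue              # internal-side traffic is legitimately internal
        if is_internal(m["src"]):
            hits.append({
                "line": lineno,
                "src": m["src"],
                "dst": m["dst"],
                "claims_payroll": ipaddress.ip_address(m["src"]) == PAYROLL_SERVER,
            })
    return hits


if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG):
        tag = " (claims to be the payroll server)" if hit["claims_payroll"] else ""
        print(f"line {hit['line']}: spoofed source {hit['src']} -> {hit['dst']}{tag}")
```

The same rule belongs on the border router as an ingress filter (drop packets on the external interface whose source is an internal prefix); the log check is how the auditor confirms the filter is present and working, since legitimate traffic never produces a line like 2 or 4.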

An IS auditor reviewing a network log discovers that an employee ran elevated commands on his/her PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack? A. A race condition Correct B. A privilege escalation C. A buffer overflow D. An impersonation

You are correct, the answer is B. A. A race condition exploit involves the timing of two events and an action that causes one event to happen later than expected. The scenario given is not an example of a race condition exploit. B. A privilege escalation is a type of attack where higher-level system authority is obtained by various methods. In this example, the task scheduler service runs with administrator permissions, and a security flaw allows programs launched by the scheduler to run at the same permission level, so the employee's commands execute with rights the employee's own account does not have. C. Buffer overflows take advantage of a defect in the way an application or system uses memory. By overloading the memory storage mechanism, the system will perform in unexpected ways. The scenario given is not an example of a buffer overflow exploit. D. Impersonation attacks involve an error in the identification of a privileged user. The scenario given is not an example of this exploit.

Which of the following would be the MOST secure firewall system? A. Screened-host firewall Correct B. Screened-subnet firewall C. Dual-homed firewall D. Stateful-inspection firewall

You are correct, the answer is B. A. A screened-host firewall utilizes a packet filtering router and a bastion host. This approach implements basic network layer security (packet filtering) and application server security (proxy services). B. A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet filtering routers and a bastion host. This provides the most secure firewall system because it supports both network- and application-level security while defining a separate DMZ network. C. A dual-homed firewall system is a more restrictive form of a screened-host firewall system, configuring one interface for information servers and another for private network host computers. D. A stateful inspection firewall working at the transport layer keeps track of the destination Internet Protocol (IP) address of each packet that leaves the organization's internal network and allows a reply from the recorded IP addresses.

Which of the following cryptography options would increase overhead/cost? A. The encryption is symmetric rather than asymmetric. Correct B. A long asymmetric encryption key is used. C. The hash is encrypted rather than the message. D. A secret key is used.

You are correct, the answer is B. A. An asymmetric algorithm requires more processing time than symmetric algorithms, so choosing symmetric over asymmetric reduces overhead rather than increasing it. B. Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. C. A hash is usually shorter than the original message; therefore, a smaller overhead is required if the hash is encrypted rather than the message. D. A secret (symmetric) key is generally short and is used for bulk encryption of user data, so it adds little overhead.

An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application that is hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A. Plan an audit of the cloud vendor. Correct B. Review the vendor contract to determine its DR capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the DRP from the cloud vendor.

You are correct, the answer is B. A. Auditing the cloud vendor would be useful; however, this would only be useful if the vendor is contractually required to provide disaster recovery (DR) services. B. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Without the contractual language, the vendor is not required to provide DR services. C. An independent auditor's report, such as Statements on Standards for Attestation Engagements (SSAE) 16, on DR capabilities can be reviewed to ascertain the vendor's DR capabilities; however, this will only be fruitful if the vendor is contractually required to provide DR services. D. A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.

Which of the following findings would be of GREATEST concern to an IS auditor during a review of logical access to an application? A. Some developers have update access to production data. Correct B. The file storing the application ID password is in cleartext in the production code. C. The change control team has knowledge of the application ID password. D. The application does not enforce the use of strong passwords.

You are correct, the answer is B. A. Developers might need limited update access to production data to perform their jobs and this access, when approved and reviewed by management, is acceptable even though it does pose a risk. B. Compromise of the application ID password can result in untraceable, unauthorized changes to production data; storing the password in cleartext poses the greatest risk. While the production code may be protected from update access, it is viewable by development teams. C. Knowledge of the application ID password by the change control team does not pose a great concern if adequate separation of duties exists between change control and development activities. There may be occasions when the application ID needs to be utilized by change control in the production environment. D. While the lack of a strong password policy and configuration can result in compromised accounts, the risk is lower than if the application ID password is compromised because the application ID password does not allow for traceability.
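The finding in answer B, as an added example that is not part of the original quiz text: the weak pattern (the application ID's password as a literal in source), the hardened pattern (the password supplied at runtime and never stored in the code), and a small scanner an auditor can run over production code to find quoted credential literals. The account name, password value, environment variable name and sample source are all constructed for the demonstration.

```python
import os
import re

# Weak pattern (what the finding describes): the application ID's password is
# a literal in the source, so anyone who can read the code can act as the app.
APP_ID_USER = "APP_ORDERS"
APP_ID_PASSWORD = "Orders#2017"       # constructed value; cleartext in code


def credentials_weak() -> tuple:
    return (APP_ID_USER, APP_ID_PASSWORD)


# Hardened pattern: the secret is injected at runtime (an environment variable
# here; a vault or OS credential store in practice) and never lives in the repo.
def credentials_hardened(env=None) -> tuple:
    env = os.environ if env is None else env
    pwd = env.get("APP_ID_PASSWORD")
    if not pwd:
        raise RuntimeError("APP_ID_PASSWORD not provided at runtime")
    return (APP_ID_USER, pwd)


def hardened_rejects_missing() -> bool:
    """True when no password is available at runtime and the app refuses to start."""
    try:
        credentials_hardened({})
    except RuntimeError:
        return True
    return False


# A minimal scanner for the cleartext pattern: a credential-like name assigned
# a quoted literal. It is deliberately simple; real scanners add entropy checks.
SECRET_RE = re.compile(r"""(?ix)
    (pass(word)?|passwd|pwd|secret|api[_-]?key|token)\b   # credential-ish name
    \s*[:=]\s*                                           # assignment
    ["'][^"']{6,}["']                                    # quoted literal value
""")


def scan_source(text: str) -> list:
    """(line number, stripped line) for each line assigning a quoted literal to a credential-like name."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if SECRET_RE.search(line)]


SAMPLE_SOURCE = """\
db_host = "orders-db.internal"
db_user = "APP_ORDERS"
db_password = "Orders#2017"
api_key: "sk_live_abcdef123456"
timeout = 30
password = os.environ["APP_ID_PASSWORD"]
"""


if __name__ == "__main__":
    for lineno, line in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: cleartext credential -> {line}")
    print("hardened refuses to start without a secret:", hardened_rejects_missing())
```

Line 6 of the constructed source is the hardened form and is correctly not flagged; lines 3 and 4 are the finding. Moving the secret out of the code also restores traceability, since the value can then be rotated and its use logged independently of who can read the repository.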

Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise's data? A. Exception reports Correct B. Segregation of duties (SoD) C. Review of access logs and activities D. Management supervision

You are correct, the answer is B. A. Exception reports are detective controls used to indicate when the activities of the database administrator (DBA) were performed without authorization. B. Adequate segregation of duties (SoD) can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task. C. Reviews of access logs are used to detect the activities performed by the DBA. D. Management supervision of DBA activities is used to detect which DBA activities were not authorized.

To protect a Voice-over Internet Protocol (VoIP) infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the: A. access control servers. Correct B. session border controllers. C. backbone gateways. D. intrusion detection system (IDS).

You are correct, the answer is B. A. Securing the access control server may prevent account alteration or lockout, but is not the primary protection against denial-of-service (DoS) attacks. B. Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and DoS attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. C. Backbone gateways are isolated and not readily accessible to hackers, so this is not a location of DoS attacks. D. Intrusion detection systems (IDSs) monitor traffic, but do not protect against DoS attacks.

Which of the following is an example of the defense in-depth security principle? A. Using two firewalls to consecutively check the incoming network traffic Correct B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Having no physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic

You are correct, the answer is B. A. Use of two firewalls would not represent an effective defense in-depth strategy because the same attack could circumvent both devices. By using two different products, the probability of both products having the same vulnerabilities is diminished. B. Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. C. Having no physical signs on the outside of a computer center building is a single security measure known as security by obscurity. D. Using two firewalls in parallel to check different types of incoming traffic provides redundancy but is only a single security mechanism and, therefore, no different than having a single firewall checking all traffic.

An IS auditor performing a data center review for a large company discovers that the data center has a lead-acid battery room to provide power to its uninterruptable power supply (UPS) during short-term outages and a diesel generator to provide long-term power backup. Which of the following items would cause the IS auditor the GREATEST concern? A. The service contract on the diesel generator is not current. Correct B. The battery room does not contain hydrogen sensors. C. The door to the battery room is kept locked. D. The battery room is next to the diesel generator yard.

You are correct, the answer is B. A. While a valid service contract is important, the bigger risk would be from a hydrogen explosion. B. Lead-acid batteries emit hydrogen, which is a highly explosive gas. Hydrogen detectors are a compensating control for ventilation system failure. All battery rooms should have hydrogen sensors as well as adequate ventilation systems. C. It is good practice to keep the door to the battery room locked to prevent entry by unauthorized personnel. D. With the generators located outdoors, the risk of a hydrogen explosion caused by the generators is negligible. Hydrogen sensors would notify data center personnel of a potential gas buildup so they could take the appropriate measures.

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing? A. Virus infection Correct B. Data leakage C. Network performance issues D. Unauthorized software usage

You are correct, the answer is B. A. While peer-to-peer computing does increase the risk of virus infection, the risk of data leakage is more severe, especially if it contains proprietary data or intellectual property. B. Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern. C. Peer-to-peer computing may utilize more network bandwidth and therefore may create performance issues. However, data leakage is a more severe risk. D. Peer-to-peer computing may be used to download or share unauthorized software, which users could install on their PCs unless other controls prevent it. However, data leakage is a more severe risk.

The MOST important factor in planning a black box penetration test is: A. the documentation of the planned testing procedure. B. a realistic evaluation of the environment architecture to determine scope. Correct C. knowledge by the management staff of the client organization. D. scheduling and deciding on the timed length of the test.

You are correct, the answer is C. A. A penetration test should be carefully planned and executed, but the most important factor is proper approvals. B. In a black box penetration test, the environment is not known to the testing organization. C. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. D. A test must be scheduled so as to minimize the risk of affecting critical operations; however, this is part of working with the management of the organization.

An IT auditor is reviewing an organization's information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure? A. Data Encryption Standard (DES) B. Message digest 5 (MD5) Correct C. Advanced Encryption Standard (AES) D. Secure Shell (SSH)

You are correct, the answer is C. A. Data Encryption Standard (DES) is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure. B. Message digest 5 (MD5) is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive. C. Advanced Encryption Standard (AES) provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible and so AES is the best choice for encrypting sensitive data. D. Secure Shell (SSH) is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote logon. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.

Which of the following presents an inherent risk with no distinct identifiable preventive controls? A. Piggybacking B. Viruses Correct C. Data diddling D. Unauthorized application shutdown

You are correct, the answer is C. A. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights (e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions). This could be prevented by encrypting the message. B. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer disks, transfer of logic over telecommunication lines or direct contact with an infected machine. Antivirus software can be used to protect the computer against viruses. C. Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. D. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.

A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed? A. On the local network B. Outside the firewall Correct C. In the demilitarized zone (DMZ) D. On the server that hosts the web site

You are correct, the answer is C. A. While an intrusion detection system (IDS) can be installed on the local network to ensure that systems are not subject to internal attacks, a company's public web server would not normally be installed on the local network, but rather in the demilitarized zone (DMZ). B. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would not be used to specifically protect the web application. C. Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to take action. D. A host-based IDS would be installed on the web server, but a network-based IDS would not.

A company is implementing a Dynamic Host Configuration Protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern? A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. Correct D. Access to a network port is not restricted.

You are correct, the answer is D. A. Dynamic Host Configuration Protocol (DHCP) provides convenience (an advantage) to the laptop users. B. The existence of a firewall can be a security measure. C. A limited number of IP addresses can be addressed through network address translation (NAT). D. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

Which of the following antispam filtering techniques would BEST prevent a valid, variable-length email message containing a heavily-weighted spam keyword from being labeled as spam? A. Heuristic (rule-based) B. Signature-based C. Pattern matching Correct D. Bayesian (statistical)

You are correct, the answer is D. A. Heuristic filtering is less effective because new exception rules may need to be defined when a valid message is labeled as spam. B. Signature-based filtering is useless against variable-length messages because the calculated message-digest algorithm 5 (MD5) hash changes all the time. C. Pattern matching is actually a degraded rule-based technique where the rules operate at the word level using wildcards and not at higher levels. D. Bayesian filtering applies statistical modeling to messages by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds.

Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure (PKI) with digital certificates for its business-to-consumer transactions via the Internet? A. Customers are widely dispersed geographically, but the certificate authorities (CAs) are not. B. Customers can make their transactions from any computer or mobile device. C. The CA has several data processing subcenters to administer certificates. Correct D. The organization is the owner of the CA.

You are correct, the answer is D. A. It is common to use a single certificate authority (CA). They do not need to be geographically dispersed. B. The use of public key infrastructure (PKI) and certificates allows flexible secure communications from many devices. C. The CA will often have redundancy and failover capabilities to alternate data centers. D. If the CA belongs to the same organization, this would pose a risk. The management of a CA must be based on trusted and secure procedures. If the organization has not set in place the controls to manage the registration, distribution and revocation of certificates, this could lead to a compromise of the certificates and loss of trust.
