Protection of Information Assets

A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the: A. date and time stamp of the message. B. identity of the originating computer. C. confidentiality of the message's content. D. authenticity of the sender.

D. Authenticity of the sender. Answer: D Explanation: The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and,therefore, does not assure confidentiality.

The responsibility for authorizing access to a business application system belongs to the: A. data owner. B. security administrator. C. IT security manager. D. requestor's immediate supervisor.

A. Data owner Answer: A Explanation: When a business application is developed, the best practice is to assign an information or data owner to the application. The Information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. Choices B and C are not correct because the security administrator and manager normally do not have responsibility for authorizing access to business applications. The requestor's immediate supervisor may share the responsibility for approving user access to a business application system; however, the final responsibility should go to the information owner.

Which of the following virus prevention techniques can be implemented through hardware? A. Remote booting B. Heuristic scanners C. Behavior blockers D. Immunizers

A. Remote booting. Answer: A Explanation: Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be implemented through hardware. Choice C is a detection, not a prevention, although it is hardware-based. Choices B and D are not hard ware-based.

An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks? A. Denial-of-service B. Replay C. Social engineering D. Buffer overflow

A. Denial of service. Answer: A Explanation: Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-uservulnerabilities, and buffer overflow attacks exploit poorly written code.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? A. An application-level gateway B. A remote access server C. A proxy server D. Port scanning

A. An Application level gateway. Answer: A Explanation: An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted, it analyzes in detail each package, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet creating security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping.

Sending a message and a message hash encrypted by the sender's private key will ensure: A. authenticity and integrity. B. authenticity and privacy. C. integrity and privacy. D. privacy and nonrepudiation.

A. Authenticity and integrity Answer: A Explanation: If the sender sends both a message and a message hash encrypted by its private key, then the receiver can apply the sender's public key to the hash and get the message hash. The receiver can apply the hashing algorithm to the message received and generate a hash. By matching the generated hash with the one received, the receiver is ensured that the message has been sent by the specific sender, i.e., authenticity, and that the message has not been changed enroute. Authenticity and privacy will beensured by first using the sender's private key and then the receiver's public key to encrypt the message. Privacy and integrity can be ensured by using the receiver's public key to encrypt the message and sending a message hash/digest. Only nonrepudiation can be ensured by using the sender's private key to encrypt the message. The sender's public key, available to anyone, can decrypt a message; thus, it does not ensure privacy.

Which of the following is the GREATEST advantage of elliptic curve encryption over RSA encryption? A. Computation speed B. Ability to support digital signatures C. Simpler key distribution D. Greater strength for a given key length

A. Computation speed. Answer: A Explanation: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was first independently suggested by Neal Koblitz and Victor S. Miller. Both encryption methods support digital signatures and are used for public key encryption and distribution. However, a stronger key per se does not necessarily guarantee better performance, but rather the actual algorithm employed.

Which of the following would be BEST prevented by a raised floor in the computer machine room? A. Damage of wires around computers and servers B. A power failure from static electricity C. Shocks from earthquakes D. Water flood damage.

A. Damage of wires around computers and servers. Answer: A Explanation: The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor. Staticelectricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

An organization can ensure that the recipients of e-mails from its employees can authenticate the identity of the sender by: A. digitally signing all e-mail messages. B. encrypting all e-mail messages. C. compressing all e-mail messages. D. password protecting all e-mail messages.

A. Digitally signing all e-mail messages. Answer: A Answer: A Explanation: By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of the sender. Encrypting all e-mail messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. Compressing all e-mail messages would reduce the size of the message, but would not ensure the authenticity. Password protecting all e-mail messages would ensure that only those who have the password would be able toopen the message; however, it would not ensure the authenticity of the sender.

During the review of a biometrics system operation, an IS auditor should FIRST review the stage of: A. enrollment. B. identification. C. verification. D. storage.

A. Enrollment. Answer: A Explanation: The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.

An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important? A. False-acceptance rate (FAR) B. Equal-error rate (EER) C. False-rejection rate (FRR) D. False-identification rate (FIR)

A. False- Acceptance Rate (FAR) Answer: A Explanation: FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied, in an organization with high security requirements, user annoyance with a higher FRR is less important, since it is better to deny access to an authorized individual than to grant access to an unauthorized individual. EER is the point where the FAR equals the FRR; therefore, it does not minimize the FAR. FIR is the probability that an authorized person is identified, but is assigned a false ID.

Which of the following is a feature of an intrusion detection system (IDS)? A. Gathering evidence on attack attempts B. Identifying weaknesses in the policy definition C. Blocking access to particular sites on the Internet D. Preventing certain users from accessing specific servers

A. Gathering evidence on attack attempts. Answer: A Explanation: An IDS can gather evidence on intrusive activity such as an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, while choice B requires a manual review, and therefore is outside the functionality of an IDS.

Validated digital signatures in an e-mail software application will: A. help detect spam. B. provide confidentiality. C. add to the workload of gateway servers. D. significantly reduce available bandwidth.

A. Help detect spam. Answer: A Explanation: Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in e-mail traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure their e-mail server or client to automatically delete e-mails from specific senders. For confidentiality issues, one must use encryption, not a signature, although both methods can be based on qualified certificates. Without any filters directly applied on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in an overhead less than antivirus software imposes. Digital signatures are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check CRLs, there is little overhead.

Which of the following functions is performed by a virtual private network (VPN)? A. Hiding information from sniffers on the net B. Enforcing security policies C. Detecting misuse or mistakes D. Regulating access

A. Hiding information from sniffers on the net. Answer: A Explanation: A VPN hides information from sniffers on the net using encryption. It works based on tunneling. A VPN does not analyze information packets and, therefore, cannot enforce security policies, it also does not check the content of packets, so it cannot detect misuse or mistakes. A VPN also does not perform an authentication function and, therefore, cannot regulate access.

Which of the following acts as a decoy to detect active internet attacks? A. Honeypots B. Firewalls C. Trapdoors D. Traffic analysis

A. Honeypots Answer: A Explanation: Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a type of passive attack.

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed? A. Reliability and quality of service (QoS) B. Means of authentication C. Privacy of voice transmissions D. Confidentiality of data transmissions

A. Reliability and quality of service (QoS) Answer: A Explanation: The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.

The GREATEST risk when end users have access to a database at its system level, instead of through the application, is that the users can: A. make unauthorized changes to the database directly, without an audit trail. B. make use of a system query language (SQL) to access information. C. remotely access the database. D. update data without authentication.

A. Make unauthorized changes to the databse directly, without an audit trail. Answer: A Explanation: Having access to the database could provide access to database utilities, which can update the database without an audit trail and without using the application. Using SQL only provides read access to information, in a networked environment, accessing the database remotely does not make a difference. What is critical is what is possible or completed through this access. To access a database, it is necessary that a user is authenticated using a user ID.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? A. Malicious code could be spread across the network B. VPN logon could be spoofed C. Traffic could be sniffed and decrypted D. VPN gateway could be compromised

A. Malicious code could be spread across the network. Answer: A Explanation: VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.

Which of the following attacks targets the Secure Sockets Layer (SSL)? A. Man-in-the middle B. Dictionary C. Password sniffing D. Phishing

A. Man-in-the middle. Answer:A Explanation: Attackers can establish a fake Secure Sockets Layer (SSL) server to accept user's SSL traffic and then route to the real SSL server, so that sensitive information can be discovered. A dictionary attack that has been launched to discover passwords would not attack SSL since SSL does not rely on passwords. SSL traffic is encrypted, thus it is not possible to sniff the password. A phishing attack targets a user and not SSL Phishing attacks attempt to have the user surrender private information byfalsely claiming to be a trusted person or enterprise.

The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure: A. only the sender and receiver are able to encrypt/decrypt the data. B. the sender and receiver can authenticate their respective identities. C. the alteration of transmitted data can be detected. D. the ability to identify the sender by generating a one-time session key.

A. Only the sender and receiver are able to encrpyt/decrpyt the data. Answer: A Explanation: SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X509 certificates to provide for identification and authentication, this feature along with choices C and D are not the primary objectives.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies

A. Power line conditioners. Answer: A Explanation: Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protection devices protect against highvoltage bursts. Alternative power supplies are intended for computer equipment running for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. An interruptible power supply would cause the equipment to come down whenever there was a power failure.

Which of the following is a benefit of using a callback device? A. Provides an audit trail B. Can be used in a switchboard environment C. Permits unlimited user mobility D. Allows call forwarding

A. Privdes an audit trail. Answer: A A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can be controlled through callback systems that are available.

When installing an intrusion detection system (IDS), which of the following is MOST important? A. Properly locating it in the network architecture B. Preventing denial-of-service (DoS) attacks C. Identifying messages that need to be quarantined D. Minimizing the rejection errors

A. Properly locating it in the network architecture. Answer: A Explanation: Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.

The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data? A. SSL encryption B. Two-factor authentication C. Encrypted session cookies D. IP address verification

A. SSL encryption. Answer: A Explanation: The main risk in this scenario is confidentiality, therefore the only option which would provide confidentiality is Secure Socket Layer (SSL) encryption. The remaining options deal with authentication issues.

The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment: A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities. B. and penetration tests are different names for the same activity. C. is executed by automated tools, whereas penetration testing is a totally manual process. D. is executed by commercial tools, whereas penetration testing is executed by public processes.

A. Searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities. Answer: A Explanation: The objective of a vulnerability assessment is to find the security holds in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker's activities and determine how far they could go into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can be executed by automated or manual tools or processes and can be executed by commercial or free tools.

E-mail message authenticity and confidentiality is BEST achieved by signing the message using the: ( A) sender's private key and encrypting the message using the receiver's public key. B. sender's public key and encrypting the message using the receiver's private key. C. receiver's private key and encrypting the message using the sender's public key. D. receiver's public key and encrypting the message using the sender's private key.

A. Senders private key and encrpyting the mssage using the receiver's public key. Answer: A Answer: A Explanation: By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. By encrypting the message with the receiver's public key, only the receiver can decrypt the message using their own private key. The receiver's private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender's private key can be read by anyone with the sender's public key.

A firm is considering using biometric fingerprint identification on all PCs that access critical datA. This requires: A. that a registration process is executed for all accredited PC users. B. the full elimination of the risk of a false acceptance. C. the usage of the fingerprint reader be accessed by a separate password. D. assurance that it will be impossible to gain unauthorized access to critical data.

A. That a registration process is executed for all accredited PC users. Answer: A Explanation: The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice B is incorrect, as the false-acceptance risk of a biometric device may be optimized, but will never be zero because this would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint device reads the token (the user's fingerprint) and does not need to be protected in itself by a password. Choice Dis incorrect because the usage of biometric protection on PCs does not guarantee that other potential security weaknesses in the system may not be exploited to access protected data.

To ensure message integrity, confidentiality and non repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against: A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key. B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key. C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key. D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.

A. The entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the reciever's public key. Answer: A Explanation: Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses non repudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's non repudiation. The other choices would address only a portion of the requirements.

Which of the following is an example of a passive attack initiated through the Internet? A. Traffic analysis B. Masquerading C. Denial of service D. E-mail spoofing

A. Traffic Analysis Answer: A Explanation: Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-ofservice attacks, dial-in penetration attacks, e-mail bombing and spamming, and e-mail spoofing.

What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks? A. Unauthorized individuals wait for controlled doors to open and walk in behind those authorized. B. The contingency plan for the organization cannot effectively test controlled access practices. C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the control. D. Removing access for those who are no longer authorized is complex.

A. Unauthroized individuals wait for controlled doors to open and walk in behind those authorized. Answer: A Explanation: The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable future.

Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization? A. Virtual private network B. Dedicated line C. Leased line D. integrated services digital network

A. Virtual Private Network. Answer: A Explanation: The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.

Which of the following is the MOST effective control over visitor access to a data center? A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.

A. Vistors are escorted. Answer: A Explanation: Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? A. implement a log management process B. implement a two-factor authentication C. Use table views to access sensitive data D. Separate database and application servers

Answer: A Explanation: Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. Choice B, implementing a two-factor authentication, and choice C, using table views to access sensitive data, are controls that would limit access to the database to authorized users but would not resolve the accountability problem. Choice D may help in a better administration or even in implementing access controls but, again, does not address the accountability issues.

In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer? A. Nonrepudiation B. Encryption C. Authentication D. Integrity

Answer: A Explanation: Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.

E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. D. close firewall-1.

Answer: C Explanation: Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. Closing firewa!l-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.

To determine who has been given permission to use a particular system resource, an IS auditor should review: A. activity lists. B. access control lists. C. logon ID lists. D. password lists.

B. Access control lists. Answer: B Answer: B Explanation: Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.

When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor? A. Hard disks are overwritten several times at the sector level, but are not reformatted before leaving the organization. B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization. D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. Answer: B Explanation: Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free. There are tools available over the Internet which allow one to reconstruct most of a hard disk's contents. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables. Reformatting is not necessary since all contents are destroyed. Overwriting several times makes useless some forensic measures which are able to reconstruct former contents of newly overwritten sectors by analyzing special magnetic features of the platter's surface. While hole-punching does not delete file contents, the hard disk cannot be used anymore, especially when head parking zones and track zero information are impacted. Reconstructing data would be extremely expensive since all analysis must be performed under a clean room atmosphere and is only possible within a short time frame or until the surface is corroded. Data reconstruction fromshredded hard disks is virtually impossible, especially when the scrap is mixed with other metal parts. If the transport can be secured and the destruction be proved as described in the option, this is a valid method of disposal.

A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization's data? A. Introduce a secondary authentication method such as card swipe B. Apply role-based permissions within the application system C. Have users input the ID and password for each database transaction D. Set an expiration period for the database password embedded in the program

B. Apply role-based permissions within the application system. Answer: B Answer: B Explanation: When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user's role. The issue is user permissions, not authentication, therefore adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.

An IS auditor finds that a DBA has read and write access to production datA. The IS auditor should: A. accept the DBA access as a common practice. B. assess the controls relevant to the DBA function. C. recommend the immediate revocation of the DBA access to production data. D. review user access authorizations approved by the DBA.

B. Asses the controls relevant to the DBA function. Answer: B Explanation: It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBAshould have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production datA. Granting user authorizations is the responsibility of the dataowner and not the DBA.

An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the: A. maintenance of access logs of usage of various system resources. B. authorization and authentication of the user prior to granting access to system resources. C. adequate protection of stored data on servers by encryption or other means. D. accountability system and the ability to identify any terminal accessing system resources.

B. Authorization and uathentication of the user prior to granting access to system resources. Answer: B Explanation: The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.

Inadequate programming and coding practices introduce the risk of: A. phishing. B. buffer overflow exploitation. C. SYN flood. D. brute force attacks.

B. Buffer overflow exploitation. Answer: B Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. Phishing, SYN flood and brute force attacks happen independently of programming and coding practices.

Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key? A. Certificate revocation list (CRL) B. Certification practice statement (CPS) C. Certificate policy (CP) D. PKI disclosure statement (PDS)

B. Certificate practice statement (CPS) Answer: B The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items.such as the warranties, limitations and obligations that legally bind each party.

Active radio frequency ID (RFID) tags are subject to which of the following exposures? A. Session hijacking B. Eavesdropping C. Malicious code D. Phishing

B. Eavesdropping. Asnwer: B Explanation: Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not subject to session hijacking, malicious code or phishing.

Which of the following is the BEST practice to ensure that access authorizations are still valid? A. information owner provides authorization for users to gain access B. identity management is integrated with human resource processes C. information owners periodically review the access controls D. An authorization matrix is used to establish validity of access

B. Identity management is integrated with human resource processes. Answer: B Explanation: Personnel and departmental changes can result in authorization creep and can impact the effectiveness of access controls. Many times when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized access. The best practices for ensuring access authorization is still valid is to integrate identity management with human resources processes. When an employee transfers to a different function,access rights are adjusted at the same time.

Which of the following would MOST effectively enhance the security of a challengeresponse based authentication system? A. Selecting a more robust algorithm to generate challenge strings B. implementing measures to prevent session hijacking attacks C. increasing the frequency of associated password changes D. increasing the length of authentication strings

B. Implementing measures to prevent session hijacking attacks. Answer: B Explanation: Challenge response-based authentication is prone to session hijacking or man-in-themiddle attacks. Security management should be aware of this and engage in risk assessment and control design when they employ this technology. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk when compared to man-in-the-middle attacks. Choices C and D are good security practices; however, they are not as effective a preventive measure. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk.

Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)? A. Encrypts the information transmitted over the network B. Makes other users' certificates available to applications C. Facilitates the implementation of a password policy D. Stores certificate revocation lists (CRLs)

B. Make other users' certifications available to applications. Answer: B Answer: B Explanation: A directory server makes other users' certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKl).

Two-factor authentication can be circumvented through which of the following attacks? A. Denial-of-service B. Man-in-the-middle C. Key logging D. Brute force

B. Man- in-the-middle Answer: B Explanation: A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-ofservice attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.

Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database? A. Signature-based B. Neural networks-based C. Statistical-based D. Host-based

B. Neural networks-based Answer: B Explanation: The neural networks-based IDS monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but has the added function of self-learning. Signature-based systems are a type of IDS in which the intrusive patterns identified are stored in the form of signatures. These IDS systems protect against detected intrusion patterns. Statistical-based systems need a comprehensive definition of the known and expected behavior of systems. Host-based systems are not a type of IDS, but a category of IDS, and are configured for a specific environment. They will monitor various internal resources of the operating system to warn of a possible attack.

Which of the following message services provides the strongest evidence that a specific action has occurred? A. Proof of delivery B. Nonrepudiation C. Proof of submission D. Message origin authentication

B. Nonrepudiation. Answer: B Explanation: Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiationprovides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. Message origination authentication will only confirm the source of the message and does not confirm the specificaction that has been completed.

Which of the following results in a denial-of-service attack? A. Brute force attack B. Ping of death C. Leapfrog attack D. Negative acknowledgement (NAK) attack

B. Ping of death. Answer: B Explanation: The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. A negative acknowledgement attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

Over the long term, which of the following has the greatest potential to improve the security incident response process? A. A walkthrough review of incident response procedures B. Postevent reviews by the incident response team C. Ongoing security training for users D. Documenting responses to an incident

B. Postevent reviews by the incident response team. Answer: B Explanation: Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.

To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the: A. access control servers. B. session border controllers. C. backbone gateways. D. intrusion detection system (IDS).

B. Session border controllers Answer: B Answer: B Explanation: Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user's real address and provide a managed public address. This public address can be monitored, minimizing the opportunities forscanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall's effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users' real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.

The MOST likely explanation for a successful social engineering attack is: A. that computers make logic errors. B. that people make judgment errors. C. the computer knowledge of the attackers. D. the technological sophistication of the attack method.

B. That people make judgement errors. Answer: B Explanation: Humans make errors in judging others; they may trust someone when, in fact, the person is untrustworthy. Driven by logic, computers make the same error every time they execute the erroneous logic; however, this is not the basic argument in designing a social engineering attack. Generally, social engineering attacks do not require technological expertise; often, the attacker is not proficient in information technology or systems. Social engineering attacks are human-based and generally do not involve complicated technology.

When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk? A. There is no registration authority (RA) for reporting key compromises. B. The certificate revocation list (CRL) is not current. C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures. D. Subscribers report key compromises to the certificate authority (CA).

B. The certificate revocation list (CRL) is not current. Answer: B Explanation: If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). Digital certificates containing a public key that is used to encrypt messages and verifying digital signatures is not a risk. Subscribers reporting key compromises to the CA is not a risk since reporting this to the CA enables the CA to take appropriate action.

An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure? A. The corporate network is using an intrusion prevention system (IPS) B. This part of the network is isolated from the corporate network C. A single sign-on has been implemented in the corporate network D. Antivirus software is in place to protect the corporate network

B. This part of the network is isolated from the corporate network. Answer: B Explanation: If the conference rooms have access to the corporate network, unauthorized users may be able to connect to the corporate network; therefore, both networks should be isolated either via a firewall or being physically separated. An I PS would detect possible attacks, but only after they have occurred. A single sign-on would ease authentication management. Antivirus software would reduce the impact of possible viruses; however, unauthorized users would still be able to access the corporate network, which is the biggest risk.

A virtual private network (VPN) provides data confidentiality by using: A. Secure Sockets Layer (SSL) B. Tunnelling C. Digital signatures D. Phishing

B. Tunnelling. Answer: B Answer: B Explanation: VPNs secure data in transit by encapsulating traffic, a process known as tunnelling. SSL is a symmetric method of encryption between a server and a browser. Digital signatures are not used in the VPN process, while phishing is a form of a social engineering attack.

Which of the following is an example of the defense in-depth security principle? A. Using two firewalls of different vendors to consecutively check the incoming network traffic B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic C. Having no physical signs on the outside of a computer center building D. Using two firewalls in parallel to check different types of incoming traffic

B. Using a firewall as well as logical access controls on the hosts to control incoming network traffic. Answer: B Explanation: Defense in-depth means using different security mechanisms that back each other up. When network traffic passes the firewall unintentionally, the logical access controls form a second line of defense. Using two firewalls of different vendors to consecutively check the incoming network traffic is an example of diversity in defense. The firewalls are the same security mechanisms. By using two different products the probability of both products having the same vulnerabilities is diminished. Havingno physical signs on the outside of a computer center building is a single security measure. Using two firewalls in parallel to check different types of incoming traffic is a single security mechanism and therefore no different than having a single firewall checking all traffic.

Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? A. Server antivirus software B. Virus walls C. Workstation antivirus software D. Virus signature updating

B. Virus walls Answer: B Explanation: An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integral part of firewall technologies, is referred to as a virus wall. Virus walls scan incoming traffic with the intent of detecting and removing viruses before they enter the protected network. The presence of virus walls does not preclude the necessity for installing virus detection software on servers and workstations within the network, but network-level protection is most effective the earlier the virus is detected. Virus signature updating is a must in all circumstances, networked or not.

An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy? A. Stateful inspection firewall B. Web content filter C. Web cache server D. Proxy server

B. Web content filter. Answer: B Answer: B Explanation: A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. A stateful inspection firewall is of little help in filtering web traffic since it does not review the content of the web site nor does it take into consideration the sites classification. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. A proxy server is incorrect because a proxy server is a server which services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.

The MOST effective biometric control system is the one: A. which has the highest equal-error rate (EER). B. which has the lowest EER. C. for which the false-rejection rate (FRR) is equal to the false-acceptance rate (FAR). D. for which the FRR is equal to the failure-to-enroll rate (FER).

B. Which has the lowest EER Answer: B Explanation: The equal-error rate (EER) of a biometric system denotes the percent at which the false- acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. The biometric that has the highestEER is the most ineffective. For any biometric, there will be a measure at which the FRR will be equal to the FAR. This is the EER. FER is an aggregate measure of FRR.

Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet? A. A remote access server B. A proxy server C. A personal firewall D. A password-generating token

C. A personel firewall. Answer: C Explanation: A personal firewall is the best way to protect against hacking, because it can be defined with rules that describe the type of user or connection that is or is not permitted. A remote access server can be mapped or scanned from the Internet, creating security exposures. Proxy servers can provide protection based on the IP address and ports; however, an individual would need to have in-depth knowledge to do this, and applications can use different ports for the different sections of their program. A password-generating token may help to encrypt the session but does not protect a computer against hacking.

Which of the following satisfies a two-factor user authentication? A. Iris scanning plus fingerprint scanning B. Terminal ID plus global positioning system (GPS) C. A smart card requiring the user's PIN D. User ID along with password

C. A smart card requring the user's PIN Answer: C Explanation: A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometrics method, such as fingerprint, iris scan or voice verification, to prove biology. This is not a two-factor user authentication, because it proves only who the user is. A global positioning system (GPS) receiver reports on where the user is. The use of an ID and password (what the user knows) is a singlefactor user authentication.

When using a digital signature, the message digest is computed: A. only by the sender. B. only by the receiver. C. by both the sender and the receiver. D. by the certificate authority (CA).

C. By both the sender and the receiver. Answer: C Explanation: A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm and compare results with what was sent to ensure the integrity of the message.

Accountability for the maintenance of appropriate security measures over information assets resides with the: A. security administrator. B. systems administrator. C. data and systems owners. D. systems operations group.

C. Data and systems owners Answer: C Explanation: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

Which of the following physical access controls effectively reduces the risk of piggybacking? A. Biometric door locks B. Combination door locks C. Deadman doors D. Bolting door locks

C. Deadman doors Answer: C Explanation: Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding areA. This effectively reduces the risk of piggybacking. An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a numeric key pad or dial to gain entry. They do notprevent or reduce the risk of piggybacking since unauthorized individuals may still gain access to the processing center. Bolting door locks require the traditional metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.

The sender of a public key would be authenticated by a: A. certificate authority, B. digital signature. C. digital certificate. D. registration authority.

C. Digital certificate Answer: C Explanation: A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message. A certificate authority issues the digital certificates, and distributes, generates and manages public keys. A digital signature is used to ensure integrity of the message being sent and solve the nonrepudiation issue of message origination. The registration authority would perform most of the administrative tasks of a certificate authority, i.e., registration of the users of a digital signature plus authenticating the information that is put in the digital certificate.

A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident? A. Dump the volatile storage data to a disk. B. Run the server in a fail-safe mode. C. Disconnect the web server from the network. D. Shut down the web server.

C. Disconnect the web server from the network. Answer: C Explanation: The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

Which of the following ensures a sender's authenticity and an e-mail's confidentiality? A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key.

C. Encrpyting the hash of the message with the sender's private key and thereafter encrpyting the message with the receiver's private key. Answer: C Explanation: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key, and then with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.

The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate. B. false-acceptance rate. C. equal-error rate. D. estimated-error rate.

C. Equal-error rate Answer: C Explanation: A low equal-error rate (EER) is a combination of a low false-rejection rate and a low falseacceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EERis the measure of the more effective biometrics control device. Low false-rejection rates or low falseacceptance rates alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant..

Which of the following provides the MOST relevant information for proactively strengthening security settings? A. Bastion host B. Intrusion detection system C. Honeypot D. Intrusion prevention system

C. Honeypot Answer: C Explanation: The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.

Which of the following potentially blocks hacking attempts? A. intrusion detection system B. Honeypot system C. Intrusion prevention system D. Network security scanner

C. Intrusion prevention system. Answer: C Explanation: An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stopthem. A honeypot solution traps the intruders to explore a simulated target. A network security scanner scans for the vulnerabilities, but it will not stop the intrusion.

Which of the following aspects of symmetric key encryption influenced the development of asymmetric encryption? A. Processing power B. Volume of data C. Key distribution D. Complexity of the algorithm

C. Key Distribution Answer: C Explanation: Symmetric key encryption requires that the keys be distributed. The larger the user group, the more challenging the key distribution. Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power than asymmetrictechniques, thus making it ideal for encrypting a large volume of datA. The major disadvantage is the need to get the keys into the hands of those with whom you want to exchange data, particularly in e-commerce environments, where customers are unknown, untrusted entities.

Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack? A. 128-bit wired equivalent privacy (WEP) B. MAC-basedpre-sharedkey(PSK) C. Randomly generated pre-shared key (PSKJ D. Alphanumeric service set identifier (SSID)

C. Randomly generated pre-shared key (PSKJ) Explanation: A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.

When conducting a penetration test of an IT system, an organization should be MOST concerned with: A. the confidentiality of the report. B. finding all possible weaknesses on the system. C. restoring all systems to the original state. D. logging all changes made to the production system.

C. Restoring all systems to the original state. Answer: C Explanation: All suggested items should be considered by the system owner before agreeing to penetration tests, but the most important task is to be able to restore all systems to their original state. Information that is created and/or stored on the tested systems should be removed from these systems. If for some reason, at the end of the penetration test, this is not possible, all files (with their location) should be identified in the technical report so that the client's technical staff will be able to remove these after the report has been received.

Which of the following should concern an IS auditor when reviewing security in a clientserver environment? A. Protecting data using an encryption technique B. Preventing unauthorized access using a diskless workstation C. The ability of users to access and modify the database directly D. Disabling floppy drives on the users' machines

C. The ability of users to access and modify the database directly. Answer: C Explanation: For the purpose of data security in a client-server environment, an IS auditor should be concerned with the users ability to access and modify a database directly. This could affect the integrity of the data in the database. Data protected by encryption aid in securing the datA. Diskless workstations prevent copying of data into local disks and thus help to maintain the integrity and confidentiality of datA. Disabling floppy drives is a physical access control, which helps to maintain the confidentiality of data by preventing it from being copied onto a disk.

A perpetrator looking to gain access to and gather information about encrypted data being transmitted over the network would use: A. eavesdropping. B. spoofing. C. traffic analysis. D. masquerading.

C. Traffic analysis Answer: C Explanation: In traffic analysis, which is a passive attack, an intruder determines the nature of the traffic flow between defined hosts and through an analysis of session length, frequency and message length, and the intruder is able to guess the type of communication taking place. This typically is used when messages are encrypted and eavesdropping would not yield any meaningful results, in eavesdropping, which also is a passive attack, the intruder gathers the information flowing through the network withthe intent of acquiring and releasing message contents for personal analysis or for third parties. Spoofing and masquerading are active attacks, in spoofing, a user receives an e-mail that appears to have originated from one source when it actually was sent from another source. In masquerading, the intruder presents an identity other than the original identity.

Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the internet? A. Transport mode with authentication header (AH) plus encapsulating security payload (ESP) B. Secure Sockets Layer (SSL) mode C. Tunnel mode with AH plus ESP D. Triple-DES encryption mode

C. Tunnel mode with AH plus ESP Answer: C Answer: C Explanation: Tunnel mode provides protection to the entire IP package. To accomplish this, AH and ESP services can be nested. The transport mode provides primary protection for the higher layers of the protocols by extending protection to the data fields (payload) of an IP package. The SSL mode provides security to the higher communication layers (transport layer). The triple-DES encryption mode is an algorithm that provides confidentiality

In an online banking application, which of the following would BEST protect against identity theft? A. Encryption of personal password B. Restricting the user to a specific terminal C. Two-factor authentication D. Periodic review of access logs

C. Two-factor authentication. Answer: C Answer: C Explanation: Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring twoof these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective controland does not protect against identity theft.

The use of digital signatures: A. requires the use of a one-time password generator. B. provides encryption to a message. C. validates the source of a message. D. ensures message confidentiality

C. Validates the source of the message. Answer: C Explanation: The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.

An IS auditor should be MOST concerned with what aspect of an authorized honeypot? A. The data collected on attack methods B. The information offered to outsiders on the honeypot C. The risk that the honeypot could be used to launch further attacks on the organization's infrastructure D. The risk that the honeypot would be subject to a distributed denial-of-service attack

C. the riskthat the honeypot could be used to launch further attacks on the organization's infrastructure. Answer: C Explanation: Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise's systems. Choices A and B are purposes for deploying a honeypot, not a concern. Choice D, the risk that thehoneypot would be subject to a distributed denial-of-service (DDoS) attack, is not relevant, as the honeypot is not a critical device for providing service.

After observing suspicious activities in a server, a manager requests a forensic analysis. Which of the following findings should be of MOST concern to the investigator? A. Server is a member of a workgroup and not part of the server domain B. Guest account is enabled on the server C. Recently, 100 users were created in the server D. Audit logs are not enabled for the server

D. Audit logs are not enabled for the server. Answer: D Explanation: Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is apoor security practice but not a forensic investigation concern. Recently creating 100 users in the server may have been required to meet business needs and should not be a concern.

Minimum password length and password complexity verification are examples of: A. detection controls. B. control objectives. C. audit objectives. D. control procedures.

D. Control procedures. Answer: D Explanation: Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.

An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the: A. process owners. B. system administrators. C. security administrator. D. data owners.

D. Data owners. Answer: D Explanation: Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.

Which of the following is the MOST robust method for disposing of magnetic media that contains confidential information? A. Degaussing B. Defragmenting C. Erasing D. Destroying

D. Destroying Answer: D Explanation: Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing or demagnetizing is not sufficient to fully erase information from magnetic mediA. The purpose of defragmentation is to eliminate fragmentation in file systems and does not remove information. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.

An accuracy measure for a biometric system is: A. system response time. B. registration time. C. input file size. D. false-acceptance rate.

D. False- acceptance rate Answer: D Explanation: For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.

An organization is planning to replace its wired networks with wireless networks. Which of the following would BEST secure the wireless network from unauthorized access? A. Implement Wired Equivalent Privacy (WEP) B. Permit access to only authorized Media Access Control (MAC) addresses C. Disable open broadcast of service set identifiers (SSID) D. Implement Wi-Fi Protected Access (WPA) 2

D. Implement Wi-Fi Protected Access (WPA) 2 Answer: D Explanation: Wi-Fi Protected Access (WPA) 2 implements most of the requirements of the IEEE 802.11i standard. The Advanced Encryption Standard (AESJ used in WPA2 provides better security. Also, WPA2 supports both the Extensible Authentication Protocol and the preshared secret key authentication model. Implementing Wired Equivalent Privacy (WEP) is incorrect since it can be cracked within minutes. WEP uses a static key which has to be communicated to all authorized users, thus management is difficult. Also, there is a greater vulnerability if the static key is not changed at regular intervals. The practice of allowing access based on Media Access Control (MAC) is not a solution since MAC addresses can be spoofed by attackers to gain access to the network. Disabling open broadcast of service set identifiers (SSID) is not the correct answer as they cannot handle access control.

To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend: A. online terminals are placed in restricted areas. B. online terminals are equipped with key locks. C. ID cards are required to gain access to online terminals. D. online access is terminated after a specified number of unsuccessful attempts.

D. Online access is terminated after a specified number of unsuccessful attempts. Answer: d Explanation: The most appropriate control to prevent unauthorized entry is to terminate connection after a specified number of attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized accesses via telephone lines.

An organization is disposing of a number of laptop computers. Which of the following data destruction methods would be the MOST effective? A. Run a low-level data wipe utility on all hard drives B. Erase all data file directories C. Format all hard drives D. Physical destruction of the hard drive

D. Physcial destruction of the hard drive. Answer: D Explanation: The most effective method is physical destruction. Running a low-level data wipe utility may leave some residual data that could be recovered; erasing data directories and formatting hard drives are easily reversed, exposing all data on the drive to unauthorized individuals.

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it? A. Rewrite the hard disk with random Os and Is. B. Low-level format the hard disk. C. Demagnetize the hard disk. D. Physically destroy the hard disk.

D. Physcially destory the hard disk. Answer: D Explanation: Physically destroying the hard disk is the most economical and practical way to ensure that the data cannot be recovered. Rewriting data and low-level formatting are impractical, because the hard disk is damaged. Demagnetizing is an inefficient procedure, because it requires specialized and expensive equipment to be fully effective.

An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

D. Steganography. Answer: D Explanation: Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.

Which of the following would prevent unauthorized changes to information stored in a server's log? A. Write-protecting the directory containing the system log B. Writing a duplicate log to another server C. Daily printing of the system log D. Storing the system log in write-once media

D. Storing the system log in write- once media. Answer: D Explanation: Storing the system log in write-once media ensures the log cannot be modified. Writeprotecting the system log does not prevent deletion or modification, since the superuser or users that have special permission can override the write protection. Writing a duplicate log to another server or daily printing of the system log cannot prevent unauthorized changes.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: A. IDS sensors are placed outside of the firewall. B. a behavior-based IDS is causing many false alarms. C. a signature-based IDS is weak against new types of attacks. D. the IDS is used to detect encrypted traffic.

D. The IDS is used to detect encrpyted traffic. Answer: D Explanation: An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is also expected from a signaturebased IDS, because it can only recognize attacks that have been previously identified.

An IS auditor doing penetration testing during an audit of internet connections would: A. evaluate configurations. B. examine security settings. C. ensure virus-scanning software is in use. D. use tools and techniques available to a hacker.

D. Use tools and techniques available to a hacker. Answer: D Explanation: Penetration testing is a technique used to mimic an experienced hacker attacking a live site by using tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider undertaking during an audit of Internet connections, but are not aspects of penetration testing techniques.

Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the internet? A. Customers are widely dispersed geographically, but the certificate authorities are not. B. Customers can make their transactions from any computer or mobile device. C. The certificate authority has several data processing subcenters to administer certificates. D. The organization is the owner of the certificate authority.

D. The organization is the owner of the certificate authority. Answer: D Explanation: If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, they could allege that because of the shared interests, an unlawful agreement exists between the parties generating the certificates, if a customer wanted to repudiate a transaction, they could argue that there exists a bribery between the parties to generate the certificates, as shared interests exist. The other options are not weaknesses.

Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient? A. The recipient uses their private key to decrypt the secret key. B. The encrypted prehash code and the message are encrypted using a secret key. C. The encrypted prehash code is derived mathematically from the message to be sent. D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the prehash code.

D. The recipient uses the sender's public key, verified with a certificate authority, to decrpyt the prehas code. Answer: D Explanation: Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender's public key to decrypt the prehash code into a posthash code, which when equaling the prehash code, verifies the identity of the sender and that the message has not been changed in route; this would provide the greatest assurance. Each sender and recipient has a private key known only to themselves and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key, and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders' and recipients' public keys.

Which of the following is a passive attack to a network? A. Message modification B. Masquerading C. Denial of service D. Traffic analysis

D. Traffic Analysis Answer: D Explanation: The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. Masquerading is an active attack in which the intruder presents an identity other than the original identity. Denial of service occurs when a computer connected to thelnternet is flooded with data and/or requests that must be processed

Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by hackers using which of the following? A. Logic bombs B. Phishing C. Spyware D. Trojan horses

D. Trojan Horse Answer: D Explanation: Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.

Which of the following controls would BEST detect intrusion? A. User IDs and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system occurs after a specified number of unsuccessful attempts. D. Unsuccessful logon attempts are monitored by the security administrator.

D. Unsuccessful logon attempts are monitored by the security administrator. Answer: D Explanation: Intrusion is detected by the active monitoring and review of unsuccessful logons. User IDs and the granting of user privileges define a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting.

The reliability of an application system's audit trail may be questionable if: A. user IDs are recorded in the audit trail. B. the security administrator has read-only rights to the audit file. C. date and time stamps are recorded when an action occurs. D. users can amend audit trail records when correcting system errors.

D. Users can amend audit trails when corecting system errors. Answer: D Explanation: An audit trail is not effective if the details in it can be amended.

Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy? A. Users should not leave tokens where they could be stolen B. Users must never keep the token in the same bag as their laptop computer C. Users should select a PIN that is completely random, with no repeating digits D. Users should never write down their PIN

D. Users should never write down their PIN Answer: D Explanation: If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method. Access to the token is of no value with out the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.