Wednesday, 2 March 2016

CISA Question Bank-5




Below are some of the questions collated for easy reference of CISA aspirants. Please note that these questions are easily available from the net and collated domain-wise for easy reference.


1. An IS auditor conducting an access control review in a client-server environment
discovers that all printing options are accessible by all users. In this situation, the IS
auditor is MOST likely to conclude that:
A. exposure is greater, since information is available to unauthorized users.
B. operating efficiency is enhanced, since anyone can print any report at any time.
C. operating procedures are more effective, since information is easily available.
D. user friendliness and flexibility is facilitated, since there is a smooth flow of information
among users.
The correct answer is:
A. exposure is greater, since information is available to unauthorized users.
Explanation:
Information in all its forms needs to be protected from unauthorized access. Unrestricted access
to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in
this situation. Greater control over reports will not be accomplished since reports need not be in a
printed form only. Information could be transmitted outside as electronic files, because print
options allow for printing in an electronic form as well.
.........................................................................................................
2. Security administration procedures require read-only access to:
A. access control tables.
B. security log files.
C. logging options.
D. user profiles.
The correct answer is:
B. security log files.
Explanation:
Security administration procedures require read-only access to security log files to ensure that,
once generated, the logs are not modified. Logs provide evidence and track suspicious
transactions and activities. Security administration procedures require write access to access
control tables to manage and update the privileges according to authorized business
requirements. Logging options require write access to allow the administrator to update the way
the transactions and user activities are monitored, captured, stored, processed and reported.
.........................................................................................................
3. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
The correct answer is:
A. Security awareness training
Explanation:
Social engineering exploits human nature and weaknesses to obtain information and access
privileges. By increasing employee awareness of security issues, it is possible to reduce the
number of successful social engineering incidents. In most cases, social engineering incidents do
not require the physical presence of the intruder. Therefore, increased physical security measures
would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the
organization is subject to monitoring. It does not protect the users from potential security
incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal
traffic patterns.
.........................................................................................................
4. Disabling which of the following would make wireless local area networks more secure
against unauthorized access?
A. MAC (Media Access Control) address filtering
B. WPA (Wi-Fi Protected Access Protocol)
C. LEAP (Lightweight Extensible Authentication Protocol)
D. SSID (service set identifier) broadcasting
The correct answer is:
D. SSID (service set identifier) broadcasting
Explanation:
Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to
find the name of the access point. Disabling MAC address filtering would reduce security. Using
MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch
traffic and forge the MAC address. Disabling WPA reduces security. Using WPA adds security
by encrypting the traffic. Disabling LEAP reduces security. Using LEAP adds security by
encrypting the wireless traffic.
.........................................................................................................
5. During an audit of a telecommunications system, the IS auditor finds that the risk of
intercepting data transmitted to and from remote sites is very high. The MOST effective
control for reducing this exposure is:
A. encryption.
B. callback modems.
C. message authentication.
D. dedicated leased lines.
The correct answer is:
A. encryption.
Explanation:
Encryption of data is the most secure method. The other methods are less secure, with leased
lines being possibly the least secure method.
.........................................................................................................
6. To ensure compliance within security policy requiring that passwords be a combination
of letters and numbers, the IS auditor should recommend that:
A. the company policy be changed.
B. passwords be periodically changed.
C. an automated password management tool be used.
D. security awareness training be delivered.
The correct answer is:
C. an automated password management tool be used.
Explanation:
The use of an automated password management tool is a preventive control measure. The
software would prevent repetition (semantic) and would enforce syntactic rules, thus making the
passwords robust. It would also provide a method for ensuring frequent changes and would
prevent the same user from reusing his/her old password for a designated period of time. Choices
A, B and D do not enforce compliance.
.........................................................................................................
7. The PRIMARY reason for using digital signatures is to ensure data:
A. confidentiality.
B. integrity.
C. availability.
D. timeliness.
The correct answer is:
B. integrity.
Explanation:
Digital signatures provide integrity because the digital signature of a signed message (file, mail,
document, etc.) changes every time a single bit of the document changes; thus, a signed
document cannot be altered. Depending on the mechanism chosen to implement a digital
signature, the mechanism might be able to ensure data confidentiality or even timeliness, but this
is not assured. Availability is not related to digital signatures.
.........................................................................................................
8. Accountability for the maintenance of appropriate security measures over information
assets resides with the:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.
The correct answer is:
C. data and systems owners.
Explanation:
Management should ensure that all information assets (data and systems) have an appointed
owner who makes decisions about classification and access rights. System owners typically
delegate day-to-day custodianship to the systems delivery/operations group and security
responsibilities to a security administrator. Owners, however, remain accountable for the
maintenance of appropriate security measures.
.........................................................................................................
9. During the review of a biometrics system operation, the IS auditor should FIRST review
the stage of:
A. enrollment.
B. identification.
C. verification.
D. storage.
The correct answer is:
A. enrollment.
Explanation:
The users of a biometrics device must first be enrolled in the device. The device captures a
physical or behavioral image of the human, identifies the unique features and uses an algorithm
to convert them into a string of numbers stored as a template to be used in the matching
processes.
.........................................................................................................
10. Which of the following environmental controls is appropriate to protect computer
equipment against short-term reductions in electrical power?
A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply
The correct answer is:
A. Power line conditioners
Explanation:
Power line conditioners are used to compensate for peaks and valleys in the power supply and
reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by
power stored in the equipment. Surge protection devices protect against high-voltage bursts.
Alternative power supplies are intended for computer equipment running for longer periods and
are normally coupled with other devices such as an uninterruptible power supply (UPS) to
compensate for the power loss until the alternate power supply becomes available. An
interruptible power supply would cause the equipment to come down whenever there was a
power failure.
.........................................................................................................
11. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is
routed from the mail gateway, via firewall-2, to the mail recipients in the internal network.
Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the
Internet to the internal network. The intrusion detection system (IDS) detects traffic for the
internal network that did not originate from the mail gateway. The FIRST action triggered
by the IDS should be to:
A. alert the appropriate staff.
B. create an entry in the log.
C. close firewall-2.
D. close firewall-1.
The correct answer is:
C. close firewall-2.
Explanation:
Traffic for the internal network that did not originate from the mail gateway is a sign that
firewall-1 is not functioning properly. This may have been caused by an attack from a hacker.
Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal
network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS
should trigger the closing of firewall-2 either automatically or by manual intervention. Between
the detection by the IDS and a response from the system administrator valuable time can be lost,
in which a hacker could also compromise firewall-2. An entry in the log is valuable for later
analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been
compromised by a hacker, it might not be possible for the IDS to close it.
.........................................................................................................
12. Which of the following message services provides the strongest evidence that a specific
action has occurred?
A. Proof of delivery
B. Nonrepudiation
C. Proof of submission
D. Message origin authentication
The correct answer is:
B. Nonrepudiation
Explanation:
Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation
services are similar to their weaker proof counterparts (i.e., proof of submission, proof of
delivery, and message origin authentication); however, nonrepudiation provides stronger
evidence because the proof can be demonstrated to a third party. Digital signatures are used to
provide nonrepudiation. Message origin authentication will only confirm the source of the
message and does not confirm the specific action that has been completed.
.........................................................................................................
13. The FIRST step in data classification is to:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.
The correct answer is:
A. establish ownership.
Explanation:
Data classification is necessary to define access rules based on a need-to-do and need-to-know
basis. The data owner is responsible for defining the access rules; hence, establishing ownership
is the first step in data classification. The other choices are incorrect. A criticality analysis is
required for protection of data, which takes input from data classification. Access definition is
complete after data classification and input for a data dictionary is prepared from the data
classification process.
.........................................................................................................
14. An IS auditor performing a telecommunication access control review should be
concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system
resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to identify any terminal accessing system
resources.
The correct answer is:
B. authorization and authentication of the user prior to granting access to system
resources.
Explanation:
The authorization and authentication of users is the most significant aspect in a
telecommunications access control review, as it is a preventive control. Weak controls at this
level can affect all other aspects. The maintenance of access logs of usage of system resources is
a detective control. The adequate protection of data being transmitted to and from servers by
encryption or other means is a method of protecting information during transmission and is not
an access issue. The accountability system and the ability to identify any terminal accessing
system resources deal with controlling access through the identification of a terminal.
.........................................................................................................
15. Which of the following concerns associated with the World Wide Web would be
addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. A delay in Internet connectivity
D. A delay in downloading using File Transfer Protocol (FTP)
The correct answer is:
A. Unauthorized access from outside the organization
Explanation:
Firewalls are meant to prevent outsiders from gaining access to an organization's computer
systems through the Internet gateway. They form a barrier with the outside world, but are not
intended to address access by internal users, and are more likely to cause delays than address
such concerns.
.........................................................................................................
16. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
A. Encrypting the hash of the message with the sender's private key and thereafter
encrypting the hash of the message with the receiver's public key
B. The sender digitally signing the message and thereafter encrypting the hash of the
message with the sender's private key
C. Encrypting the hash of the message with the sender's private key and thereafter
encrypting the message with the receiver's public key
D. Encrypting the message with the sender's private key and encrypting the message hash
with the receiver's public key
The correct answer is:
C. Encrypting the hash of the message with the sender's private key and thereafter
encrypting the message with the receiver's public key
Explanation:
To ensure authenticity and confidentiality, a message must be encrypted twice—first with the
sender's private key and second with the receiver's public key. The receiver can decrypt the
message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be
decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the
message with the sender's private key enables anyone to decrypt it.
.........................................................................................................
17. The IS management of a multinational company is considering upgrading its existing
virtual private network (VPN) to support voice-over IP (VoIP) communications via
tunneling. Which of the following considerations should be PRIMARILY addressed?
A. Reliability and quality of service (QoS)
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions
The correct answer is:
A. Reliability and quality of service (QoS)
Explanation:
The company currently has a VPN, hence, issues such as authentication and confidentiality have
been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the
VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.
.........................................................................................................
18. When conducting a penetration test of an organization's internal network, which of the
following approaches would BEST enable the conductor of the test to remain undetected on
the network?
A. Use the IP address of an existing file server or domain controller.
B. Pause the scanning every few minutes to allow thresholds to reset.
C. Conduct the scans during evening hours when no one is logged-in.
D. Use multiple scanning tools since each tool has different characteristics.
The correct answer is:
B. Pause the scanning every few minutes to allow thresholds to reset.
Explanation:
Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding
thresholds that may trigger alert messages to the network administrator. Using the IP address of a
server would result in an address contention that would attract attention. Conducting scans after
hours would increase the chance of detection, since there would be less traffic to conceal one's
activities. Using different tools could increase the likelihood that one of them would be detected
by an intrusion detection system.
.........................................................................................................
19. A virtual private network (VPN) provides data confidentiality by using:
A. Secure Sockets Layer (SSL)
B. Tunnelling
C. Digital signatures
D. Phishing
The correct answer is:
B. Tunnelling
Explanation:
VPNs secure data in transit by encapsulating traffic, a process known as tunnelling. SSL is a
symmetric method of encryption between a server and a browser. Digital signatures are not used
in the VPN process, and phishing is a form of a social engineering attack.
.........................................................................................................
20. Which of the following is the MOST effective technique for providing security during
data transmission?
A. Communication log
B. Systems software log
C. Encryption
D. Standard protocol
The correct answer is:
C. Encryption
Explanation:
Encryption provides security for data during transmission. The other choices do not provide
protection during data transmission.
.........................................................................................................
21. During an audit of an enterprise that is dedicated to e-commerce, the IS manager states
that digital signatures are used when receiving communications from customers. To
substantiate this, the IS auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer's public key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. The customer's scanned signature encrypted with the customer's public key
The correct answer is:
B. A hash of the data that is transmitted and encrypted with the customer's private key
Explanation:
The calculation of a hash or digest of the data that are transmitted and its encryption require the
public key of the client (receiver) and are called a signature of the message or digital signature.
The receiver performs the same process and then compares the received hash, once it has been
decrypted with his/her private key, to the hash that he/she calculates with the received data. If
they are the same, the conclusion would be that there is integrity in the data that have arrived and
the origin is authenticated. The concept of encrypting the hash with the private key of the
originator provides nonrepudiation, as it can only be decrypted with their public key and, as the
CD suggests, the private key would not be known to the recipient. Simply put, in a key-pair
situation, anything that can be decrypted by a sender's public key must have been encrypted with
his/her private key, so he/she must have been the sender, i.e., nonrepudiation. Choice C is wrong
because, if this were the case, the hash could not be decrypted by the recipient, so the benefit of
nonrepudiation would be lost and there could be no verification that the message had not been
intercepted and amended. A digital signature is created by encrypting with one's private key. The
person creating the signature uses his/her own private key; otherwise everyone would be able to
create a signature with any public key. Therefore, the signature of the client is created with the
client's private key, and this can be verified—by the enterprise—using the client's public key.
Choice B is the correct answer because, in this case, the customer uses his/her private key to sign
the hash data.
.........................................................................................................
22. An information security policy stating that "the display of passwords must be masked
or suppressed" addresses which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
The correct answer is:
C. Shoulder surfing
Explanation:
If a password is displayed on a monitor, any person nearby could "look over the shoulder" of the
user to obtain the password. Piggybacking refers to unauthorized persons following, either
physically or virtually, authorized persons into restricted areas. Masking the display of
passwords would not prevent someone from tailgating an authorized person. This policy only
refers to "the display of passwords." If the policy referred to "the display and printing of
passwords" then it would address shoulder surfing and dumpster diving (looking through an
organization's trash for valuable information). Impersonation refers to someone acting as an
employee in an attempt to retrieve desired information.
.........................................................................................................
23. Which of the following should be a concern to an IS auditor reviewing a wireless
network?
A. 128-bit-static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B. SSID (Service Set IDentifier) broadcasting has been enabled.
C. Antivirus software has been installed in all wireless clients.
D. MAC (Media Access Control) access control filtering has been deployed.
The correct answer is:
B. SSID (Service Set IDentifier) broadcasting has been enabled.
Explanation:
SSID broadcasting allows a user to browse for available wireless networks and to access them
without authorization. Choices A, C and D are used to strengthen a wireless network.
.........................................................................................................
24. Validated digital signatures in an e-mail software application will:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. significantly reduce available bandwidth.
The correct answer is:
A. help detect spam.
Explanation:
Validated electronic signatures are based on qualified certificates that are created by a
certification authority (CA) with the technical standards required to ensure the key can neither be
forced nor reproduced in a reasonable time. Such certificates are only delivered through a
registration authority (RA) after a proof of identity has been passed. Using strong signatures in e-mail
traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can
configure their e-mail server or client to automatically delete mails from specific senders. For
confidentiality issues, one must use encryption, not a signature, although both methods can be
based on qualified certificates. Without any filters directly applied on mail gateway servers to
block traffic without strong signatures, the workload will not increase. Using filters directly on a
gateway server will result in an overhead less than antivirus software imposes. Digital signatures
are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check
CRLs, there is little overhead.
.........................................................................................................
25. The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
A. only the sender and receiver are able to encrypt/decrypt the data.
B. the sender and receiver can authenticate their respective identities.
C. the alteration of transmitted data can be detected.
D. the ability to identify the sender by generating a one-time session key.
The correct answer is:
A. only the sender and receiver are able to encrypt/decrypt the data.
Explanation:
SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its
confidentiality. Although SSL allows the exchange of X509 certificates to provide for
identification and authentication, this feature along with choices C and D are not the primary
objectives.
.........................................................................................................
26. If inadequate, which of the following would be the MOST likely contributor to a
denial-of-service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques
The correct answer is:
A. Router configuration and rules
Explanation:
Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks.
Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and
review techniques are applied after the fact.
.........................................................................................................
27. The MOST important difference between hashing and encryption is that hashing:
A. is irreversible.
B. output is the same length as the original message.
C. is concerned with integrity and security.
D. is the same at the sending and receiving end.
The correct answer is:
A. is irreversible.
Explanation:
Hashing works one way. By applying a hashing algorithm to a message, a message hash/digest is
created. If the same hashing algorithm is applied to the message digest, it will not result in the
original message. As such, hashing is irreversible, while encryption is reversible. This is the
basic difference between hashing and encryption. Hashing creates an output that is smaller than
the original message, and encryption creates an output of the same length as the original
message. Hashing is used to verify the integrity of the message and does not address security.
The same hashing algorithm is used at the sending and receiving ends to generate and verify the
message hash/digest. Encryption will not necessarily use the same algorithm at the sending and
receiving end to encrypt and decrypt.
.........................................................................................................
28. Which of the following encrypt/decrypt steps provides the GREATEST assurance of
achieving confidentiality, message integrity and nonrepudiation by either sender or
recipient?
A. The recipient uses his/her private key to decrypt the secret key.
B. The encrypted prehash code and the message are encrypted using a secret key.
C. The encrypted prehash code is derived mathematically from the message to be sent.
D. The recipient uses the sender's public key, verified with a certificate authority, to
decrypt the prehash code.
The correct answer is:
D. The recipient uses the sender's public key, verified with a certificate authority, to
decrypt the prehash code.
Explanation:
Most encrypted transactions use a combination of private keys, public keys, secret keys, hash
functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation
by either sender or recipient. The recipient uses the sender's public key to decrypt the prehash
code into a posthash code, which when equaling the prehash code, verifies the identity of the
sender and that the message has not been changed en route; this would provide the greatest
assurance. Each sender and recipient has a private key known only to him/her and a public key,
which can be known by anyone. Each encryption/decryption process requires at least one public
key and one private key and both must be from the same party. A single, secret key is used to
encrypt the message, because secret key encryption requires less processing power than using
public and private keys. A digital certificate, signed by a certificate authority, validates senders'
and recipients' public keys.
.........................................................................................................
29. When planning an audit of a network setup, the IS auditor should give highest priority
to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users' lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures
The correct answer is:
A. Wiring and schematic diagram
Explanation:
The wiring and schematic diagram of the network is necessary to carry out a network audit. A
network audit may not be feasible if a network wiring and schematic diagram is not available.
All other documents are important but not necessary.
.........................................................................................................
30. For a discretionary access control to be effective, it must:
A. operate within the context of mandatory access controls.
B. operate independently of mandatory access controls.
C. enable users to override mandatory access controls when necessary.
D. be specifically permitted by the security policy.
The correct answer is:
A. operate within the context of mandatory access controls.
Explanation:
Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden.
Only within this context do discretionary controls operate, prohibiting still more access with the
same exclusionary principle. When systems enforce mandatory access control policies, they must
distinguish between these and the mandatory access policies that offer more flexibility.
Discretionary controls do not override access controls and they do not have to be permitted in the
security policy to be effective.
.........................................................................................................
31. Which of the following would be of MOST concern to an IS auditor reviewing a VPN
implementation? Computers on the network that are located:
A. on the enterprise's facilities.
B. at the backup site.
C. in employees' homes.
D. at the enterprise's remote offices.
The correct answer is:
C. in employees' homes.
Explanation:
One risk of a VPN implementation is the chance of allowing high-risk computers onto the
enterprise's network. All machines that are allowed onto the virtual network should be subject to
the same security policy. Home computers are least subject to the corporate security policies and,
hence, are high-risk computers. Once a computer is hacked and "owned," any network that trusts
that computer is at risk. Implementation and adherence to corporate security policy is easier
when all computers on the network are on the enterprise's campus. Internally to an enterprise's
physical network, there should be security policies in place to detect and halt an outside attack
that uses an internal machine as a staging platform. Computers at the backup site are subject to
the corporate security policy and, hence, are not high-risk computers. Computers on the network
that are at the enterprise's remote offices, perhaps with different IS and security employees who
have different ideas about security, are more risky than choices A and B, but obviously less risky
than home computers.
.........................................................................................................
32. An organization can ensure that the recipients of e-mails from its employees can
authenticate the identity of the sender by:
A. digitally signing all e-mail messages.
B. encrypting all e-mail messages.
C. compressing all e-mail messages.
D. password protecting all e-mail messages.
The correct answer is:
A. digitally signing all e-mail messages.
Explanation:
By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of
the sender. Encrypting all e-mail messages would ensure that only the intended recipient will be
able to open the message; however, it would not ensure the authenticity of the sender.
Compressing all e-mail messages would reduce the size of the message, but would not ensure the
authenticity. Password protecting all e-mail messages would ensure that only those who have the
password would be able to open the message; however, it would not ensure the authenticity of
the sender.
.........................................................................................................
33. Which of the following is a general operating system access control function?
A. Creating database profiles
B. Verifying user authorization at a field level
C. Creating individual accountability
D. Logging database access activities for monitoring access violation
The correct answer is:
C. Creating individual accountability
Explanation:
Creating individual accountability is the function of the general operating system. Creating
database profiles, verifying user authorization at a field level and logging database access
activities for monitoring access violations are all database-level access control functions.
.........................................................................................................
34. Electromagnetic emissions from a terminal represent an exposure because they:
A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.
The correct answer is:
D. can be detected and displayed.
Explanation:
Emissions can be detected by sophisticated equipment and displayed, thus giving unauthorized
persons access to data (the TEMPEST family of standards addresses this exposure). They should
not cause disruption of CPUs or affect noise pollution.
.........................................................................................................
35. To detect attack attempts that the firewall is unable to recognize, the IS auditor should
recommend placing a network intrusion detection system (IDS) between the:
A. firewall and the organization's network.
B. Internet and the firewall.
C. Internet and the web server.
D. web server and the firewall.
The correct answer is:
A. firewall and the organization's network.
Explanation:
Attack attempts that the firewall could not recognize will be detected if a network-based
intrusion detection system is placed between the firewall and the organization's network, because
only traffic that has actually passed the firewall reaches that sensor. A network-based IDS placed
between the Internet and the firewall will alert on every attack attempt, whether or not the
firewall blocks it, so it cannot tell the auditor which attempts got through; it is useful for
measuring the threat level, not for finding gaps in the firewall.
.........................................................................................................
36. Which of the following is BEST suited for secure communications within a small
group?
A. Key distribution center
B. Certification authority
C. Web of trust
D. Kerberos
The correct answer is:
C. Web of trust
Explanation:
A web of trust is a key distribution method suitable for communication within a small group; it is
the model used by Pretty Good Privacy (PGP), in which users sign one another's public keys and
distribute them within the group with no central authority. A key distribution center (KDC) is
suited to internal communication within a large group in an institution, and it distributes a
symmetric key for each session. A certification authority (CA) is a trusted third party that
vouches for the identity of the certificate owner; this is needed for large groups and formal
communication. The Kerberos authentication system extends the function of a KDC by issuing
"tickets" that define which facilities on networked machines each user may access.
.........................................................................................................
37. An IS auditor doing penetration testing during an audit of Internet connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.
The correct answer is:
D. use tools and techniques that are available to a hacker.
Explanation:
Penetration testing is a technique used to mimic an experienced hacker attacking a live site by
using tools and techniques available to a hacker. The other choices are procedures that an IS
auditor would consider undertaking during an audit of Internet connections, but are not aspects
of penetration testing techniques.
.........................................................................................................
38. E-mail message authenticity and confidentiality is BEST achieved by signing the
message using the:
A. sender's private key and encrypting the message using the receiver's public key.
B. sender's public key and encrypting the message using the receiver's private key.
C. receiver's private key and encrypting the message using the sender's public key.
D. receiver's public key and encrypting the message using the sender's private key.
The correct answer is:
A. sender's private key and encrypting the message using the receiver's public key.
Explanation:
By signing the message with the sender's private key, the receiver can verify its authenticity
using the sender's public key. By encrypting the message with the receiver's public key, only the
receiver can decrypt the message using his/her own private key. The receiver's private key is
confidential and, therefore, unknown to the sender. Messages encrypted using the sender's
private key can be read by anyone (with the sender's public key).
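The sign-then-encrypt exchange in choice A of question 38 (and the signing step alone answers question 32), as an added example in Go that is not part of the original question bank: the sender signs with an Ed25519 private key and the message is encrypted for the receiver with RSA-OAEP. The party names Alice, Bob and Eve, the key sizes and the purchase-order text are assumptions for illustration. Real mail systems (S/MIME, PGP) apply the public-key encryption to a random symmetric content key rather than to the message body, which is why the message here has to be short.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels: ciphertext only the receiver can open and a
// signature over the plaintext that only the sender could have produced.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal signs msg with the sender's private key, then encrypts msg for the
// receiver's public key (RSA-OAEP with SHA-256; a 2048-bit key bounds the
// message to 190 bytes, hence the hybrid scheme real mail systems use).
func Seal(senderPriv ed25519.PrivateKey, receiverPub *rsa.PublicKey, msg []byte) (Envelope, error) {
	sig := ed25519.Sign(senderPriv, msg)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the receiver's private key, then checks the signature
// with the claimed sender's public key; failure of either step rejects it.
func Open(receiverPriv *rsa.PrivateKey, senderPub ed25519.PublicKey, env Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if !ed25519.Verify(senderPub, msg, env.Signature) {
		return nil, errors.New("signature check failed: altered or not from the claimed sender")
	}
	return msg, nil
}

// RoundTripDemo uses hypothetical parties Alice (sender), Bob (receiver) and
// Eve (attacker) and reports: the clean exchange works, a message Eve sends
// in Alice's name is rejected, and Eve cannot read Alice's mail to Bob.
func RoundTripDemo() (clean, forgeryRejected, outsiderRejected bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, evePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	bobKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	eveKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}

	msg := []byte("PO 4471: release payment to vendor 8812") // constructed sample
	env, err := Seal(alicePriv, &bobKey.PublicKey, msg)
	if err != nil {
		return
	}
	got, err := Open(bobKey, alicePub, env)
	if err != nil {
		return
	}
	clean = bytes.Equal(got, msg)

	// Eve can encrypt for Bob like anyone else, but cannot sign as Alice.
	forged, err := Seal(evePriv, &bobKey.PublicKey, []byte("PO 4471: release payment to vendor 6660"))
	if err != nil {
		return
	}
	_, openErr := Open(bobKey, alicePub, forged)
	forgeryRejected = openErr != nil

	// Eve intercepts Alice's envelope but holds the wrong private key.
	_, openErr = Open(eveKey, alicePub, env)
	outsiderRejected = openErr != nil
	return
}

func main() {
	clean, forgery, outsider, err := RoundTripDemo()
	fmt.Println("clean:", clean, "forgery rejected:", forgery, "outsider rejected:", outsider, "err:", err)
}
```

The order matters for the auditor's question: the signature is computed over the plaintext and checked only after decryption, so the receiver learns both that the content is intact and who produced it, while a third party who captures the envelope learns neither.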
.........................................................................................................
39. Which of the following is the MOST effective type of antivirus software?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines
The correct answer is:
C. Integrity checkers
Explanation:
Integrity checkers compute a binary number on a known virus-free program that is then stored in
a database file. The number is called a cyclical redundancy check (CRC). When that program is
called to execute, the checker computes the CRC on the program about to be executed and
compares it to the number in the database. A match means no infection; a mismatch means that a
change in the program has occurred. A change in the program could mean a virus. Scanners look
for sequences of bits called signatures that are typical of virus programs. They examine memory,
disk boot sectors, executables and command files for bit patterns that match a known virus.
Therefore, scanners need to be updated periodically to remain effective. Active monitors
interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions.
Active monitors can be misleading, because they cannot distinguish between a user request and a
program or virus request. As a result, users are asked to confirm actions like formatting a disk or
deleting a file or set of files. Vaccines (immunizers) are also effective antivirus software;
however, like scanners, they need to be updated periodically to remain effective.
.........................................................................................................
40. Which of the following encryption techniques will BEST protect a wireless network
from a man-in-the-middle attack?
A. 128-bit wired equivalent privacy (WEP)
B. MAC-based pre-shared key (PSK)
C. Randomly generated pre-shared key (PSK)
D. Alphanumeric service set identifier (SSID)
The correct answer is:
C. Randomly generated pre-shared key (PSK)
Explanation:
A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a
computer is fixed and is transmitted in the clear, so it is accessible to anyone within radio range
and would let an attacker derive the key. WEP has been shown to be a very weak encryption
technique; its key can be recovered from captured traffic within minutes. The SSID is a network
name broadcast in plaintext, not an encryption technique, and provides no protection at all.
.........................................................................................................
41. Which of the following append themselves to files as a protection against viruses?
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers
D. Active monitors
The correct answer is:
C. Immunizers
Explanation:
Immunizers defend against viruses by appending sections of themselves to files. They
continuously check the file for changes and report changes as possible viral behavior. Behavior
blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or
the master boot record, or making changes to executable files. Cyclical redundancy checkers
compute a binary number on a known virus-free program that is then stored in a database file.
When that program is subsequently called to be executed, the checkers look for changes to the
files, compare it to the database and report possible infection if changes have occurred. Active
monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like
actions.
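Added example (Go, not from the question bank) of the integrity checker described in questions 39 and 41, with a caveat the explanations leave out: a CRC is a linear error-detecting code, not a cryptographic hash, so malware that has infected a file can append four chosen bytes and restore the original CRC, after which "a match means no infection" no longer holds. The program images, file names and virus body below are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"hash/crc32"
)

var ieee = crc32.MakeTable(crc32.IEEE)

// Baseline records the CRC-32 of every known-clean program image, which is
// what a classic integrity checker keeps in its database.
func Baseline(programs map[string][]byte) map[string]uint32 {
	db := make(map[string]uint32, len(programs))
	for name, image := range programs {
		db[name] = crc32.Checksum(image, ieee)
	}
	return db
}

// Check returns the names whose current CRC-32 no longer matches the
// baseline, or that the baseline has never seen.
func Check(db map[string]uint32, programs map[string][]byte) []string {
	var flagged []string
	for name, image := range programs {
		want, known := db[name]
		if !known || crc32.Checksum(image, ieee) != want {
			flagged = append(flagged, name)
		}
	}
	return flagged
}

// ForgeCRC32 returns four bytes that, appended to data, make its CRC-32
// equal target. Because CRC is linear, this is a table walk, not a search.
func ForgeCRC32(data []byte, target uint32) []byte {
	reg := crc32.Checksum(data, ieee) ^ 0xFFFFFFFF // CRC register after data
	want := target ^ 0xFFFFFFFF                    // register we must reach

	// Backwards: the top byte of each state pins down the table index that
	// produced it, which in turn exposes the previous state's top byte.
	var idx [4]byte
	cur := want
	for i := 3; i >= 0; i-- {
		for k := 0; k < 256; k++ {
			if ieee[k]>>24 == cur>>24 {
				idx[i] = byte(k)
				cur = (cur ^ ieee[k]) << 8
				break
			}
		}
	}
	// Forwards from the fully known register: turn indices into bytes.
	patch := make([]byte, 4)
	for i := 0; i < 4; i++ {
		patch[i] = byte(reg) ^ idx[i]
		reg = ieee[idx[i]] ^ (reg >> 8)
	}
	return patch
}

// Demo runs the checker against a careless change (flagged) and a
// CRC-forging infection (not flagged), then shows SHA-256 still differs.
func Demo() (honestFlagged, forgedFlagged []string, shaDiffers bool) {
	clean := map[string][]byte{ // constructed stand-ins for program images
		"payroll.exe": []byte("MZ\x90\x00 constructed clean image of payroll.exe"),
		"backup.exe":  []byte("MZ\x90\x00 constructed clean image of backup.exe"),
	}
	db := Baseline(clean)

	patched := append([]byte(nil), clean["payroll.exe"]...)
	patched[10] ^= 0x01
	honestFlagged = Check(db, map[string][]byte{"payroll.exe": patched, "backup.exe": clean["backup.exe"]})

	infected := append(append([]byte(nil), clean["payroll.exe"]...), "<constructed virus body>"...)
	infected = append(infected, ForgeCRC32(infected, db["payroll.exe"])...)
	forgedFlagged = Check(db, map[string][]byte{"payroll.exe": infected, "backup.exe": clean["backup.exe"]})

	shaDiffers = sha256.Sum256(clean["payroll.exe"]) != sha256.Sum256(infected)
	return
}

func main() {
	honest, forged, sha := Demo()
	fmt.Println("careless change flagged:", honest, "forged infection flagged:", forged, "sha256 differs:", sha)
}
```

The practical lessons for an auditor: an integrity checker should key its baseline on a cryptographic hash (or an HMAC, if the database itself could be tampered with), and the baseline must be stored where the code it protects cannot rewrite it.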
.........................................................................................................
42. Transmitting redundant information with each character or frame to facilitate
detection and correction of errors is called a:
A. feedback error control.
B. block sum check.
C. forward error control.
D. cyclic redundancy check.
The correct answer is:
C. forward error control.
Explanation:
Forward error control involves transmitting additional redundant information with each character
or frame to facilitate detection and correction of errors. In feedback error control, only enough
additional information is transmitted so the receiver can identify that an error has occurred.
Choices B and D are both error detection methods but not error correction methods. Block sum
check is an extension of parity check wherein an additional set of parity bits is computed for a
block of characters. A cyclic redundancy check is a technique wherein a single set of check
digits is generated, based on the contents of the frame, for each frame transmitted.
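Forward versus feedback error control, as an added Go example that is not part of the original page: a Hamming(7,4) code carries enough redundancy for the receiver to locate and repair a single flipped bit per codeword, whereas a CRC-32 trailer lets the receiver see only that the frame is damaged and must be re-requested. The frame contents and the error pattern are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
)

// EncodeHamming74 maps the low 4 bits of nibble onto a 7-bit codeword.
// Bit index i holds code position i+1; parity bits sit at positions 1, 2
// and 4, data bits d1..d4 at positions 3, 5, 6 and 7.
func EncodeHamming74(nibble byte) byte {
	d1, d2, d3, d4 := (nibble>>3)&1, (nibble>>2)&1, (nibble>>1)&1, nibble&1
	p1 := d1 ^ d2 ^ d4 // covers positions 1,3,5,7
	p2 := d1 ^ d3 ^ d4 // covers positions 2,3,6,7
	p4 := d2 ^ d3 ^ d4 // covers positions 4,5,6,7
	return p1 | p2<<1 | d1<<2 | p4<<3 | d2<<4 | d3<<5 | d4<<6
}

// DecodeHamming74 recomputes the parity checks; their pattern (the
// syndrome) is the 1-based position of a single flipped bit, which is
// repaired. corrected is 0 when the codeword arrived intact.
func DecodeHamming74(code byte) (nibble byte, corrected int) {
	bit := func(pos int) byte { return (code >> (pos - 1)) & 1 }
	s1 := bit(1) ^ bit(3) ^ bit(5) ^ bit(7)
	s2 := bit(2) ^ bit(3) ^ bit(6) ^ bit(7)
	s4 := bit(4) ^ bit(5) ^ bit(6) ^ bit(7)
	if syndrome := int(s1) | int(s2)<<1 | int(s4)<<2; syndrome != 0 {
		code ^= 1 << (syndrome - 1)
		corrected = syndrome
	}
	return bit(3)<<3 | bit(5)<<2 | bit(6)<<1 | bit(7), corrected
}

// EncodeFEC sends each byte as two Hamming codewords (forward error control).
func EncodeFEC(data []byte) []byte {
	out := make([]byte, 0, 2*len(data))
	for _, b := range data {
		out = append(out, EncodeHamming74(b>>4), EncodeHamming74(b&0x0F))
	}
	return out
}

// DecodeFEC rebuilds the bytes and counts how many codewords it repaired.
func DecodeFEC(coded []byte) (data []byte, corrections int) {
	for i := 0; i+1 < len(coded); i += 2 {
		hi, f1 := DecodeHamming74(coded[i])
		lo, f2 := DecodeHamming74(coded[i+1])
		if f1 != 0 {
			corrections++
		}
		if f2 != 0 {
			corrections++
		}
		data = append(data, hi<<4|lo)
	}
	return
}

// FrameWithCRC appends a CRC-32 trailer: enough to detect damage, not to
// repair it, so the receiver must ask for a resend (feedback error control).
func FrameWithCRC(payload []byte) []byte {
	frame := make([]byte, len(payload)+4)
	copy(frame, payload)
	binary.BigEndian.PutUint32(frame[len(payload):], crc32.ChecksumIEEE(payload))
	return frame
}

// VerifyFrame returns the payload and whether its trailer matched.
func VerifyFrame(frame []byte) ([]byte, bool) {
	if len(frame) < 4 {
		return nil, false
	}
	payload, trailer := frame[:len(frame)-4], frame[len(frame)-4:]
	return payload, binary.BigEndian.Uint32(trailer) == crc32.ChecksumIEEE(payload)
}

// ChannelDemo flips one bit in every Hamming codeword (all repaired) and one
// bit in a CRC-protected copy of the same frame (only reported).
func ChannelDemo() (fecRecovered bool, fecCorrections int, crcDetected bool) {
	payload := []byte("ACK seq=17") // constructed sample frame
	coded := EncodeFEC(payload)
	for i := range coded {
		coded[i] ^= 1 << (i % 7)
	}
	got, fixes := DecodeFEC(coded)
	fecRecovered, fecCorrections = bytes.Equal(got, payload), fixes

	frame := FrameWithCRC(payload)
	frame[3] ^= 0x08
	_, ok := VerifyFrame(frame)
	crcDetected = !ok
	return
}

func main() {
	ok, fixes, detected := ChannelDemo()
	fmt.Println("FEC recovered:", ok, "codewords repaired:", fixes, "CRC detected damage:", detected)
}
```

Hamming(7,4) corrects one error per codeword and nothing more; two flipped bits in the same codeword are miscorrected, which is why practical links combine a forward code with a CRC over the whole frame.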
.........................................................................................................
43. Which of the following is a technique that could be used to capture network user
passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction
The correct answer is:
B. Sniffing
Explanation:
Sniffing is an attack that can be used to capture sensitive pieces of information (password)
passing through the network. Encryption is a method of scrambling information to prevent
unauthorized individuals from understanding the transmission. Spoofing is forging an address
and inserting it into a packet to disguise the origin of the communication. Data destruction is
erasing information or removing it from its original location.
.........................................................................................................
44. Which of the following implementation modes would provide the GREATEST amount
of security for outbound data connecting to the Internet?
A. Transport mode with authentication header (AH) plus encapsulating security payload
(ESP)
B. Secure Sockets Layer (SSL) mode
C. Tunnel mode with AH plus ESP
D. Triple-DES encryption mode
The correct answer is:
C. Tunnel mode with AH plus ESP
Explanation:
Tunnel mode provides protection to the entire IP packet, including the original header, by
encapsulating it in a new packet; to accomplish this, the AH and ESP services can be nested.
Transport mode protects primarily the higher layers, extending protection only to the data field
(payload) of an IP packet. SSL provides security to the higher communication layers (transport
layer and above) for a single application session. Triple DES is an encryption algorithm that
provides only confidentiality; it is not an implementation mode. In practice, AH cannot pass
through network address translation because it authenticates the IP header, so many deployments
rely on ESP's own integrity protection rather than nesting AH.
.........................................................................................................
45. When a PC that has been used for the storage of confidential data is sold on the open
market, the:
A. hard disk should be demagnetized.
B. hard disk should be mid-level formatted.
C. data on the hard disk should be deleted.
D. data on the hard disk should be defragmented.
The correct answer is:
A. hard disk should be demagnetized.
Explanation:
The hard disk should be demagnetized (degaussed), since this destroys the magnetic patterns that
encode the data, eliminating any chance of retrieving information that was previously stored on
the disk. A mid-level format does not delete information from the hard disk; it only resets the
directory pointers. While deleting data removes the pointer to the file, the data remains in place,
so with the proper tools the information can be retrieved. Defragmenting the disk does not delete
information, but simply moves it around to make it more efficient to access. In practice,
degaussing renders most modern drives unusable and does nothing for solid-state storage, so where
the drive must still work after sale, a verified full overwrite or the drive's built-in secure-erase
command (see NIST SP 800-88) is the usual alternative.
.........................................................................................................
46. Which of the following would BEST maintain the confidentiality of data transmitted
over a network?
A. Data are encrypted before transmission.
B. A hash is appended to all messages.
C. Network devices are hardened.
D. Cables are secured.
The correct answer is:
A. Data are encrypted before transmission.
Explanation:
Encrypted data cannot be read even when intercepted. Choices B, C and D do not protect
confidentiality, because the message itself is still readable: a hash supports integrity, not
secrecy; hardening, the process of removing unneeded services and tightening a system's
configuration, protects the device rather than the data in transit; and securing cables does not
stop interception elsewhere on the path.
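Added Go example, not from the question bank, tying question 43 to question 46: a minimal sniffer that pulls credentials out of reassembled application payloads, run first over two constructed captures in the clear (HTTP Basic, which only base64-encodes the password, and a POP3-style USER/PASS pair) and then over the same payloads after AES-256-GCM encryption under a session key. The host name, user names and passwords are made up.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
	"strings"
)

// Credential is one secret a passive sniffer lifts from a captured payload.
type Credential struct{ Proto, User, Pass string }

// ExtractCredentials does what a password sniffer does with reassembled
// TCP payloads: it simply reads them. HTTP Basic base64-encodes user:pass
// (encoding, not encryption); POP3 and FTP send USER and PASS as commands.
func ExtractCredentials(payloads [][]byte) []Credential {
	var found []Credential
	for _, p := range payloads {
		var user string
		for _, line := range strings.Split(string(p), "\r\n") {
			switch {
			case strings.HasPrefix(line, "Authorization: Basic "):
				raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(line, "Authorization: Basic "))
				if err != nil {
					continue
				}
				if i := strings.IndexByte(string(raw), ':'); i >= 0 {
					found = append(found, Credential{"http-basic", string(raw[:i]), string(raw[i+1:])})
				}
			case strings.HasPrefix(line, "USER "):
				user = strings.TrimPrefix(line, "USER ")
			case strings.HasPrefix(line, "PASS ") && user != "":
				found = append(found, Credential{"user-pass", user, strings.TrimPrefix(line, "PASS ")})
				user = ""
			}
		}
	}
	return found
}

// SealPayload is the countermeasure from question 46: AES-256-GCM under a
// session key, so the wire carries only nonce || ciphertext || tag.
func SealPayload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SniffDemo runs the sniffer over two constructed captures, first as sent
// in the clear and then after encryption, and counts what it recovers.
func SniffDemo() (inClear, encrypted int, err error) {
	captures := [][]byte{ // constructed application payloads
		[]byte("GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic " +
			base64.StdEncoding.EncodeToString([]byte("alice:Winter2016!")) + "\r\n\r\n"),
		[]byte("USER bob\r\nPASS hunter2\r\nSTAT\r\n"),
	}
	inClear = len(ExtractCredentials(captures))

	key := make([]byte, 32) // session key; real protocols derive it from a handshake
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return
	}
	var onWire [][]byte
	for _, c := range captures {
		sealed, e := SealPayload(key, c)
		if e != nil {
			err = e
			return
		}
		onWire = append(onWire, sealed)
	}
	encrypted = len(ExtractCredentials(onWire))
	return
}

func main() {
	plain, enc, err := SniffDemo()
	fmt.Printf("credentials sniffed: cleartext=%d encrypted=%d err=%v\n", plain, enc, err)
}
```

GCM also authenticates the ciphertext, so an attacker on the path cannot splice or modify frames without detection; the nonce must never repeat under the same key, which is why it is generated fresh for every payload here.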
.........................................................................................................
47. What method might an IS auditor utilize to test wireless security at branch office
locations?
A. War dialing
B. Social engineering
C. War driving
D. Password cracking
The correct answer is:
C. War driving
Explanation:
War driving is a technique for locating and gaining access to wireless networks by driving or
walking with a wireless equipped computer around a building. War dialing is a technique for
gaining access to a computer or a network through the dialing of defined blocks of telephone
numbers, with the hope of getting an answer from a modem. Social engineering is a technique
used to gather information that can assist an attacker in gaining logical or physical access to data
or resources. Social engineering exploits human weaknesses. Password crackers are tools used to
guess users' passwords by trying combinations and dictionary words.
.........................................................................................................
48. The review of router access control lists should be conducted during a(n):
A. environmental review.
B. network security review.
C. business continuity review.
D. data integrity review.
The correct answer is:
B. network security review.
Explanation:
Network security reviews include reviewing router access control lists, port scanning, internal
and external connections to the system, etc. Environmental reviews, business continuity reviews
and data integrity reviews do not require a review of the router access control lists.
.........................................................................................................
49. The feature of a digital signature that ensures the sender cannot later deny generating
and sending the message is:
A. data integrity.
B. authentication.
C. nonrepudiation.
D. replay protection.
The correct answer is:
C. nonrepudiation.
Explanation:
All of the above are features of a digital signature. Nonrepudiation ensures that the claimed
sender cannot later deny generating and sending the message. Data integrity means that any change
to the plaintext message results in the recipient failing to compute the same message hash as the
one that was signed. Since only the claimed sender holds the private key, authentication ensures
that the message was sent by the claimed sender. Replay protection is a method (for example, a
sequence number or timestamp included in the signed data) that a recipient can use to check that
the message was not intercepted and replayed.
.........................................................................................................
50. An IS auditor reviewing wireless network security determines that the Dynamic Host
Configuration Protocol is disabled at all wireless access points. This practice:
A. reduces the risk of unauthorized access to the network.
B. is not suitable for small networks.
C. automatically provides an IP address to anyone.
D. increases the risks associated with Wired Equivalent Privacy (WEP).
The correct answer is:
A. reduces the risk of unauthorized access to the network.
Explanation:
Dynamic Host Configuration Protocol (DHCP) automatically assigns an IP address to any device that
connects to the network. With DHCP disabled, static IP addresses must be used; an unauthorized
device then has to discover a valid address and risks address contention with existing devices on
the network, which represents less risk. Choice B is incorrect because DHCP is suitable for small
networks. Choice C is incorrect because DHCP does not provide IP addresses when it is disabled.
Choice D is incorrect because disabling DHCP makes it slightly more difficult, not easier, to
exploit the well-known weaknesses in WEP. An auditor should treat this as a minor hurdle rather
than a real control: an attacker who can sniff the wireless traffic can read the addressing in use
and configure a matching static address.
.........................................................................................................
51. Which of the following physical access controls would provide the highest degree of
security over unauthorized access?
A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner
The correct answer is:
D. Fingerprint scanner
Explanation:
All are physical access controls designed to protect the organization from unauthorized access.
However, biometric door locks, such as a fingerprint scanner, provide advantages, since they are
harder to duplicate, easier to deactivate and individually identified. Biometric door locks, using
an individual's unique body features, are used for access when extremely sensitive facilities must
be protected.
.........................................................................................................
52. A hacker could obtain passwords without the use of computer tools or programs
through the technique of:
A. social engineering.
B. sniffers.
C. back doors.
D. Trojan horses.
The correct answer is:
A. social engineering.
Explanation:
Social engineering is based on the divulgence of private information through dialogues,
interviews, inquiries, etc., in which a user may be indiscreet regarding his/her or other's personal
data. A sniffer is a computer tool to monitor the traffic in networks. Back doors are computer
programs left by hackers to exploit vulnerabilities. Trojan horses are computer programs that
pretend to supplant a real program; thus, the functionality of the program is not authorized and is
usually malicious in nature.
.........................................................................................................
53. A MAJOR risk of using single sign-on (SSO) is that it:
A. has a single authentication point.
B. represents a single point of failure.
C. causes an administrative bottleneck.
D. leads to a lockout of valid users.
The correct answer is:
A. has a single authentication point.
Explanation:
The primary risk associated with single sign-on is the single authentication point: if a password
is compromised, access to many applications can be obtained without further verification. A single
point of failure is a related concern, but it affects availability rather than access, and failure
can occur at multiple points in resources such as data, processes or the network. An administrative
bottleneck is unlikely, because centralizing administration in a single-step entry system is an
advantage of SSO rather than a risk. User lockout can occur with any password authentication
system and is normally remedied swiftly by the security administrator resetting the account.
.........................................................................................................
54. An organization is considering connecting a critical PC-based system to the Internet.
Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning
The correct answer is:
A. An application-level gateway
Explanation:
An application-level gateway is the best protection against hacking because it can be configured
with detailed rules describing the type of user or connection that is or is not permitted. It
inspects each packet in detail, not only at layers one through four of the OSI model but also at
layers five through seven, which means it reviews the commands of each higher-level protocol
(HTTP, FTP, SNMP, etc.). A remote access server is a device that asks for a username and password
before admitting a user to the network; this is useful for reaching private networks, but the
server itself can be mapped or scanned from the Internet, creating an exposure. A proxy server can
provide protection based on IP addresses and ports, but configuring it correctly requires someone
who understands the applications well, and applications can use different ports for different
parts of the program. Port scanning is a discovery technique, not a protective control: it is
useful for a specific task such as confirming that a port is closed, but not for controlling what
comes in from the Internet. For example, ICMP echo requests (ping) could be blocked so that the IP
address remains reachable for the application and browsing but does not respond to ping.
.........................................................................................................
55. Which of the following controls would BEST detect intrusion?
A. User ids and user privileges are granted through authorized procedures.
B. Automatic logoff is used when a workstation is inactive for a particular period of time.
C. Automatic logoff of the system after a specified number of unsuccessful attempts.
D. Unsuccessful logon attempts are monitored by the security administrator.
The correct answer is:
D. Unsuccessful logon attempts are monitored by the security administrator.
Explanation:
Intrusion is detected by actively monitoring and reviewing unsuccessful logons. Granting user IDs
and privileges through authorized procedures is a preventive control that defines who may access
the system; it does not detect intrusion. Automatic logoff of inactive terminals prevents access
through unattended sessions and is not a detective control. Locking the system after a specified
number of unsuccessful attempts prevents intrusion, but detects nothing unless the lockouts are
reviewed.
.........................................................................................................
56. The MOST effective control for addressing the risk of piggybacking is:
A. a single entry point with a receptionist.
B. the use of smart cards.
C. a biometric door lock.
D. a deadman door.
The correct answer is:
D. a deadman door.
Explanation:
Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the
first entry door must close and lock with only one person permitted in the holding area. This
reduces the risk of an unauthorized person following an authorized person through a secured
entry (piggybacking). The other choices are all physical controls over entry to a secure area but
do not specifically address the risk of piggybacking.
.........................................................................................................
57. Which of the following is the MOST important objective of data protection?
A. Identifying persons who need access to information
B. Ensuring the integrity of information
C. Denying or authorizing access to the IS system
D. Monitoring logical accesses
The correct answer is:
B. Ensuring the integrity of information
Explanation:
Maintaining data integrity is the most important objective of data security. This is a necessity if
an organization is to continue as a viable and successful enterprise. The other choices are
important techniques for achieving the objective of data integrity.
.........................................................................................................
58. Which of the following is the MOST effective control over visitor access to a data
center?
A. Visitors are escorted.
B. Visitor badges are required.
C. Visitors sign in.
D. Visitors are spot-checked by operators.
The correct answer is:
A. Visitors are escorted.
Explanation:
Escorting visitors will provide the best assurance that visitors have permission to access the data
processing facility. Choices B and C are not reliable controls. Choice D is incorrect because
visitors should be accompanied at all times while they are on the premises, not only when they
are in the data processing facility.
.........................................................................................................
59. A TCP/IP-based environment is exposed to the Internet. Which of the following BEST
ensures that complete encryption and authentication protocols exist for protecting
information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of
authentication header (AH) and encapsulating security payload (ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.
The correct answer is:
A. Work is completed in tunnel mode with IP security using the nested services of
authentication header (AH) and encapsulating security payload (ESP).
Explanation:
Tunnel mode with IP security provides encryption and authentication of the complete IP packet;
to accomplish this, the AH and ESP services can be nested. Choices B and C provide authentication
and integrity but not confidentiality. TCP services provide neither encryption nor authentication.
.........................................................................................................
60. A manufacturer has been purchasing materials and supplies for its business through an
e-commerce application. Which of the following should this manufacturer rely on to prove
that the transactions were actually made?
A. Reputation
B. Authentication
C. Encryption
D. Nonrepudiation
The correct answer is:
D. Nonrepudiation
Explanation:
Nonrepudiation may ensure that a transaction is enforceable. It involves creating proof of the
origin or delivery of data to protect the sender against false denial by the recipient of the data's
receipt, or vice versa. Choice A is incorrect because the company's reputation would not, of
itself, prove a deal was made via the Internet. Choice B is not correct as authentication controls
are necessary to establish the identification of all parties to a communication. Choice C is
incorrect since encryption may protect the data transmitted over the Internet, but may not prove
that the transactions were made.
.........................................................................................................
61. The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.
The correct answer is:
A. authentication of the web site that will be surfed.
Explanation:
Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a
user is achieved through passwords and not by a web site certificate. The site certificate does not
prevent hacking nor does it authenticate a person.
.........................................................................................................
62. An IS auditor performing an independent classification of systems should consider a
situation where functions could be performed manually at a tolerable cost for an extended
period of time as:
A. critical.
B. vital.
C. sensitive.
D. noncritical.
The correct answer is:
C. sensitive.
Explanation:
Sensitive functions are best described as those that can be performed manually at a tolerable cost
for an extended period of time. Critical functions are those that cannot be performed unless they
are replaced by identical capabilities and cannot be replaced by manual methods. Vital functions
refer to those that can be performed manually but only for a brief period of time; this is
associated with lower costs of disruption than critical functions. Noncritical functions may be
interrupted for an extended period of time at little or no cost to the company, and require little
time or cost to restore.
.........................................................................................................
63. The use of residual biometric information to gain unauthorized access is an example of
which of the following attacks?
A. Replay
B. Brute-force
C. Cryptographic
D. Mimic
The correct answer is:
A. Replay
Explanation:
Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be
reused by an attacker to gain unauthorized access. A brute-force attack involves feeding the
biometric capture device numerous different biometric samples. A cryptographic attack targets
the algorithm or the encrypted data. In a mimic attack, the attacker reproduces characteristics
similar to those of the enrolled user, such as forging a signature or imitating a voice.
.........................................................................................................
64. Which of the following controls would be the MOST comprehensive in a remote access
network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
The correct answer is:
D. Password implementation and administration
Explanation:
The most comprehensive control in this situation is password implementation and administration.
While firewall installations are the primary line of defense, they cannot protect all access and,
therefore, an element of risk remains. A proxy server is a type of firewall installation and, thus,
the same rules apply. The network administrator may serve as a control, but typically this would
not be comprehensive enough to serve on multiple and diverse systems.
.........................................................................................................
65. Confidentiality of the data transmitted in a wireless LAN is BEST protected, if the
session is:
A. restricted to predefined MAC addresses.
B. encrypted using static keys.
C. encrypted using dynamic keys.
D. initiated from devices that have encrypted storage.
The correct answer is:
C. encrypted using dynamic keys.
Explanation:
When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the
key being compromised and the message being decrypted; WPA2 and WPA3 derive a fresh per-session
key from the authentication handshake for exactly this reason. Limiting the devices that can access
the network by MAC address does not address the issue of encrypting the session, and MAC addresses
are easily spoofed. Encryption with static keys, using the same key for a long period of time,
carries the risk that the key will be compromised. Encryption of the data on the connected device
(laptop, PDA, etc.) addresses the confidentiality of the data on the device, not the wireless
session.
.........................................................................................................
66. An IS auditor has identified the lack of an authorization process for users of an
application. The IS auditor's main concern should be that:
A. more than one individual can claim to be a specific user.
B. there is no way to limit the functions assigned to users.
C. user accounts can be shared.
D. users have a need-to-know privilege.
The correct answer is:
B. there is no way to limit the functions assigned to users.
Explanation:
Without an appropriate authorization process, it will be impossible to establish functional limits
and accountability. The risk that more than one individual can claim to be a specific user is
associated with the authentication processes, rather than with authorization. The risk that user
accounts can be shared is associated with identification processes, rather than with authorization.
The need-to-know basis is the best approach to assigning privileges during the authorization
process.
.........................................................................................................
67. Which of the following cryptographic systems is MOST appropriate for bulk data
encryption and small devices such as smart cards?
A. DES
B. AES
C. Triple DES
D. RSA
The correct answer is:
B. AES
Explanation:
Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256
bits in size, not only provides good security, but provides speed and versatility across a variety of
computer platforms. AES runs securely and efficiently on large computers, desktop computers
and even small devices such as smart cards. DES is not considered a strong cryptographic
solution since its entire key space can be brute-forced by large computer systems within a
relatively short period of time. Triple DES can take up to three times longer than DES to perform
encryption and decryption. RSA keys are large numbers that are suitable only for short messages,
such as the creation of a digital signature.
.........................................................................................................
68. The MOST important key success factor in planning a penetration test is:
A. the documentation of the planned testing procedure.
B. scheduling and deciding on the timed length of the test.
C. the involvement of the management of the client organization.
D. the qualifications and experience of staff involved in the test.
The correct answer is:
C. the involvement of the management of the client organization.
Explanation:
The most important part of planning any penetration test is the involvement of the management
of the client organization. Penetration testing without management approval could reasonably be
considered espionage and is illegal in many jurisdictions.
.........................................................................................................
69. Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code
The correct answer is:
C. Digital certificates
Explanation:
Digital certificates are issued by a trusted third party. The message sender attaches the certificate
rather than the public key and can verify authenticity with the certificate repository. Asymmetric
cryptography is vulnerable to a man-in-the-middle attack. Digital certificates are used for
confidentiality. Message authentication code is used for message integrity verification.
.........................................................................................................
70. Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity.
B. security and nonrepudiation.
C. integrity and nonrepudiation.
D. confidentiality and nonrepudiation.
The correct answer is:
C. integrity and nonrepudiation.
Explanation:
Applying a hashing algorithm to the data that travel in the network and sending the resulting
hash along with the data controls data integrity, since any unauthorized modification to the data
would result in a different hash. The application of a digital signature accomplishes the
nonrepudiation of the delivery of the message. The term security is a broad concept, not a
specific one. In addition to a hash and a digital signature, confidentiality is provided when an
encryption process exists.
.........................................................................................................
71. Which of the following Internet security threats could compromise integrity?
A. Theft of data from the client
B. Exposure of network configuration information
C. A Trojan horse browser
D. Eavesdropping on the net
The correct answer is:
C. A Trojan horse browser
Explanation:
Internet security threats to integrity include a Trojan horse found in client-browser software,
which could modify user data, memory and messages. The other options compromise
confidentiality.
.........................................................................................................
72. Which of the following is the MOST effective control when granting temporary access
to vendors?
A. Vendor access corresponds to the service level agreement (SLA).
B. User accounts are created with expiration dates and are based on services provided.
C. Administrator access is provided for a limited period.
D. User IDs are deleted when the work is completed.
The correct answer is:
B. User accounts are created with expiration dates and are based on services provided.
Explanation:
The most effective control is to ensure that the granting of temporary access is based on services
to be provided and that there is an expiration date (hopefully automated) associated with each ID.
The SLA may have a provision for providing access, but this is not a control. It would merely
define the need for access. Vendors require access for a limited period during the time of service;
however, it is important to ensure that the access during this period is monitored. Deleting these
user IDs after the work is completed is necessary, but if not automated, the deletion could be
overlooked.
.........................................................................................................
73. Which of the following provides the GREATEST assurance of message authenticity?
A. The prehash code is derived mathematically from the message being sent.
B. The prehash code is encrypted using the sender's private key.
C. The prehash code and the message are encrypted using the secret key.
D. The sender obtains the recipient's public key and verifies the authenticity of its digital
certificate with a certificate authority.
The correct answer is:
B. The prehash code is encrypted using the sender's private key.
Explanation:
Encrypting the prehash code using the sender's private key provides assurance of the authenticity
of the message. Mathematically deriving the prehash code provides integrity to the message.
Encrypting the prehash code and the message using the secret key provides confidentiality.
.........................................................................................................
74. Which of the following public key infrastructure (PKI) elements provides detailed
descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)
The correct answer is:
B. Certification practice statement (CPS)
Explanation:
The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been
revoked before their scheduled expiration date. The CP sets the requirements that are
subsequently implemented by the CPS. The PDS covers critical items, such as the warranties,
limitations and obligations that legally bind each party.
.........................................................................................................
75. An IS auditor should be MOST concerned with what aspect of an authorized honeypot?
A. The data collected on attack methods.
B. The information offered to outsiders on the honeypot.
C. The risk that the honeypot could be used to launch further attacks on the organization's
infrastructure.
D. The risk that the honeypot would be subject to a distributed denial-of-service attack.
The correct answer is:
C. The risk that the honeypot could be used to launch further attacks on the organization's
infrastructure.
Explanation:
Choice C represents the organizational risk that the honeypot could be used as a point of access
to launch further attacks on the enterprise's systems. Choices A and B are purposes for deploying
a honeypot, not a concern. Choice D, the risk that the honeypot would be subject to a distributed
denial-of-service (DDoS) attack, is not relevant, as the honeypot is not a critical device for
providing service.
.........................................................................................................
76. Which of the following BEST restricts users to those functions needed to perform their
duties?
A. Application level access control
B. Data encryption
C. Disabling floppy disk drives
D. Network monitoring device
The correct answer is:
A. Application level access control
Explanation:
The use of application-level access control programs is a management control that restricts
access by limiting users to only those functions needed to perform their duties. Data encryption
and disabling floppy disk drives can restrict users to specific functions, but are not the best of the
choices. A network monitoring device is a detective control, not a preventive control.
.........................................................................................................
77. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user's PIN
D. User ID along with password
The correct answer is:
C. A smart card requiring the user's PIN
Explanation:
A smart card addresses what the user has. It is generally used in conjunction with testing what
the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who
the user is usually requires a biometric method, such as fingerprint, iris scan or voice
verification. Iris scanning plus fingerprint scanning is therefore not two-factor user
authentication, because both prove only who the user is. A global positioning system (GPS)
receiver reports on where the user is. The use of an ID and password (what the user knows) is
single-factor user authentication.
.........................................................................................................
78. Which of the following is the PRIMARY safeguard for securing software and data
within an information processing facility?
A. Security awareness
B. Reading the security policy
C. Security committee
D. Logical access controls
The correct answer is:
D. Logical access controls
Explanation:
To retain a competitive advantage and meet basic business requirements, organizations must
ensure the integrity of the information stored on their computer systems, preserve the
confidentiality of sensitive data and ensure the continued availability of their information
systems. To meet these goals, logical access controls must be in place. Awareness (choice A)
itself does not protect against unauthorized access or disclosure of information. Knowledge of an
information systems security policy (choice B), which should be known by the organization's
employees, would help to protect information, but would not prevent the unauthorized access of
information. A security committee (choice C) is key to the protection of information assets, but
would address security issues within a broader perspective.
.........................................................................................................
79. Which of the following functions is performed by a virtual private network (VPN)?
A. Hiding information from sniffers on the net
B. Enforcing security policies
C. Detecting misuse or mistakes
D. Regulating access
The correct answer is:
A. Hiding information from sniffers on the net
Explanation:
A VPN hides information from sniffers on the net, using encryption. It works based on tunneling.
A VPN does not analyze information packets and, therefore, cannot enforce security policies; it
does not check the content of packets and, therefore, cannot detect misuse or mistakes; and it
does not perform an authentication function and, hence, cannot regulate access.
.........................................................................................................
80. Two-factor authentication can be circumvented through which of the following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute-force
The correct answer is:
B. Man-in-the-middle
Explanation:
A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the
legitimate destination and then merely retransmits whatever is sent by the authorized user along
with additional transactions after authentication has been accepted. A denial-of-service attack
does not have a relationship to authentication. Key logging and brute force could circumvent a
normal authentication but not a two-factor authentication.
.........................................................................................................
81. Sending a message and a message hash encrypted by the sender's private key will
ensure:
A. authenticity and integrity.
B. authenticity and privacy.
C. integrity and privacy.
D. privacy and nonrepudiation.
The correct answer is:
A. authenticity and integrity.
Explanation:
If the sender sends both a message and a message hash encrypted by its private key, then the
receiver can apply the sender's public key to the hash and get the message hash. The receiver can
apply the hashing algorithm to the message received and generate a hash. By matching the
generated hash with the one received, the receiver is ensured that the message has been sent by
the specific sender, i.e., authenticity, and that the message has not been changed en route.
Authenticity and privacy will be ensured by using first the sender's private key and then the
receiver's public key to encrypt the message. Privacy and integrity can be ensured by using the
receiver's public key to encrypt the message and sending a message hash/digest. Only
nonrepudiation can be ensured by using the sender's private key to encrypt the message. The
sender's public key, available to anyone, can decrypt a message; thus, it does not ensure privacy.
.........................................................................................................
82. Digital signatures require the:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.
The correct answer is:
B. signer to have a private key and the receiver to have a public key.
Explanation:
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of
the sender. The digital signature standard is a public key algorithm. This requires the signer to
have a private key, and the receiver to have a public key.
.........................................................................................................
83. The difference between a vulnerability assessment and a penetration test is that a
vulnerability assessment:
A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration
testing intends to exploit the vulnerabilities to probe the damage that could result from the
vulnerabilities.
B. and penetration tests are different names for the same activity.
C. is executed by automated tools, whereas penetration testing is a totally manual process.
D. is executed by commercial tools, whereas penetration testing is executed by public
processes.
The correct answer is:
A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration
testing intends to exploit the vulnerabilities to probe the damage that could result from the
vulnerabilities.
Explanation:
The objective of a vulnerability assessment is to find the security holes in the computers and
elements analyzed, and its intent is not to damage the infrastructure. The intent of penetration
testing is to imitate a hacker's activities and determine how far they could go into the network.
They are not the same; they have different approaches. Vulnerability assessments and
penetration testing can be executed by automated or manual tools or processes and can be
executed by commercial or free tools.
.........................................................................................................
84. An efficient use of PKI should encrypt the:
A. entire message.
B. private key.
C. public key.
D. symmetric session key.
The correct answer is:
D. symmetric session key.
Explanation:
Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve
intensive and time-consuming computations. In comparison, symmetric encryption is
considerably faster, yet relies on the security of the process for exchanging the secret key. To
enjoy the benefits of both systems, a symmetric session key is exchanged using public key
methods, after which it serves as the secret key for encrypting/decrypting messages sent between
two parties.
.........................................................................................................
85. Naming conventions for system resources are important for access control because
they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.
The correct answer is:
B. reduce the number of rules required to adequately protect resources.
Explanation:
Naming conventions for system resources are important for the efficient administration of
security controls. The conventions can be structured so that resources beginning with the same
high-level qualifier can be governed by one or more generic rules. This reduces the number of rules
required to adequately protect resources, which in turn facilitates security administration and
maintenance efforts. Reducing the number of rules required to protect resources allows for the
grouping of resources and files by application, which makes it easier to provide access. Ensuring
that resource names are not ambiguous cannot be achieved through the use of naming
conventions. Ensuring the clear and unique identification of user access to resources is handled
by access control rules, not naming conventions. Internationally recognized names are not
required to control access to resources. Naming conventions tend to be based on how each
organization wants to identify its resources.
.........................................................................................................
86. The PKI element that manages the certificate life cycle, including certificate directory
maintenance and certificate revocation list (CRL) maintenance and publication, is the:
A. certificate authority (CA).
B. digital certificate.
C. certification practice statement (CPS).
D. registration authority.
The correct answer is:
A. certificate authority (CA).
Explanation:
The certificate authority manages the certificate life cycle, including certificate directory
maintenance and CRL maintenance and publication. The CA attests, as a trusted provider of the
public/private key pairs, to the authenticity of the owner to whom a public/private key pair has
been given. The digital certificate is composed of a public key and identifying information about
the owner of the public key. It associates a public key with an individual's identity. Certificates
are e-documents, digitally signed by a trusted entity and containing information on individuals.
In this process, the sender digitally signs a document and attaches the digital certificate issued
by a trusted entity; the receiver relies on the public key included in the digital certificate to
authenticate the message. The certification practice statement is the
governance process for CA operations. A CPS documents the high-level practices, procedures
and controls of a CA. The registration authority attests, as a trusted provider of the public/private
key pairs, to the authenticity of the owner to whom a public/private key pair has been provided.
In other words, the registration authority performs the process of identification and
authentication by establishing a link between the identity of the requesting person or
organization and the public key. As a brief note, a CA manages and issues certificates, whereas an
RA is responsible for identifying and authenticating subscribers, but does not sign or issue
certificates. Definitions can be found in a glossary posted at:
http://sig.nfc.usda.gov/pki/glossary/glossary.html and http://www.cio-dpi.gc.ca/pkiicp/
beginners/glossary/ glossary_e.asp?format=print and in "Auditing and Certification of a
Public Key Infrastructure," by Ronald Koorn, Peter Walsen, Mark Lund, Information Systems
Control Journal, vol. 5, 2002, p. 28-29.
.........................................................................................................
87. Which of the following should concern an IS auditor when reviewing security in a
client-server environment?
A. Protecting data using an encryption technique
B. Preventing unauthorized access using a diskless workstation
C. The ability of users to access and modify the database directly
D. Disabling floppy drives on the users' machines
The correct answer is:
C. The ability of users to access and modify the database directly
Explanation:
For the purpose of data security in a client-server environment, an IS auditor should be
concerned with the users' ability to access and modify a database directly. This could affect the
integrity of the data in the database. Protecting data with encryption aids in securing the data.
Diskless workstations prevent copying of data into local disks and thus help to maintain the
integrity and confidentiality of data. Disabling floppy drives is a physical access control, which
helps to maintain the confidentiality of data by preventing it from being copied onto a disk.
.........................................................................................................
88. The implementation of access controls FIRST requires:
A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.
D. an inventory of IS resources.
The correct answer is:
D. an inventory of IS resources.
Explanation:
The first step in implementing access controls is an inventory of IS resources, which is the basis
for classification. Labeling of resources cannot be done without first determining the resources'
classifications. The access control list (ACL) cannot be created without a meaningful
classification of resources.
.........................................................................................................
89. An IS auditor observed that some data entry operators leave their computers in the
midst of data entry without logging off. Which of the following controls should be
suggested to prevent unauthorized access?
A. Encryption
B. Switch off the computer when leaving
C. Password control
D. Screen saver password
The correct answer is:
D. Screen saver password
Explanation:
Since data entry operators have to attend to other assignments in the midst of data entry and the
nature of the assignments is such that they do not log off the computer, a screen saver password
is the only effective control to guard against unauthorized access. Encryption does not prevent
access to the computer, it only guards against disclosure of the confidential contents of the files.
Switching off the computer without properly shutting it down is not advisable. Password control
takes place when logging on to an application and is not effective in this scenario.
.........................................................................................................
90. A firm is considering using biometric fingerprint identification on all PCs that access
critical data. This requires:
A. that a registration process be executed for all accredited PC users.
B. the full elimination of the risk of a false acceptance.
C. that the usage of the fingerprint reader be accessed by a separate password.
D. assurance that it will be impossible to gain unauthorized access to critical data.
The correct answer is:
A. that a registration process be executed for all accredited PC users.
Explanation:
The fingerprints of accredited users need to be read, identified and recorded, i.e., registered,
before a user may operate the system from the screened PCs. Choice B is incorrect, as the
false-acceptance risk of a biometric device may be optimized, but will never be zero because this
would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint
device reads the token (the user's fingerprint) and does not need to be protected in itself by a
password. Choice D is incorrect because the usage of biometric protection on PCs does not
guarantee that other potential security weaknesses in the system may not be exploited to access
protected data.
.........................................................................................................
91. Which of the following presents an inherent risk, with no distinct identifiable
preventive controls?
A. Piggybacking
B. Viruses
C. Data diddling
D. Unauthorized application shutdown
The correct answer is:
C. Data diddling
Explanation:
Data diddling involves changing data before they are entered into the computer. It is one of the
most common abuses, because it requires limited technical knowledge and occurs before
computer security can protect the data. There are only compensating controls for data diddling.
Piggybacking is the act of following an authorized person through a secured door and can be
prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access
through someone who has the rights, e.g., electronically attaching to an authorized
telecommunication link to possibly intercept transmissions. This could be prevented by
encrypting the message. Viruses are malicious program code inserted into another executable
code that can self-replicate and spread from computer to computer via sharing of computer
diskettes, transfer of logic over telecommunication lines or direct contact with an infected
machine. Antiviral software can be used to protect the computer against viruses. The shutdown
of an application can be initiated through terminals or microcomputers connected directly
(online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level
logon ID and password can initiate the shutdown process, which is effective if there are proper
access controls.
.........................................................................................................
92. A callback system requires that a user with an id and password call a remote server
through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user id and password and using a telephone
number from its database.
B. dials back to the user machine based on the user id and password and using a telephone
number provided by the user during the original connection.
C. waits for a redial from the user machine for confirmation and then verifies the user id
and password using its database.
D. waits for a redial from the user machine for confirmation and then verifies the user id
and password using the sender's database.
The correct answer is:
A. dials back to the user machine based on the user id and password and using a telephone
number from its database.
Explanation:
A callback system in a net-centric environment would mean that a user with an id and password
calls a remote server through a dial-up line first, and then the server disconnects and dials back to
the user machine based on the user id and password using a telephone number from its database.
Although the server can depend upon its own database, it cannot know the authenticity of the
dialer when the user dials again. The server cannot depend upon the sender's database to dial
back as the same could be manipulated.
.........................................................................................................
93. An IS auditor notes that IDS log entries related to port scanning are not being
analyzed. This lack of analysis will MOST likely increase the risk of success of which of the
following attacks?
A. Denial-of-service
B. Replay
C. Social engineering
D. Buffer overflow
The correct answer is:
A. Denial-of-service
Explanation:
Prior to launching a denial-of-service attack, hackers often use automatic port scanning software
to acquire information about the subject of their attack. A replay attack is simply sending the
same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow
attacks exploit poorly written code.
.........................................................................................................
94. Which of the following provides the MOST relevant information for proactively
strengthening security settings?
A. Bastion host
B. Intrusion detection system
C. Honeypot
D. Intrusion prevention system
The correct answer is:
C. Honeypot
Explanation:
The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's
methods and strategies and the resources required to address such attacks. A bastion host does
not provide information about an attack. Intrusion detection systems and intrusion prevention
systems are designed to detect and address an attack in progress and stop it as soon as possible.
A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy
and methods.
.........................................................................................................
95. Which of the following methods of suppressing a fire in a data center is the MOST
effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas
The correct answer is:
C. Dry-pipe sprinklers
Explanation:
Water sprinklers, with an automatic power shutoff system, are accepted as efficient, because they
can be set to automatic release without threat to life and water is environmentally friendly.
Sprinklers must be dry pipe to prevent the risk of leakage. Halon is efficient and effective as it
does not threaten human life and, therefore, can be set to automatic release, but it is
environmentally damaging and very expensive. Water is an acceptable medium but the pipes
should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is
accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to
automatic release in a staffed site since it threatens life.
.........................................................................................................
96. Which of the following acts as a decoy to detect active Internet attacks?
A. Honeypots
B. Firewalls
C. Trapdoors
D. Traffic analysis
The correct answer is:
A. Honeypots
Explanation:
Honeypots are computer systems that are expressly set up to attract and trap individuals who
attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn
from intruders' actions. A properly designed and configured honeypot provides data on methods
used to attack systems. The data are then used to improve measures that could curb future
attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that
provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a
type of passive attack.
.........................................................................................................
97. To ensure message integrity, confidentiality and nonrepudiation between two parties,
the MOST effective method would be to create a message digest by applying a
cryptographic hashing algorithm against:
A. the entire message, enciphering the message digest using the sender's private key,
enciphering the message with a symmetric key and enciphering the key by using the
receiver's public key.
B. any part of the message, enciphering the message digest using the sender's private key,
enciphering the message with a symmetric key and enciphering the key using the receiver's
public key.
C. the entire message, enciphering the message digest using the sender's private key,
enciphering the message with a symmetric key and enciphering the symmetric key using the
receiver's public key.
D. the entire message, enciphering the message digest using the sender's private key and
enciphering the message using the receiver's public key.
The correct answer is:
A. the entire message, enciphering the message digest using the sender's private key,
enciphering the message with a symmetric key and enciphering the key by using the
receiver's public key.
Explanation:
Applying a cryptographic hashing algorithm to the entire message addresses integrity: any
change to any part of the message changes the digest. Enciphering the message digest with the
sender's private key (a digital signature) addresses nonrepudiation, since only the holder of that
private key could have produced it. Encrypting the message with a symmetric key and then
enciphering that key with the receiver's public key addresses confidentiality most efficiently:
the bulk data is protected by the fast symmetric cipher, and only the holder of the receiver's
private key can recover the symmetric key and read the message. Hashing only part of the
message (choice B) leaves the rest unprotected, and enciphering the entire message with the
receiver's public key (choice D) is far slower than the hybrid approach. The other choices
therefore address only a portion of the requirements.
.........................................................................................................
98. The potential for unauthorized system access by way of terminals or workstations
within an organization's facility is increased when:
A. connecting points are available in the facility to connect laptops to the network.
B. users take precautions to keep their passwords confidential.
C. terminals with password protection are located in insecure locations.
D. terminals are located within the facility in small clusters under the supervision of an
administrator.
The correct answer is:
A. connecting points are available in the facility to connect laptops to the network.
Explanation:
Any person with wrongful intentions can connect a laptop to the network. Insecure connecting
points make unauthorized access possible if the individual has knowledge of a valid user ID and
password. The other choices are controls for preventing unauthorized network access. If system
passwords are not readily available to intruders, they must guess them, which introduces an
additional factor and requires time. System passwords provide protection against unauthorized
use of terminals located in insecure locations. Supervision is a very effective control when used
to monitor access to a small operating unit or production resources.
.........................................................................................................
99. The information security policy that states "each individual must have their badge read
at every controlled door" addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
The correct answer is:
A. Piggybacking
Explanation:
Piggybacking refers to unauthorized persons, following authorized persons, either physically or
virtually, into restricted areas. This policy addresses the "polite behavior" problem of holding
doors open for a stranger. If every employee must have his/her badge read at every controlled
door, no unauthorized person could enter the sensitive area. Looking over the shoulder of a user
to obtain sensitive information, could be done by an unauthorized person, who has gained access
to areas using piggybacking, but this policy specifically refers to physical access control.
Shoulder surfing would not be prevented by the implementation of this policy. Dumpster diving,
looking through an organization's trash for valuable information, could be done outside the
company's physical perimeter; therefore, this policy would not address this attack method.
Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired
information. Some social engineering attacks combine impersonation with piggybacking, but
this information security policy does not address the impersonation attack.
.........................................................................................................
100. The PRIMARY objective of a logical access control review is to:
A. review access controls provided through software.
B. ensure access is granted per the organization's authorities.
C. walk through and assess the access provided in the IT environment.
D. provide assurance that computer hardware is adequately protected against abuse.
The correct answer is:
B. ensure access is granted per the organization's authorities.
Explanation:
The scope of a logical access control review is primarily to determine whether or not access is
granted per the organization's authorizations. Choices A and C relate to procedures of a logical
access control review, rather than objectives. Choice D is relevant to a physical access control
review.
.........................................................................................................
101. A dry-pipe fire extinguisher system is a system that uses:
A. water, but in which water does not enter the pipes until a fire has been detected.
B. water, but in which the pipes are coated with special water-tight sealants.
C. carbon dioxide instead of water.
D. halon instead of water.
The correct answer is:
A. water, but in which water does not enter the pipes until a fire has been detected.
Explanation:
The dry-pipe sprinkler is an effective and environmentally friendly method of suppressing fire.
Water sprinklers with an automatic power shutoff system can be set to automatic release without
threat to life. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon or carbon dioxide
are also used to extinguish fire, but are not used through a dry pipe.
.........................................................................................................
102. When auditing security for a data center, an IS auditor should look for the presence of
a voltage regulator to ensure that the:
A. hardware is protected against power surges.
B. integrity is maintained if the main power is interrupted.
C. immediate power will be available if the main power is lost.
D. hardware is protected against long-term power fluctuations.
The correct answer is:
A. hardware is protected against power surges.
Explanation:
A voltage regulator protects against short-term power fluctuations (surges and sags). It normally
does not protect against long-term fluctuations, nor does it maintain integrity or supply power if
the main power is interrupted or lost; those are the roles of a UPS and a standby generator.
.........................................................................................................
103. Which of the following is a passive attack to a network?
A. Message modification
B. Masquerading
C. Denial of service
D. Traffic analysis
The correct answer is:
D. Traffic analysis
Explanation:
The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts
and is able to guess the type of communication taking place. Message modification involves the
capturing of a message and making unauthorized changes or deletions, changing the sequence or
delaying transmission of captured messages. Masquerading is an active attack in which the
intruder presents an identity other than the original identity. Denial of service occurs when a
computer connected to the Internet is flooded with data and/or requests that must be processed.
.........................................................................................................
104. Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by
hackers using which of the following?
A. Logic bombs
B. Phishing
C. Spyware
D. Trojan horses
The correct answer is:
D. Trojan horses
Explanation:
Trojan horses are malicious or damaging code hidden within an authorized computer program.
Hackers use Trojans to build a set of compromised machines that are directed to flood the same
Internet site at the same moment, resulting in overloaded site servers that may no longer be able
to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a
specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an
authorized person or organization requesting information. Spyware is a program that collects
information from a PC and reports it elsewhere without the user's knowledge.
.........................................................................................................
105. A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.
The correct answer is:
A. show if the message has been altered after transmission.
Explanation:
The message digest is calculated and included in a digital signature to prove that the message has
not been altered. It should be the same value as a recalculation performed upon receipt. It does
not define the algorithm or enable the transmission in digital format and has no effect on the
identity of the user; it is there to ensure integrity rather than identity.
.........................................................................................................
106. Which of the following would be the BEST overall control for an Internet business
looking for confidentiality, reliability and integrity of data?
A. Secure Sockets Layer (SSL)
B. Intrusion detection system (IDS)
C. Public key infrastructure (PKI)
D. Virtual private network (VPN)
The correct answer is:
C. Public key infrastructure (PKI)
Explanation:
PKI would be the best overall technology because cryptography provides for encryption, digital
signatures and nonrepudiation controls for confidentiality and reliability. SSL can provide
confidentiality. IDS is a detective control. A VPN would provide confidentiality and
authentication (reliability).
.........................................................................................................
107. Which of the following is the MOST effective control procedure for security of a
stand-alone small business computer environment?
A. Supervision of computer usage
B. Daily management review of the trouble log
C. Storage of computer media in a locked cabinet
D. Independent review of an application system design
The correct answer is:
A. Supervision of computer usage
Explanation:
Since small, stand-alone business computer environments normally lack basic controls, such as
access control software and a strict segregation of duties, strong compensating controls should be
applied. In this situation, supervision of computer usage must be relied upon. This takes the form
of monitoring office activity, reviewing key control reports, and sampling employee work to
ensure it is appropriate and authorized.
.........................................................................................................
108. To prevent unauthorized entry to the data maintained in a dial-up, fast response
system, an IS auditor should recommend:
A. online terminals be placed in restricted areas.
B. online terminals be equipped with key locks.
C. ID cards be required to gain access to online terminals.
D. online access be terminated after a specified number of unsuccessful attempts.
The correct answer is:
D. online access be terminated after a specified number of unsuccessful attempts.
Explanation:
The most appropriate control to prevent unauthorized entry is to terminate the connection after a
specified number of unsuccessful attempts. This deters access through the guessing of IDs and
passwords. The other choices are physical controls, which are not effective in deterring
unauthorized access via telephone lines.
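The control in choice D, as an added example that is not part of the question bank: a sign-on gate that counts failed attempts per user ID and refuses that ID for a lockout period once the threshold is reached, even if the correct password is then supplied. The user table, the threshold of three attempts and the 15-minute lockout are constructed assumptions; the credential is held in plaintext only so that the lockout logic stays readable, and how credentials should actually be stored is out of scope here.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed, hypothetical user table (not from the question bank).
var credentials = map[string]string{"alice": "correct horse battery"}

const (
	maxFailures   = 3                // attempts allowed before the line is dropped
	lockoutPeriod = 15 * time.Minute // how long the ID stays locked afterwards
)

type attemptState struct {
	failures    int
	lockedUntil time.Time
}

// Gate counts failed sign-on attempts per user ID. The clock is injected so
// that lockout expiry can be exercised without sleeping.
type Gate struct {
	now   func() time.Time
	state map[string]*attemptState
}

func NewGate(now func() time.Time) *Gate {
	return &Gate{now: now, state: map[string]*attemptState{}}
}

// Login returns (true, "ok") only for a valid ID/password on an unlocked ID.
// Unknown IDs are counted exactly like known ones, so a caller cannot use
// the lockout behaviour to discover which IDs exist.
func (g *Gate) Login(id, password string) (bool, string) {
	st := g.state[id]
	if st == nil {
		st = &attemptState{}
		g.state[id] = st
	}
	if g.now().Before(st.lockedUntil) {
		return false, "locked" // even a correct password is refused while locked
	}
	if pw, known := credentials[id]; known && pw == password {
		st.failures = 0
		return true, "ok"
	}
	st.failures++
	if st.failures >= maxFailures {
		st.failures = 0
		st.lockedUntil = g.now().Add(lockoutPeriod)
		return false, "locked"
	}
	return false, "bad credentials"
}

func main() {
	g := NewGate(time.Now)
	for _, pw := range []string{"guess1", "guess2", "guess3", "correct horse battery"} {
		ok, why := g.Login("alice", pw)
		fmt.Printf("alice/%-22s -> %v (%s)\n", pw, ok, why)
	}
}
```

The fourth attempt in main is the correct password, but it is still refused because the third failure locked the ID; the lock clears only after the period elapses. Note that lockouts can be turned against the organization (an attacker can lock out legitimate users on purpose), so the threshold and period are a balance, not a fixed rule.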
.........................................................................................................
109. Which of the following can identify attacks and penetration attempts to a network?
A. Firewall
B. Packet filters
C. Stateful inspection
D. Intrusion detection system (IDS)
The correct answer is:
D. Intrusion detection system (IDS)
Explanation:
An IDS holds a large database of attack signatures against which it matches network traffic (or
host activity) to detect attacks and penetration attempts and raise alerts. Packet filters and
stateful inspection are types of firewalls. A firewall is a fence around a network designed to
block certain types of communications routed or passing through specific ports; it is not designed
to discover someone bypassing or going under the firewall.
.........................................................................................................
110. When reviewing an organization's logical access security, which of the following
should be of MOST concern to an IS auditor?
A. Passwords are not shared.
B. Password files are not encrypted.
C. Redundant logon IDs are deleted.
D. The allocation of logon IDs is controlled.
The correct answer is:
B. Password files are not encrypted.
Explanation:
When evaluating the technical aspects of logical security, unencrypted password files represent
the greatest risk: anyone who can read the file obtains every credential at once. (In practice the
stored values should be salted one-way hashes rather than reversibly encrypted passwords, so
that not even an administrator can recover them.) The sharing of passwords, checking for
redundant logon IDs, and proper logon ID procedures are essential, but they are less important
than ensuring that the password file is protected.
.........................................................................................................
111. During a logical access controls review, the IS auditor observes that user accounts are
shared. The GREATEST risk resulting from this situation is that:
A. an unauthorized user may use the id to gain access.
B. user access management is time-consuming.
C. passwords are easily guessed.
D. user accountability may not be established.
The correct answer is:
D. user accountability may not be established.
Explanation:
The use of a single user id by more than one individual precludes knowing who in fact used that
id to access a system; therefore, it is literally impossible to hold anyone accountable. All user ids,
not just shared ids, can be used by unauthorized individuals. Access management would not be
any different with shared ids, and shared user ids do not necessarily have easily guessed
passwords.
.........................................................................................................
112. The most common problem in the operation of an intrusion detection system (IDS) is:
A. the detection of false positives.
B. receiving trap messages.
C. reject-error rates.
D. denial-of-service attacks.
The correct answer is:
A. the detection of false positives.
Explanation:
Because of the configuration and the way IDS technology operates, the main problem in
operating IDSs is the recognition (detection) of events that are not really security incidents—
false positives (equivalent of a false alarm). The IS auditor needs to be aware of this and should
check for implementation of related controls, such as IDS tuning, incident handling procedures
(such as the screening process to know if an event is a security incident or a false positive). Trap
messages are generated by the Simple Network Management Protocol (SNMP) agents when an
important event happens, but are not particularly related to security or IDSs. Reject-error rate is
related to biometric technology and is not related to IDSs. Denial of service is a type of attack
and is not a problem in the operation of IDSs.
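An added example, not part of the question bank, of the false-positive problem and of the tuning the explanation refers to: a minimal signature-matching IDS run over constructed web-server log lines. The untuned rule set fires on a legitimate documentation page and on the organization's own scheduled scanner; the tuned set narrows the pattern and suppresses the source that the screening process classified as benign. All log lines, hosts, IP addresses and signatures are constructed for the demonstration (this also serves question 109: detection is pattern matching, not blocking).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed web server access log (not captured from any real system).
// Line 2 is a directory traversal attempt, line 3 an SQL injection probe,
// line 4 a legitimate request for a documentation page, line 5 the
// organization's scheduled vulnerability scanner (10.0.0.250).
const sampleLog = `10.0.0.5 - - [02/Mar/2016:10:01:02] "GET /index.html HTTP/1.1" 200
10.0.0.9 - - [02/Mar/2016:10:01:07] "GET /cgi-bin/../../../etc/passwd HTTP/1.1" 404
10.0.0.22 - - [02/Mar/2016:10:02:15] "GET /login.php?user=admin' OR '1'='1 HTTP/1.1" 200
10.0.0.7 - - [02/Mar/2016:10:03:40] "GET /docs/passwd-policy.html HTTP/1.1" 200
10.0.0.250 - - [02/Mar/2016:10:04:01] "GET /cgi-bin/test.cgi?file=../../etc/passwd HTTP/1.1" 404`

// Signature is one detection rule. TrustedSources holds hosts whose matches
// the screening process has classified as legitimate; suppressing them is
// one of the tuning controls the explanation mentions.
type Signature struct {
	Name           string
	Pattern        *regexp.Regexp
	TrustedSources map[string]bool
}

type Alert struct {
	Signature, Source, Line string
}

// Scan matches every signature against every line and returns the alerts
// in log order. An IDS only reports; it does not block the request.
func Scan(log string, sigs []Signature) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		src := strings.SplitN(line, " ", 2)[0]
		for _, s := range sigs {
			if s.TrustedSources[src] || !s.Pattern.MatchString(line) {
				continue
			}
			alerts = append(alerts, Alert{s.Name, src, line})
		}
	}
	return alerts
}

// UntunedSignatures is the out-of-the-box rule set: "passwd" anywhere in a
// request also fires on the documentation page and on the scanner.
func UntunedSignatures() []Signature {
	return []Signature{
		{Name: "passwd-access", Pattern: regexp.MustCompile(`passwd`)},
		{Name: "sqli", Pattern: regexp.MustCompile(`(?i)'\s*or\s*'`)},
	}
}

// TunedSignatures narrows the traversal rule to the actual attack pattern
// and suppresses the scanner host identified during screening.
func TunedSignatures() []Signature {
	scanner := map[string]bool{"10.0.0.250": true}
	return []Signature{
		{Name: "path-traversal", Pattern: regexp.MustCompile(`\.\./.*etc/passwd`), TrustedSources: scanner},
		{Name: "sqli", Pattern: regexp.MustCompile(`(?i)'\s*or\s*'`)},
	}
}

func main() {
	for _, set := range []struct {
		name string
		sigs []Signature
	}{{"untuned", UntunedSignatures()}, {"tuned", TunedSignatures()}} {
		alerts := Scan(sampleLog, set.sigs)
		fmt.Printf("%s rule set: %d alerts\n", set.name, len(alerts))
		for _, a := range alerts {
			fmt.Printf("  %-14s %s\n", a.Signature, a.Source)
		}
	}
}
```

The untuned set raises four alerts, two of them false positives; the tuned set raises two, both real. The source suppression is itself a risk worth recording in the tuning decision: a genuine attack launched from (or spoofed as) the trusted scanner address is silently dropped, which is why such exclusions should be as narrow as possible and reviewed with the signatures.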
.........................................................................................................
113. In a public key infrastructure, a registration authority:
A. verifies information supplied by the subject requesting a certificate.
B. issues the certificate after the required attributes are verified and the keys are
generated.
C. digitally signs a message to achieve nonrepudiation of the signed message.
D. registers signed messages to protect them from future repudiation.
The correct answer is:
A. verifies information supplied by the subject requesting a certificate.
Explanation:
A registration authority is responsible for verifying information supplied by the subject
requesting a certificate and verifies the requestor's right to request certificate attributes and that
the requestor actually possesses the private key corresponding to the public key being sent.
Certification authorities, not registration authorities, actually issue certificates, once verification
of the information has been completed, because of this, choice B is wrong. On the other hand,
the sender who has control of his/her private key, signs the message, not the registration
authority and registering signed messages is not a task performed by registration authorities.
.........................................................................................................
114. The role of the certificate authority (CA) as a third party is to:
A. provide secured communication and networking services based on certificates.
B. host a repository of certificates with the corresponding public and secret keys issued by
that CA.
C. act as a trusted intermediary between two communication partners.
D. confirm the identity of the entity owning a certificate issued by that CA.
The correct answer is:
D. confirm the identity of the entity owning a certificate issued by that CA.
Explanation:
The primary activity of a CA is to issue certificates. The primary role of the CA is to check the
identity of the entity owning a certificate and to confirm the integrity of any certificate it issued.
Providing a communication infrastructure is not a CA activity. The secret keys belonging to the
certificates would not be archived at the CA. The CA can contribute to authenticating the
communicating partners to each other, but the CA is not involved in the communication stream
itself.
.........................................................................................................
115. Which of the following virus prevention techniques can be implemented through
hardware?
A. Remote booting
B. Heuristic scanners
C. Behavior blockers
D. Immunizers
The correct answer is:
A. Remote booting
Explanation:
Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be
implemented through hardware. Choice C is a detection, not a prevention, although it is
hardware-based. Choices B and D are not hardware-based.
.........................................................................................................
116. Over the long term, which of the following has the greatest potential to improve the
security incident response process?
A. A walk-through review of incident response procedures
B. Postevent reviews by the incident response team
C. Ongoing security training for users
D. Documenting responses to an incident
The correct answer is:
B. Postevent reviews by the incident response team
Explanation:
Postevent reviews to find the gaps and shortcomings in the actual incident response processes
will help to improve the process over time. Choices A, C and D are desirable actions, but
postevent reviews are the most reliable mechanism for improving security incident response
processes.
.........................................................................................................
117. Sign-on procedures include the creation of a unique user ID and password. However,
an IS auditor discovers that in many cases the username and password are the same. The
BEST control to mitigate this risk is to:
A. change the company's security policy.
B. educate users about the risk of weak passwords.
C. build in validations to prevent this during user creation and password change.
D. require a periodic review of matching user ID and passwords for detection and
correction.
The correct answer is:
C. build in validations to prevent this during user creation and password change.
Explanation:
The compromise of the password is the highest risk. The best control is a preventive control
through validation at the time the password is created or changed. Changing the company's
security policy and educating users about the risks of weak passwords only provides information
to users, but does little to enforce this control. Requiring a periodic review of matching user ID
and passwords for detection and ensuring correction is a detective control.
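Choice C of this question together with choice B of question 110, as an added example that is not part of the question bank: ValidatePassword is the preventive check applied at user creation and at every password change, rejecting a password that equals, contains or reverses the user ID; CreateUser then stores only a per-user random salt and a stretched hash, so the password file holds nothing that can be turned back into a password. The minimum length, the iteration count and the user IDs are constructed assumptions, and the iterated-HMAC stretching is a standard-library-only stand-in for a proper password KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

const (
	minLength  = 12
	iterations = 100000 // work factor; raise it as hardware gets faster
)

// Record is all the password file holds for a user: a per-user random salt
// and the stretched hash, never the password or a reversible encryption of it.
type Record struct {
	Salt, Hash []byte
}

// ValidatePassword is the preventive control of Q117: it runs at user
// creation and at every password change, before anything is stored.
func ValidatePassword(userID, password string) error {
	pw, uid := strings.ToLower(password), strings.ToLower(userID)
	switch {
	case len(password) < minLength:
		return errors.New("password shorter than minimum length")
	case pw == uid:
		return errors.New("password equals user id")
	case strings.Contains(pw, uid):
		return errors.New("password contains user id")
	case reverse(pw) == uid:
		return errors.New("password is user id reversed")
	}
	return nil
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// derive stretches the password with the salt by iterating HMAC-SHA256.
// This is a standard-library stand-in for a real password KDF (PBKDF2,
// scrypt, Argon2); use one of those in production.
func derive(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	out := salt
	for i := 0; i < iterations; i++ {
		mac.Reset()
		mac.Write(out)
		out = mac.Sum(nil)
	}
	return out
}

// CreateUser enforces the validation, then stores salt and hash only.
func CreateUser(store map[string]Record, userID, password string) error {
	if err := ValidatePassword(userID, password); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	store[userID] = Record{Salt: salt, Hash: derive(password, salt)}
	return nil
}

// Verify recomputes the hash under the stored salt and compares in constant
// time, so the comparison itself does not leak how much of the hash matched.
func Verify(store map[string]Record, userID, password string) bool {
	rec, ok := store[userID]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(rec.Hash, derive(password, rec.Salt)) == 1
}

func main() {
	store := map[string]Record{}
	fmt.Println("create administrator/administrator:", CreateUser(store, "administrator", "administrator"))
	fmt.Println("create administrator/strong:", CreateUser(store, "administrator", "correct horse battery"))
	rec := store["administrator"]
	fmt.Println("password file entry:", hex.EncodeToString(rec.Salt), hex.EncodeToString(rec.Hash))
	fmt.Println("verify right/wrong:", Verify(store, "administrator", "correct horse battery"), Verify(store, "administrator", "administrator"))
}
```

The first CreateUser call is refused before anything touches the store, which is the point of a preventive control; the periodic review in choice D would only find the weak entry after it had been in use. Because the salt is random per user, two users with the same password get different hashes, so a stolen file cannot be attacked with one precomputed table.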
.........................................................................................................
118. The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transform.
D. encryption.
The correct answer is:
A. encapsulation.
Explanation:
Encapsulation or tunneling is a technique used to carry the traffic of one protocol over a network
that does not support that protocol directly: the original packet is wrapped inside another packet.
In a VPN the encapsulated packets are then also encrypted and authenticated (for example by
IPsec ESP), so tunneling on its own does not hide the contents. The other choices are not security
techniques specific to VPNs.
.........................................................................................................
119. Confidential data residing on a PC are BEST protected by:
A. a password.
B. file encryption.
C. removable diskettes.
D. a key-operated power source.
The correct answer is:
B. file encryption.
Explanation:
File encryption is the best means of protecting confidential data in a PC. A key-operated power
source, password or removable diskettes will only restrict access, and the data will still be
viewable using electronic eavesdropping techniques. Only encryption provides confidentiality. A
password also may not be the best method of protection since passwords can be compromised.
Removable diskettes do provide some security for information if they are locked away so only
authorized individuals can gain access. However, if obtained by unauthorized individuals,
information can be easily accessed. A key-operated power source can be bypassed by obtaining
power from another source.
.........................................................................................................
120. Which of the following user profiles should be of MOST concern to the IS auditor,
when performing an audit of an EFT system?
A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to
send their own messages
The correct answer is:
A. Three users with the ability to capture and verify their own messages
Explanation:
The ability of one individual to capture and verify messages represents an inadequate
segregation, since messages can be taken as correct and as if they had already been verified.
.........................................................................................................
121. IS auditors in performing detailed network assessments and access control reviews
should FIRST:
A. determine the points of entry.
B. evaluate users' access authorization.
C. assess users' identification and authorization.
D. evaluate the domain-controlling server configuration.
The correct answer is:
A. determine the points of entry.
Explanation:
In performing detailed network assessments and access control reviews, IS auditors should first
determine the points of entry to the system and accordingly review the points of entry for
appropriate controls. Evaluation of user access authorization, assessment of user identification
and authorization, and evaluation of the domain-controlling server configuration are all
implementation issues for appropriate controls for the points of entry.
.........................................................................................................
122. The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message
through:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.
The correct answer is:
A. symmetric encryption.
Explanation:
SSL uses a symmetric key for message encryption. A message authentication code is used for
ensuring data integrity. Hash function is used for generating a message digest; it does not use
public key encryption for message encryption. Digital signature certificates are used by SSL for
server authentication.
.........................................................................................................
123. Which of the following intrusion detection systems (IDSs) monitors the general
patterns of activity and traffic on a network and creates a database?
A. Signature-based
B. Neural networks
C. Statistical-based
D. Host-based
The correct answer is:
B. Neural networks
Explanation:
The neural networks-based IDS monitors the general patterns of activity and traffic on the
network and creates a database. This is similar to the statistical model but has the added function
of self-learning. Signature-based systems store the identified intrusive patterns in the form of
signatures and can detect only intrusion patterns for which a signature already exists.
Statistical-based systems need a comprehensive definition of the known and expected behavior
of systems. Host-based is a deployment category rather than a detection method: a host-based
IDS is configured for a specific environment and monitors internal resources of the operating
system to warn of a possible attack.
.........................................................................................................
124. IS management recently replaced its existing wired local area network (LAN) with a
wireless infrastructure to accommodate the increased use of mobile devices within the
organization. This will increase the risk of which of the following attacks?
A. Port scanning
B. Back door
C. Man-in-the-middle
D. War driving
The correct answer is:
D. War driving
Explanation:
A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful
antenna to penetrate wireless systems from outside. Port scanning will often target the external
firewall of the organization. A back door is an opening left in software that enables an unknown
entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify
it.
.........................................................................................................
125. Which of the following is an example of a passive attack initiated through the
Internet?
A. Traffic analysis
B. Masquerading
C. Denial of service
D. E-mail spoofing
The correct answer is:
A. Traffic analysis
Explanation:
Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of
passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks
include brute-force attacks, masquerading, packet replay, message modification, unauthorized
access through the Internet or web-based services, denial-of-service attacks, dial-in penetration
attacks, e-mail bombing and spamming, and e-mail spoofing.
.........................................................................................................
126. An investment advisor e-mails periodic newsletters to clients and wants reasonable
assurance that no one has modified the newsletter. This objective can be achieved by:
A. encrypting the hash of the newsletter using the advisor's private key.
B. encrypting the hash of the newsletter using the advisor's public key.
C. digitally signing the document using the advisor's private key.
D. encrypting the newsletter using the advisor's private key.
The correct answer is:
A. encrypting the hash of the newsletter using the advisor's private key.
Explanation:
There is no attempt on the part of the investment advisor to prove his/her identity or to keep the
newsletter confidential. The objective is to assure the receivers that it came to them without any
modification (i.e., it has message integrity). Answer A is correct because the hash is encrypted
using the advisor's private key. The recipients can open the newsletter, recompute the hash,
decrypt the received hash using the advisor's public key and, if the two hashes are equal, the
newsletter was not modified in transit. Choice B is not feasible: a hash encrypted with the
advisor's public key could be decrypted only with the advisor's private key, which the recipients
do not have. Choice C addresses sender authentication but not message integrity. Choice D is
aimed at confidentiality but provides neither confidentiality nor integrity, because anyone can
obtain the investment advisor's public key, decrypt the newsletter, modify it and send it to
others. An interceptor cannot use the advisor's private key, because he/she does not have it;
anything encrypted with the interceptor's own private key can be decrypted only with the
interceptor's public key, so it will not verify as the advisor's.
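The scheme of question 97 choice A, with the digest-signing step of questions 105 and 126 as separate functions, as an added example in Go that is not part of the question bank. The envelope layout, key sizes and algorithm choices (SHA-256, RSA-PSS for signing, RSA-OAEP for key wrapping, AES-256-GCM for the message) are assumptions chosen for the demonstration, and the message and keys are constructed. SignDigest and VerifyDigest on their own are the answer to question 126 (integrity and proof of origin, message left readable); Seal and Open add the symmetric encryption and key wrapping that question 97 requires.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is the wire format; the symmetric key travels only wrapped under
// the receiver's public key, so only the receiver can unwrap it.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(receiver public key, AES-256 key)
	Nonce      []byte // AES-GCM nonce, fresh per message
	Ciphertext []byte // AES-GCM(signature || message)
}

// NewKey generates a 2048-bit RSA key pair for a sender or receiver.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: nothing sensible to do but stop
	}
	return b
}

// SignDigest hashes the ENTIRE message and signs the digest with the sender's
// private key: on its own this is Q126's answer (integrity and proof of origin).
func SignDigest(msg []byte, senderPriv *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, d[:], nil)
}

// VerifyDigest recomputes the digest on receipt and checks it against the
// signed value using the sender's public key (Q105).
func VerifyDigest(msg, sig []byte, senderPub *rsa.PublicKey) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, d[:], sig, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Q97 choice A: sign the digest, encrypt signature+message under a
// fresh symmetric key, and wrap that key with the receiver's public key.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	sig, err := SignDigest(msg, senderPriv)
	if err != nil {
		return nil, err
	}
	key := random(32)
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, append(sig, msg...), nil)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. Each failure is distinguishable: not the intended
// receiver (unwrap fails), ciphertext altered (GCM tag fails), message
// altered or not from the claimed sender (signature fails).
func Open(env *Envelope, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, receiverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not the intended receiver")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext altered")
	}
	n := senderPub.Size() // a PSS signature is exactly one modulus in length
	if len(plain) < n {
		return nil, errors.New("malformed envelope")
	}
	if err := VerifyDigest(plain[n:], plain[:n], senderPub); err != nil {
		return nil, errors.New("signature invalid: message altered or not from sender")
	}
	return plain[n:], nil
}
```

To use it, call Seal(msg, senderKey, &receiverKey.PublicKey) and hand the Envelope to the receiver, who calls Open(env, receiverKey, &senderKey.PublicKey). The signature is computed over the whole message before encryption, so the receiver checks integrity and origin on the plaintext exactly as question 97 describes; because GCM is authenticated encryption, a tampered ciphertext is rejected before the signature is even examined, and a wrong receiver fails at the key-unwrap step and never sees the plaintext.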
.........................................................................................................
127. Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user
authorization tables.
B. Authorized staff implement the user authorization tables and the data owner sanctions
them.
C. The data owner and an IS manager jointly create and update the user authorization
tables.
D. The data owner creates and updates the user authorization tables.
The correct answer is:
A. The data owner formally authorizes access and an administrator implements the user
authorization tables.
Explanation:
The data owner holds the privilege and responsibility for formally establishing the access rights.
An IS administrator should then implement or update user authorization tables. Choice B alters
the desirable order. Choice C is not a formal procedure for authorizing access.
.........................................................................................................
128. Which of the following is a benefit of using a callback device?
A. Provides an audit trail.
B. Can be used in a switchboard environment.
C. Permits unlimited user mobility.
D. Allows call forwarding.
The correct answer is:
A. Provides an audit trail.
Explanation:
A callback feature hooks into the access control software and logs all authorized and
unauthorized access attempts, permitting the follow-up and further review of potential breaches.
Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing
through an authorized phone number from an unauthorized phone number, a perpetrator can gain
computer access. This vulnerability can be controlled through callback systems that are
available.
.........................................................................................................
129. Which of the following antivirus software implementation strategies would be the
MOST effective in an interconnected corporate network?
A. Server antivirus software
B. Virus walls
C. Workstation antivirus software
D. Virus signature updating
The correct answer is:
B. Virus walls
Explanation:
An important means of controlling the spread of viruses is to detect the virus at the point of
entry, before it has an opportunity to cause damage. In an interconnected corporate network,
virus scanning software, used as an integral part of firewall technologies, is referred to as a virus
wall. Virus walls scan incoming traffic with the intent of detecting and removing viruses before
they enter the protected network. The presence of virus walls does not preclude the necessity for
installing virus detection software on servers and workstations within the network, but network-level
protection is most effective the earlier the virus is detected. Virus signature updating is a
must in all circumstances, be it networked or not.
.........................................................................................................
130. The MOST effective method of preventing unauthorized use of data files is:
A. automated file entry.
B. tape librarian.
C. access control software.
D. locked library.
The correct answer is:
C. access control software.
Explanation:
Access control software is an active control designed to prevent unauthorized access to data.
.........................................................................................................
131. An organization with extremely high security requirements is evaluating the
effectiveness of biometric systems. Which of the following performance indicators is MOST
important?
A. False-acceptance rate (FAR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. False-identification rate (FIR)
The correct answer is:
A. False-acceptance rate (FAR)
Explanation:
FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access
when it should be denied. In an organization with high security requirements, user annoyance
with a higher FRR is less important, since it is better to deny access to an authorized individual
than to grant access to an unauthorized individual. EER is the point where the FAR equals the
FRR; therefore, it does not minimize the FAR. FIR is the probability that an authorized person is
identified, but is assigned a false ID.
.........................................................................................................
132. Which of the following manages the digital certificate life cycle to ensure adequate
security and controls exist in digital signature applications related to e-commerce?
A. Registration authority
B. Certificate authority (CA)
C. Certification revocation list
D. Certification practice statement
The correct answer is:
B. Certificate authority (CA)
Explanation:
The certificate authority maintains a directory of digital certificates for the reference of those
receiving them. It manages the certificate life cycle, including certificate directory maintenance
and certificate revocation list maintenance and publication. Choice A is not correct because a
registration authority is an optional entity that is responsible for the administrative tasks
associated with registering the end entity that is the subject of the certificate issued by the CA.
Choice C is incorrect since a CRL is an instrument for checking the continued validity of the
certificates for which the CA has responsibility. Choice D is incorrect because a certification
practice statement is a detailed set of rules governing the certificate authority's operations.
.........................................................................................................
133. Passwords should be:
A. assigned by the security administrator for first time logon.
B. changed every 30 days at the discretion of the user.
C. reused often to ensure the user does not forget the password.
D. displayed on the screen so that the user can ensure that it has been entered properly.
The correct answer is:
A. assigned by the security administrator for first time logon.
Explanation:
Initial password assignment should be done discretely by the security administrator. Passwords
should be changed often (e.g., every 30 days); however, changing should not be voluntary; it
should be required by the system. Systems should not permit previous passwords to be used
again; old passwords may have been compromised and would thus permit unauthorized access.
Passwords should not be displayed in any form.
.........................................................................................................
134. Which of the following functions should be performed by the application owners to
ensure an adequate segregation of duties between IS and end users?
A. System analysis
B. Authorization of access to data
C. Application programming
D. Data administration
The correct answer is:
B. Authorization of access to data
Explanation:
The application owner is responsible for authorizing access to data. Application development
and programming are functions of the IS department. Similarly, system analysis should be
performed by qualified persons in IS who have knowledge of IS and user requirements. Data
administration is a specialized function related to database management systems and should be
performed by qualified database administrators.
.........................................................................................................
135. The GREATEST risk when end users have access to a database at its system level,
instead of through the application, is that the users can:
A. make unauthorized changes to the database directly, without an audit trail.
B. make use of a system query language (SQL) to access information.
C. remotely access the database.
D. update data without authentication.
The correct answer is:
A. make unauthorized changes to the database directly, without an audit trail.
Explanation:
Having access to the database could provide access to database utilities, which can update the
database without an audit trail and without using the application. Using SQL only provides read
access to information. In a networked environment, accessing the database remotely does not
make a difference. What is critical is what is possible or completed through this access. To
access a database, it is necessary that a user is authenticated using a user id.
.........................................................................................................
136. Which of the following antispam filtering techniques would BEST prevent a valid,
variable-length e-mail message containing a heavily weighted spam keyword from being
labeled as spam?
A. Heuristic (rule-based)
B. Signature-based
C. Pattern matching
D. Bayesian (statistical)
The correct answer is:
D. Bayesian (statistical)
Explanation:
Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis
on each word within the message and then evaluating the message as a whole. Hence, it can
"ignore" a suspicious keyword, if the entire message is within normal bounds. Heuristic filtering
is less effective, since new "exception" rules may need to be defined when a valid message is
labeled as spam. Signature-based filtering is useless against variable-length messages, because
the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded
rule-based technique, where the rules operate at the word level, using wildcards, and not at
higher levels.
.........................................................................................................
137. An IS auditor examining a biometric user authentication system establishes the
existence of a control weakness that would allow an unauthorized individual to update the
centralized database on the server that is used to store biometric templates. Of the
following, which is the BEST control against this risk?
A. Kerberos
B. Vitality detection
C. Multimodal biometrics
D. Before-image/after-image logging
The correct answer is:
A. Kerberos
Explanation:
Kerberos is a network authentication protocol for client-server applications that can be used to
restrict access to the database to authorized users. Choices B and C are not correct because
vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks.
Before-image/after-image logging of database transactions is a detective control, as opposed to
Kerberos, which is a preventative control.
.........................................................................................................
138. Which of the following components is responsible for the collection of data in an
intrusion detection system (IDS)?
A. Analyzer
B. Administration console
C. User interface
D. Sensor
The correct answer is:
D. Sensor
Explanation:
Sensors are responsible for collecting data. Analyzers receive input from sensors and determine
intrusive activity. An administration console and a user interface are components of an IDS.
.........................................................................................................
139. The risk of gaining unauthorized access through social engineering can BEST be
addressed by:
A. security awareness programs.
B. asymmetric encryption.
C. intrusion detection systems.
D. a demilitarized zone.
The correct answer is:
A. security awareness programs.
Explanation:
The human factor is the weakest link in the information security chain. Social engineering is the
human side of breaking into an enterprise's network. It relies on interpersonal relations and
deception. Organizations with technical security countermeasures, such as an authentication
process, encryption, intrusion detection systems or firewalls, may still be vulnerable if an
employee gives away confidential information. The best means of defense for social engineering
is an ongoing security awareness program wherein all employees are educated about the dangers
of social engineering.
.........................................................................................................
140. While copying files from a floppy disk, a user introduced a virus into the network.
Which of the following would MOST effectively detect the existence of the virus?
A. A scan of all floppy disks before use
B. A virus monitor on the network file server
C. Scheduled daily scans of all network drives
D. A virus monitor on the user's personal computer
The correct answer is:
C. Scheduled daily scans of all network drives
Explanation:
Scheduled daily scans of all network drives will detect the presence of a virus after the infection
has occurred. All of the other choices are controls designed to prevent a computer virus from
infecting the system.
.........................................................................................................
141. The creation of an electronic signature:
A. encrypts the message.
B. verifies from where the message came.
C. cannot be compromised when using a private key.
D. cannot be used with e-mail systems.
The correct answer is:
B. verifies from where the message came.
Explanation:
The creation of an electronic signature does not in itself encrypt the message or secure it from
compromise. It only verifies the message's origination.
.........................................................................................................
142. The IS auditor learns that when equipment was brought into the data center by a
vendor, the emergency power shutoff switch was accidentally pressed and the UPS was
engaged. Which of the following audit recommendations should the IS auditor suggest?
A. Relocate the shutoff switch.
B. Install protective covers.
C. Escort visitors.
D. Log environmental failures.
The correct answer is:
B. Install protective covers.
Explanation:
A protective cover over the switch would allow it to be accessible and visible, but would prevent
accidental activation. Relocating the shutoff switch would defeat the purpose of having it readily
accessible. Escorting the personnel who move the equipment may not have prevented this
incident, and logging of environmental failures would provide management with a report of
incidents, but reporting alone would not prevent a reoccurrence.
.........................................................................................................
143. Which of the following provides the framework for designing and developing logical
access controls?
A. Information systems security policy
B. Access control lists
C. Password management
D. System configuration files
The correct answer is:
A. Information systems security policy
Explanation:
The information systems security policy developed and approved by the top management in an
organization is the basis upon which logical access control is designed and developed. Access
control lists, password management and systems configuration files are tools for implementing
the access controls.
.........................................................................................................
144. Which of the following provides nonrepudiation services for e-commerce transactions?
A. Public key infrastructure (PKI)
B. Data Encryption Standard (DES)
C. Message authentication code (MAC)
D. Personal identification number (PIN)
The correct answer is:
A. Public key infrastructure (PKI)
Explanation:
PKI is the administrative infrastructure for digital certificates and encryption key pairs. The
qualities of an acceptable digital signature are: it is unique to the person using it, it is capable of
verification, it is under the sole control of the person using it, and it is linked to data in such a
manner that if data are changed, the digital signature is invalidated. PKI meets these tests. The
Data Encryption Standard (DES) is the most common private key cryptographic system. DES
does not address nonrepudiation. A MAC is a cryptographic value calculated by passing an
entire message through a cipher system. The sender attaches the MAC before transmission and
the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not
equal, this indicates that the message has been altered during transmission. It has nothing to do
with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that,
in conjunction with some other means of identification, serves to verify the authenticity of the
individual.
.........................................................................................................
145. The BEST overall quantitative measure of the performance of biometric control
devices is:
A. false-rejection rate.
B. false-acceptance rate.
C. equal-error rate.
D. estimated-error rate.
The correct answer is:
C. equal-error rate.
Explanation:
A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false-acceptance
rate. EER, expressed as a percentage, is a measure of the number of times that the
false-rejection and false-acceptance rates are equal. A low EER is the measure of the more
effective biometrics control device. Low false-rejection rates or low false-acceptance rates alone
do not measure the efficiency of the device. Estimated-error rate is nonexistent and hence
irrelevant.
.........................................................................................................
146. Active radio frequency ID (RFID) tags are subject to which of the following
exposures?
A. Session hijacking
B. Eavesdropping
C. Malicious code
D. Phishing
The correct answer is:
B. Eavesdropping
Explanation:
Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not
subject to session hijacking, malicious code or phishing.
.........................................................................................................
147. Which of the following is an example of the defense-in-depth security principle?
A. Using two firewalls of different vendors to consecutively check the incoming network
traffic
B. Using a firewall as well as logical access controls on the hosts to control incoming
network traffic
C. Having no physical signs on the outside of a computer center building
D. Using two firewalls in parallel to check different types of incoming traffic
The correct answer is:
B. Using a firewall as well as logical access controls on the hosts to control incoming
network traffic
Explanation:
Defense-in-depth means using different security mechanisms that back up each other. When
network traffic passes the firewall unintentionally, the logical access controls form a second line
of defense. Using two firewalls of different vendors to consecutively check the incoming
network traffic is an example of diversity in defense. The firewalls are the same security
mechanisms. By using two different products the probability of both products having the same
vulnerabilities is diminished. Having no physical signs on the outside of a computer center
building is a single security measure. Using two firewalls in parallel to check different types of
incoming traffic is a single security mechanism and therefore no different than having a single
firewall checking all traffic.
.........................................................................................................
148. Which of the following exposures could be caused by a line grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction
The correct answer is:
A. Unauthorized data access
Explanation:
Line grabbing will enable eavesdropping, thus allowing unauthorized data access. It will not
necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.
.........................................................................................................
149. When performing an audit of access rights, an IS auditor should be suspicious of
which of the following if allocated to a computer operator?
A. Read access to data
B. Delete access to transaction data files
C. Logged read/execute access to programs
D. Update access to job control language/script files
The correct answer is:
B. Delete access to transaction data files
Explanation:
Deletion of transaction data files should be a function of the application support team, not
operations staff. Read access to production data is a normal requirement of a computer operator,
as is logged access to programs and access to JCL to control job execution.
.........................................................................................................
150. A certificate authority (CA) can delegate the processes of:
A. revocation and suspension of a subscriber's certificate.
B. generation and distribution of the CA public key.
C. establishing a link between the requesting entity and its public key.
D. issuing and distributing subscriber certificates.
The correct answer is:
C. establishing a link between the requesting entity and its public key.
Explanation:
Establishing a link between the requesting entity and its public key is a function of a registration
authority. This may or may not be performed by a CA; therefore, this function can be delegated.
Revocation and suspension and issuance and distribution of the subscriber certificate are
functions of the subscriber certificate life cycle management, which the CA must perform.
Generation and distribution of the CA public key is a part of the CA key life cycle management
process and, as such, cannot be delegated.
.........................................................................................................
151. Use of asymmetric encryption in an Internet e-commerce site, where there is one
private key for the hosting server and the public key is widely distributed to the customers,
is MOST likely to provide comfort to the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.
The correct answer is:
A. customer over the authenticity of the hosting organization.
Explanation:
Any false site will not be able to encrypt using the private key of the real site, so the customer
would not be able to decrypt the message using the public key. Many customers have access to
the same public key so the host cannot use this mechanism to ensure the authenticity of the
customer. The customer cannot be assured of the confidentiality of messages from the host as
many people have access to the public key and can decrypt the messages from the host. The host
cannot be assured of the confidentiality of messages sent out, as many people have access to the
public key and can decrypt it.
.........................................................................................................
152. Which of the following is a feature of an intrusion detection system (IDS)?
A. Gathering evidence on attack attempts
B. Identifying weaknesses in the policy definition
C. Blocking access to particular sites on the Internet
D. Preventing certain users from accessing specific servers
The correct answer is:
A. Gathering evidence on attack attempts
Explanation:
An IDS can gather evidence on intrusive activity such as an attack or penetration attempt.
Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are
features of firewalls, and choice B requires a manual review and, therefore, is outside the
functionality of an IDS.
.........................................................................................................
153. Which of the following is a distinctive feature of the Secure Electronic Transactions
(SET) protocol when used for electronic credit card payments?
A. The buyer is assured that neither the merchant nor any other party can misuse his/her
credit card data.
B. All personal SET certificates are stored securely in the buyer's computer.
C. The buyer is liable for any transaction involving his/her personal SET certificates.
D. The payment process is simplified, as the buyer is not required to enter a credit card
number and an expiration date.
The correct answer is:
C. The buyer is liable for any transaction involving his/her personal SET certificates.
Explanation:
The usual agreement between the credit card issuer and the cardholder stipulates that the
cardholder assumes responsibility for any use of his/her personal SET certificates for e-commerce
transactions. Depending upon the agreement between the merchant and the buyer's
credit card issuer, the merchant will have access to the credit card number and expiration date.
Secure data storage in the buyer's computer (local computer security) is not part of the SET
standard. Although the buyer is not required to enter his/her credit card data, he/she will have to
handle the wallet software.
.........................................................................................................
154. An Internet-based attack using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing agreements.
The correct answer is:
C. be used to gain access to systems containing proprietary information.
Explanation:
Password sniffing attacks can be used to gain access to systems on which proprietary information
is stored. Spoofing attacks can be used to enable one party to act as if they are another party.
Data modification attacks can be used to modify the contents of certain transactions. Repudiation
of transactions can cause major problems with billing systems and transaction processing
agreements.
.........................................................................................................
155. Which of the following is the MOST important action in recovering from a
cyberattack?
A. Creation of an incident response team
B. Use of cyberforensic investigators
C. Execution of a business continuity plan
D. Filing an insurance claim
The correct answer is:
C. Execution of a business continuity plan
Explanation:
The most important key step in recovering from cyberattacks is the execution of a business
continuity plan to quickly and cost-effectively recover critical systems, processes and data. The
incident response team should exist prior to a cyberattack. When a cyberattack is suspected,
cyberforensics investigators should be used to set up alarms, catch intruders within the network,
and track and trace them over the Internet. After taking the above steps, an organization may
have a residual risk that needs to be insured and claimed for traditional and electronic exposures.
.........................................................................................................
156. An IS auditor inspected a windowless room containing phone switching and
networking equipment and documentation binders. The room was equipped with two
handheld fire extinguishers—one filled with CO2, the other filled with halon. Which of the
following should be given the HIGHEST priority in the auditor's report?
A. The halon extinguisher should be removed because halon has a negative impact on the
atmospheric ozone layer.
B. Both fire suppression systems present a risk of suffocation when used in a closed room.
C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing
fires involving solid combustibles (paper).
D. The documentation binders should be removed from the equipment room to reduce
potential risks.
The correct answer is:
B. Both fire suppression systems present a risk of suffocation when used in a closed room.
Explanation:
Protecting people's lives should always be of highest priority in fire suppression activities. CO2
and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal
hazards. In many countries installing or refilling halon fire suppression systems is not allowed.
Although CO2 and halon are effective and appropriate for fires involving synthetic combustibles
and electrical equipment, they are nearly totally ineffective on solid combustibles (wood and
paper). Although not of highest priority, removal of the documentation would probably reduce
some of the risks.
.........................................................................................................
157. With the help of the security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
The correct answer is:
A. data owners.
Explanation:
Data owners are responsible for the use of data. Written authorization for users to gain access to
computerized information should be provided by the data owners. Security administration, with
the owner's approval, sets up access rules stipulating which users or group of users are authorized
to access data or files and the level of authorized access (e.g., read or update).
.........................................................................................................
158. Which of the following is the MOST secure and economical method for connecting a
private network over the Internet in a small- to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network
The correct answer is:
A. Virtual private network
Explanation:
The most secure method is a virtual private network (VPN), using encryption, authentication and
tunneling to allow data to travel securely from a private network to the Internet. Choices B, C
and D are network connectivity options that are normally too expensive to be practical for small- to
medium-sized organizations.
.........................................................................................................
159. Which of the following results in a denial-of-service attack?
A. Brute-force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement (NAK) attack
The correct answer is:
B. Ping of death
Explanation:
The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a
denial of service. A brute-force attack is typically a text attack that exhausts all possible key
combinations. A leapfrog attack, the act of telnetting through one or more hosts to preclude a
trace, makes use of user id and password information obtained illicitly from one host to
compromise another host. A negative acknowledgement attack is a penetration technique that
capitalizes on a potential weakness in an operating system that does not handle asynchronous
interrupts properly, leaving the system in an unprotected state during such interrupts.
.........................................................................................................
160. Which of the following is an advantage of elliptic curve encryption over RSA
encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
The correct answer is:
A. Computation speed
Explanation:
The main advantage of elliptic curve encryption over RSA encryption is its computation speed.
This method was developed by Diffie and Martin E. Hellman, who were the first to conceive of
the concept of public key encryption. Both encryption methods support digital signatures, are
used for public key encryption and distribution, and are of similar strength.
.........................................................................................................
161. In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is
advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity.
B. data origin authentication.
C. antireplay service.
D. confidentiality.
The correct answer is:
D. confidentiality.
Explanation:
Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality
via encryption.
.........................................................................................................
162. The security level of a private key system depends on the number of:
A. encryption key bits.
B. messages sent.
C. keys.
D. channels used.
The correct answer is:
A. encryption key bits.
Explanation:
The security level of a private key system depends on the number of encryption key bits. The
larger the number of bits, the more difficult it would be to understand or determine the algorithm.
The security of the message will depend on the encryption key bits used. More than the number of
keys by themselves, the algorithm and its complexity make the content more secure. Channels, which
could be open or secure, are the mode for sending the message.
.........................................................................................................
163. Which of the following intrusion detection systems (IDSs) will MOST likely generate
false alarms resulting from normal network activity?
A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based
The correct answer is:
A. Statistical-based
Explanation:
A statistical-based IDS relies on a definition of known and expected behavior of systems. Since
normal network activity may include, at times, unexpected behavior (e.g., a sudden massive
download by multiple users), these activities will be flagged as suspicious. A signature-based
IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network
combines the previous two IDSs to create a hybrid and better system. Host-based is another
classification of an IDS. Any of the three IDSs above may be host- or network-based.
.........................................................................................................
164. Which of the following can consume valuable network bandwidth?
A. Trojan horses
B. Trapdoors
C. Worms
D. Vaccines
The correct answer is:
C. Worms
Explanation:
Worms are destructive programs that may destroy data or utilize tremendous computer and
communication resources. Trojan horses can capture and transmit private information to the
attacker's computer. Trapdoors are exits out of an authorized program. Vaccines are programs
designed to detect computer viruses.
.........................................................................................................
165. An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.
D. false-acceptance rate.
The correct answer is:
D. false-acceptance rate.
Explanation:
For a biometric solution three main accuracy measures are used: false-rejection rate (FRR),
cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid
individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is
a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are
performance measures.
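The three accuracy measures named above, worked through on constructed matcher scores (this is an added illustration, not part of the original question bank; the score lists and the 0-100 threshold range are assumptions):

```python
"""Added example (not part of the original question bank): FAR, FRR and CER
of a biometric matcher computed from constructed similarity scores."""

# Constructed sample data: matcher scores (0-100) for genuine users and for impostors.
GENUINE_SCORES = [92, 88, 75, 81, 67, 95, 59, 84, 90, 72]
IMPOSTOR_SCORES = [20, 35, 48, 62, 30, 55, 41, 68, 25, 50]


def far(impostor_scores, threshold):
    """False-acceptance rate: fraction of impostors scoring at or above the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False-rejection rate: fraction of genuine users scoring below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def crossover_error_rate(genuine_scores, impostor_scores):
    """Sweep every threshold and return (threshold, error_rate) at the point where
    FAR and FRR are closest to equal; that error rate is the CER."""
    best = None
    for t in range(0, 101):
        gap = abs(far(impostor_scores, t) - frr(genuine_scores, t))
        if best is None or gap < best[0]:
            best = (gap, t)
    t = best[1]
    return t, (far(impostor_scores, t) + frr(genuine_scores, t)) / 2


def error_table(genuine_scores, impostor_scores, thresholds):
    """Rows of (threshold, FAR, FRR): raising the threshold lowers FAR but raises FRR."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]
```

The table makes the trade-off visible: a high threshold keeps impostors out (low FAR) at the price of rejecting more legitimate users (high FRR), and the CER is the single figure usually quoted to compare devices.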
.........................................................................................................
166. Which of the following is the BEST way to handle obsolete magnetic tapes before
disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes
The correct answer is:
C. Degaussing the tapes
Explanation:
The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low
residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing
the tapes may cause magnetic errors but would not remove the data completely. Initializing the
tape labels would not remove the data that follows the label.
.........................................................................................................
167. What is a risk associated with attempting to control physical access to sensitive areas,
such as computer rooms, using card keys or locks?
A. Unauthorized individuals wait for controlled doors to open and walk in behind those
authorized.
B. The contingency plan for the organization cannot effectively test controlled access
practices.
C. Access cards, keys and pads can be easily duplicated allowing easy compromise of the
control.
D. Removing access for those who are no longer authorized is complex.
The correct answer is:
A. Unauthorized individuals wait for controlled doors to open and walk in behind those
authorized.
Explanation:
The concept of piggybacking compromises all the physical controls established. Choice B would be
of minimal concern in a disaster recovery environment. The items in choice C are not easily
duplicated. Regarding choice D, while technology is constantly changing, card keys have existed
for some time and appear to be a viable option for the foreseeable future.
.........................................................................................................
168. Which of the following would an IS auditor consider a weakness when performing an
audit of an organization that uses a public key infrastructure with digital certificates for its
business-to-consumer transactions via the Internet?
A. Customers are widely dispersed geographically, but the certificate authorities are not.
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processing subcenters to administer
certificates.
D. The organization is the owner of the certificate authority.
The correct answer is:
D. The organization is the owner of the certificate authority.
Explanation:
If the certificate authority belongs to the same organization, this would generate a conflict of
interest. That is, if a customer wanted to repudiate a transaction, he/she could allege that, because
of the shared interests, an unlawful agreement (or bribery) exists between the parties generating the
certificates. The other options are not weaknesses.
.........................................................................................................
169. An IS auditor reviewing digital rights management (DRM) applications should expect
to find an extensive use for which of the following technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
The correct answer is:
D. Steganography
Explanation:
Steganography is a technique for concealing the existence of messages or information. An
increasingly important steganographical technique is digital watermarking, which hides data
within data, e.g., by encoding rights information in a picture or music file without altering the
picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital
rights management. Hashing creates a message hash or digest, which is used to ensure the
integrity of the message; it is usually considered a part of cryptography. Parsing is the process of
splitting up a continuous stream of characters for analytical purposes, and it is widely applied in
the design of programming languages or in data entry editing.
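The watermarking idea described above, as an added illustration that is not part of the question bank: rights text is written into the least-significant bit of each image sample, so no sample moves by more than one level and the picture looks unchanged. The gradient "image", the rights notice and the one-byte length prefix are constructed for the example.

```python
"""Added example (not from the question bank): hiding rights information in the
least-significant bits of image samples, the digital-watermarking idea in Q169."""


def embed_watermark(pixels, payload):
    """Write the payload (one length byte, then the bytes) into the LSB of each 8-bit
    sample. Each sample changes by at most 1, which the eye does not perceive."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length prefix")
    data = bytes([len(payload)]) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for payload")
    marked = list(pixels)
    for idx, bit in enumerate(bits):
        marked[idx] = (marked[idx] & 0xFE) | bit
    return marked


def extract_watermark(pixels):
    """Read the LSBs back: the first byte is the length, the rest is the payload."""
    def read_byte(start):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start + i] & 1)
        return value
    length = read_byte(0)
    return bytes(read_byte(8 + 8 * k) for k in range(length))


def max_sample_change(original, marked):
    """Largest per-sample difference: the perceptual cost of the watermark."""
    return max(abs(a - b) for a, b in zip(original, marked))


# Constructed 32x32 8-bit grayscale gradient standing in for a real picture.
IMAGE = [(x * 7 + y * 3) % 256 for y in range(32) for x in range(32)]
RIGHTS = b"(c) 2016 Example Corp; licence #0001"  # constructed rights notice
```

Production DRM watermarks spread the mark across frequency coefficients so it survives resizing and recompression; plain LSB embedding, shown here for clarity, is lost on the first lossy re-encode.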
.........................................................................................................
170. Which of the following cryptography options would increase overhead/cost?
A. The encryption is symmetric rather than asymmetric.
B. A long asymmetric encryption key is used.
C. The hash is encrypted rather than the message.
D. A secret key is used.
The correct answer is:
B. A long asymmetric encryption key is used.
Explanation:
Computer processing time is increased for longer asymmetric encryption keys, and the increase
may be disproportionate. For example, one benchmark showed that doubling the length of an
RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An
asymmetric algorithm requires more processing time than symmetric algorithms. A hash is
shorter than the original message; hence, a smaller overhead is required if the hash is encrypted
rather than the message. A secret key, used as a symmetric encryption key, is generally small
and is used for encrypting user data.
.........................................................................................................
171. To determine who has been given permission to use a particular system resource, the
IS auditor should review:
A. Activity lists
B. Access control lists
C. Logon ID lists
D. Password lists
The correct answer is:
B. Access control lists
Explanation:
Access control lists are the authorization tables that document the users who have been given
permission to use a particular system resource and the types of access they have been granted.
The other choices would not document who has been given permission to use (access) specific
system resources.
.........................................................................................................
172. When using public key encryption to secure data being transmitted across a network:
A. both the key used to encrypt and decrypt the data are public.
B. the key used to encrypt is private, but the key used to decrypt the data is public.
C. the key used to encrypt is public, but the key used to decrypt the data is private.
D. both the key used to encrypt and decrypt the data are private.
The correct answer is:
C. the key used to encrypt is public, but the key used to decrypt the data is private.
Explanation:
Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt
the message and a private key to decrypt it.
.........................................................................................................
173. When reviewing an intrusion detection system (IDS), an IS auditor should be MOST
concerned about which of the following?
A. Number of nonthreatening events identified as threatening
B. Attacks not being identified by the system
C. Reports/logs being produced by an automated tool
D. Legitimate traffic being blocked by the system
The correct answer is:
B. Attacks not being identified by the system
Explanation:
Attacks not being identified by the system present a higher risk, because they are unknown and
no action will be taken to address the attack. Although the number of false-positives is a serious
issue, the problem will be known and can be corrected. Often IDS reports are first analyzed by
an automated tool to eliminate known false-positives, which generally is not a problem. An
IDS does not block any traffic.
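The two IDS questions above (163 and 173) in one worked example that is not part of the original question bank: a statistical detector learns "expected behaviour" as the mean and standard deviation of bytes per minute, then raises a false alarm on a legitimate bulk download while staying silent on a low-volume scan. The baseline, the observation window and the ground-truth label are constructed.

```python
"""Added example (not the question bank's own code): a minimal statistical IDS over
constructed per-minute traffic counters, showing the false alarm described in Q163
and the missed attack that Q173 rates as the greater concern."""
import statistics

# Constructed baseline: bytes transferred per minute during ordinary activity.
BASELINE_BYTES_PER_MIN = [1200, 1350, 1100, 1275, 1420, 1180, 1300, 1250, 1390, 1210]

# Constructed observation window: (minute, bytes, what actually happened).
OBSERVED = [
    (1, 1290, "normal browsing"),
    (2, 48000, "legitimate bulk download by several users"),
    (3, 1310, "normal browsing"),
    (4, 1330, "low-and-slow port scan buried in ordinary volume"),
]
HOSTILE_MINUTES = {4}  # constructed ground truth for the window above


def build_profile(samples):
    """Learn 'expected behaviour' as the mean and standard deviation of bytes per minute."""
    return statistics.mean(samples), statistics.stdev(samples)


def is_anomalous(value, profile, z_limit=3.0):
    """Flag a minute whose volume is more than z_limit standard deviations from the mean."""
    mean, sd = profile
    return abs(value - mean) / sd > z_limit


def flagged_minutes(observed, profile):
    """Minutes the statistical detector raises an alert for."""
    return [minute for minute, value, _ in observed if is_anomalous(value, profile)]


def outcome(observed, profile, hostile):
    """Split alerts into false positives (benign but flagged) and misses (hostile but silent)."""
    flagged = set(flagged_minutes(observed, profile))
    false_positives = sorted(flagged - hostile)
    missed = sorted(hostile - flagged)
    return false_positives, missed
```

The false positive in minute 2 is visible in the alert queue and can be tuned away; the miss in minute 4 produces no record at all, which is why an auditor weighs undetected attacks more heavily than noisy alerts.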
.........................................................................................................
174. Which of the following is a concern when data are transmitted through Secure Sockets
Layer (SSL) encryption, implemented on a trading partner's server?
A. The organization does not have control over encryption.
B. Messages are subjected to wire tapping.
C. Data might not reach the intended recipient.
D. The communication may not be secure.
The correct answer is:
A. The organization does not have control over encryption.
Explanation:
The SSL security protocol provides data encryption, server authentication, message integrity and
optional client authentication. Because SSL is built into all major browsers and web servers,
simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the data while
they are being transmitted over the Internet. The encryption is done in the background, without any
interaction from the user; consequently, there is no password to remember either. The other
choices are incorrect. Since the communication between client and server is encrypted, the
confidentiality of information is not affected by wire tapping. Since SSL performs client
authentication, only the intended recipient will receive the decrypted data. All data sent over an
encrypted SSL connection are protected with a mechanism to detect tampering, i.e., one that
automatically determines whether data have been altered in transit.
.........................................................................................................
175. The reliability of an application system's audit trail may be questionable if:
A. user IDs are recorded in the audit trail.
B. the security administrator has read-only rights to the audit file.
C. date and time stamps are recorded when an action occurs.
D. users can amend audit trail records when correcting system errors.
The correct answer is:
D. users can amend audit trail records when correcting system errors.
Explanation:
An audit trail is not effective if the details in it can be amended.
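One way to make amendments detectable, as an added example that is not part of the question bank: each audit record carries an HMAC over the previous record's digest and its own content, so changing or deleting any entry breaks every later link. The chain key, the three sample events and the invoice numbers are constructed for the illustration.

```python
"""Added example (not the question bank's own code): an append-only, hash-chained
audit trail whose verification fails as soon as any record is amended (Q175)."""
import hashlib
import hmac
import json

# Constructed key; in practice it is held by the logging service, never by end users.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # digest "before" the first record


def _link(prev_digest_hex, record):
    """HMAC over (previous digest || canonical record): each entry depends on all earlier ones."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, bytes.fromhex(prev_digest_hex) + body, hashlib.sha256).hexdigest()


def append_record(trail, user_id, action, timestamp):
    """Append an entry carrying user ID, action, time stamp and its chain digest."""
    prev = trail[-1]["digest"] if trail else GENESIS
    record = {"user": user_id, "action": action, "ts": timestamp}
    trail.append({**record, "digest": _link(prev, record)})
    return trail


def verify_trail(trail):
    """Return -1 if every digest checks out, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "digest"}
        if not hmac.compare_digest(_link(prev, record), entry["digest"]):
            return i
        prev = entry["digest"]
    return -1


def sample_trail():
    """Constructed trail of three events."""
    trail = []
    append_record(trail, "u100", "POST_INVOICE 4711", "2016-03-02T10:00:00Z")
    append_record(trail, "u100", "VOID_INVOICE 4711", "2016-03-02T10:05:00Z")
    append_record(trail, "u207", "LOGIN", "2016-03-02T10:06:00Z")
    return trail


def amended_trail():
    """A user 'corrects' the void entry after the fact; verification now stops at index 1."""
    trail = sample_trail()
    trail[1]["action"] = "VIEW_INVOICE 4711"
    return trail
```

The chain only proves tampering if the key and the head digest are kept outside the reach of the users who write the records; with read-only access for everyone else (the situation in choice B) the trail stays reliable.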
.........................................................................................................
176. A malicious code that changes itself with each file it infects is called a:
A. logic bomb.
B. stealth virus.
C. Trojan horse.
D. polymorphic virus.
The correct answer is:
D. polymorphic virus.
Explanation:
A polymorphic virus has the capability of changing its own code, enabling it to have many
different variants. Since they have no consistent binary pattern, such viruses are hard to identify.
A logic bomb is code that is hidden in a program or system which will cause something to
happen when the user performs a certain action or when certain conditions are met. A logic
bomb, which can be downloaded along with a corrupted shareware or freeware program, may
destroy data, violate system security or erase the hard drive. A stealth virus is a virus that hides
itself by intercepting disk access requests. When an antivirus program tries to read files or boot
sectors to find the virus, the stealth virus feeds the antivirus program a clean image of the file or
boot sector. A Trojan horse is a virus program that appears to be useful and harmless but which
has harmful side effects such as destroying data or breaking the security of the system on which
it is run.
.........................................................................................................
177. An organization has a mix of access points that cannot be upgraded to stronger
security and newer access points having advanced wireless security. The IS auditor
recommends replacing the nonupgradeable access points. Which of the following would
BEST justify the IS auditor's recommendation?
A. The new access points with stronger security are affordable.
B. The old access points are poorer in terms of performance.
C. The organization's security would be as strong as its weakest points.
D. The new access points are easier to manage.
The correct answer is:
C. The organization's security would be as strong as its weakest points.
Explanation:
The old access points should be discarded and replaced with products having strong security;
otherwise, they will leave security holes open for attackers and thus make the entire network as
weak as they are. Affordability is not the auditor's major concern. Performance is not as
important as security in this situation. Product manageability is not the IS auditor's concern.
.........................................................................................................
178. Who is principally responsible for periodically reviewing users' access to systems?
A. Computer operators
B. Security administrators
C. Data owners
D. IS auditors
The correct answer is:
C. Data owners
Explanation:
The data owners, who are responsible for the use and reporting of information under their
control, should provide written authorization for users to gain access to that information. The
data owner should periodically review and evaluate authorized (granted) access to ensure these
authorizations are still valid.
.........................................................................................................
179. In the ISO/OSI model, which of the following protocols is the FIRST to establish
security for the user application?
A. Session layer
B. Transport layer
C. Network layer
D. Presentation layer
The correct answer is:
A. Session layer
Explanation:
The session layer provides functions that allow two applications to communicate across the
network. The functions include security, recognition of names, logons and so on. The session
layer is the first layer where security is established for user applications. The transport layer
provides transparent transfer of data between end points. The network layer controls the packet
routing and switching within the network, as well as to any other network. The presentation layer
provides common communication services, such as encryption, text compression and
reformatting.
.........................................................................................................

4 comments:

  1. Good Day Hemang Doshi,

    Thanks for your sharing. Do you have more videos (CISA Exam Tutorial)? Please share your link with me.
    my email : leducanccr@gmail.com

    Regards
    Thank you so much.
    LDA

  2. It's interesting that many of the bloggers helped clarify a few things for me as well as giving. Most of the ideas can be nice content. The people to give them a good shake to get your point and across the command.
    eSignature
