Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 111

  1. As described in the security policy, the CSO implemented an e-mail package that ensures the integrity of messages sent using S/MIME. Which of the options below BEST describes how the environment is implemented to suit the policy's requirement?

    • Implementing PGP and allowing for recipient to receive the private key used to sign e-mail message.
    • Implementing RSA standard for messages envelope and instructing users to sign all messages using their private key from their PKI digital certificate.
    • Implementing RSA standard for messages envelope and instructing users to sign all messages using their public key from their PKI digital certificate.
    • Implementing MIME solutions and providing a footer within each message sent, referencing to policy constraints related to e-mail usage.

    Explanation:

    The RSA e-mail standard refers to the S/MIME envelope. By signing messages with their own private key, users allow recipients to verify message integrity: the recipient decrypts the signature with the sender's public key to recover the hash and compares it with a hash computed over the received content.

    Exam candidates should be aware of e-mail solutions and technologies that address confidentiality, integrity and non-repudiation.

    The following answers are incorrect:

    Implementing PGP and allowing for recipient to receive the private key used to sign e-mail message.

    Implementing RSA standard for messages envelope and instructing users to sign all messages using their public key from the PKI digital certificate.

    Implementing MIME solutions and providing a footer within each message sent, referencing to policy constraints related to e-mail usage.

    Reference:
    CISA Review Manual 2010 – Chapter 5 – 5.4.5-Encryption – Digital Envelope
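
As an added illustration (not part of the original question set), the following Python script models the signing flow the explanation describes with textbook RSA: the sender signs a hash with the private exponent, the recipient recovers the hash with the public exponent and compares it with a fresh hash of the received content, and any change to the message breaks the comparison. The key pair is constructed here from two Mersenne primes so the arithmetic stays readable; it is far too small for real use, and real S/MIME relies on X.509 certificates with 2048-bit or larger keys and PKCS#1 padding, which this toy omits.

```python
import hashlib

# Constructed demo key pair (labelled as such): two Mersenne primes chosen so the
# arithmetic is readable.  Real S/MIME certificates carry 2048-bit or larger RSA
# keys and use PKCS#1 padding; this toy omits padding entirely.
P = 2**31 - 1                  # 2147483647, prime
Q = 2**61 - 1                  # 2305843009213693951, prime
N = P * Q                      # public modulus (published in the certificate)
E = 65537                      # public exponent (published in the certificate)
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent, held only by the sender (Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 the message and reduce it below the modulus so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Sender side: the hash is transformed with the PRIVATE key.  Only the holder
    of D can produce a value that the public exponent maps back to the hash."""
    return pow(digest_int(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Recipient side: recover the hash with the sender's PUBLIC key and compare
    it with a hash computed over the content actually received."""
    recovered = pow(signature, public_exp, N)
    return recovered == digest_int(message)


def integrity_check(original: bytes, received: bytes) -> str:
    """Audit-style helper: sign what was sent, verify against what arrived."""
    signature = sign(original)
    return "INTEGRITY OK" if verify(received, signature) else "TAMPERED"


if __name__ == "__main__":
    msg = b"Approve payment of invoice 1042"
    print(integrity_check(msg, msg))                                  # INTEGRITY OK
    print(integrity_check(msg, b"Approve payment of invoice 1043"))   # TAMPERED
```

The option that has users sign with their public key inverts the roles: a value computed with the public exponent can be reproduced by anyone who holds the certificate, so it proves neither origin nor integrity. Only the private-key operation, checked with the public key as `verify` does, gives the recipient evidence that the content is what the sender signed.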

  2. How often should a Business Continuity Plan be reviewed?

    • At least once a month
    • At least every six months
    • At least once a year
    • At least Quarterly
    Explanation:

    As stated in SP 800-34 Rev. 1:

    To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. During the Operation/Maintenance phase of the SDLC, information systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies.

    As a general rule, the plan should be reviewed for accuracy and completeness at an organization-defined frequency (at least once a year for the purpose of the exam) or whenever significant changes occur to any element of the plan. Certain elements, such as contact lists, will require more frequent reviews.

    Remember, there could be two good answers as specified above. Either once a year or whenever significant changes occur to the plan. You will of course get only one of the two presented within your exam.

    Reference:
    NIST SP 800-34 Revision 1

  3. Which of the following attacks involves slicing small amounts of money from a computerized transaction or account?

    • Eavesdropping
    • Traffic Analysis
    • Salami
    • Masquerading
    Explanation:

    Salami slicing or Salami attack refers to a series of many small actions, often performed by clandestine means, that as an accumulated whole produces a much larger action or result that would be difficult or unlawful to perform all at once. The term is typically used pejoratively. Although salami slicing is often used to carry out illegal activities, it is only a strategy for gaining an advantage over time by accumulating it in small increments, so it can be used in perfectly legal ways as well.

    An example of salami slicing, also known as penny shaving, is the fraudulent practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding to the nearest cent (or other monetary unit) in financial transactions. It would be done by always rounding down, and putting the fractions of a cent into another account. The idea is to make the change small enough that any single transaction will go undetected.

    In information security, a salami attack is a series of minor attacks that together result in a larger attack. Computers are ideally suited to automating this type of attack.

    The following answers are incorrect:

    Eavesdropping – is the act of secretly listening to the private conversation of others without their consent, as defined by Black’s Law Dictionary. This is commonly thought to be unethical and there is an old adage that “eavesdroppers seldom hear anything good of themselves…eavesdroppers always try to listen to matters that concern them.”

    Traffic analysis – is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.

    Masquerading – A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process. The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they’ve managed to attain. As such, masquerade attackers can have a full smorgasbord of cybercrime opportunities if they’ve gained the highest access authority to a business organization. Personal attacks, although less common, can also be harmful.

    Reference:

    http://searchfinancialsecurity.techtarget.com/definition/eavesdropping
    http://en.wikipedia.org/wiki/Salami_slicing
    http://en.wikipedia.org/wiki/Eavesdropping
    http://en.wikipedia.org/wiki/Traffic_analysis
    http://www.techopedia.com/definition/4020/masquerade-attack

  4. Which of the following attacks best describes “Computer is the target of a crime” and “Computer is the tool of a crime”?

    • Denial of Service (DoS) and Installing Key loggers
    • War Driving and War Chalking
    • Piggybacking and Race Condition
    • Traffic analysis and Eavesdropping
    Explanation:

    In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. (See botnet) DoS (Denial of Service) attacks are sent by one person or system.
    Keystroke logging, often referred to as key logging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. It also has very legitimate uses in studies of human-computer interaction. There are numerous key logging methods, ranging from hardware and software-based approaches to acoustic analysis.

    There are four types of computer crimes:

    1. Computer is the target of a crime – The perpetrator uses another computer to launch an attack. In this attack the target is a specific, identified computer. Ex. Denial of Service (DoS), hacking

    2. Computer is the subject of a crime – The perpetrator uses a computer to commit the crime and the target is another computer. In this attack the target may or may not be defined; the perpetrator launches the attack with no specific target in mind. Ex. Distributed DoS, malware

    3. Computer is the tool of a crime – The perpetrator uses a computer to commit the crime but the target is not a computer. The target is the data or information stored on a computer. Ex. Fraud, unauthorized access, phishing, installing a key logger

    4. Computer symbolizes crime – The perpetrator lures the user of a computer into giving up confidential information. The target is the user of the computer. Ex. Social engineering methods like phishing, fake websites, scam mails, etc.

    The following answers are incorrect:

    Eavesdropping – is the act of secretly listening to the private conversation of others without their consent, as defined by Black’s Law Dictionary. This is commonly thought to be unethical and there is an old adage that “eavesdroppers seldom hear anything good of themselves…eavesdroppers always try to listen to matters that concern them.”

    Traffic analysis – is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.

    Masquerading – A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process. The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network. The amount of access masquerade attackers get depends on the level of authorization they’ve managed to attain. As such, masquerade attackers can have a full smorgasbord of cybercrime opportunities if they’ve gained the highest access authority to a business organization. Personal attacks, although less common, can also be harmful.

    Reference:

    CISA review Manual 2014. Page number 321

    http://en.wikipedia.org/wiki/Denial-of-service_attack
    http://en.wikipedia.org/wiki/Eavesdropping
    http://en.wikipedia.org/wiki/Traffic_analysis
    http://www.techopedia.com/definition/4020/masquerade-attack

  5. Which of the following is NOT a disadvantage of Single Sign On (SSO)?

    • Support for all major operating system environments is difficult
    • The cost associated with SSO development can be significant
    • SSO could be a single point of failure and total compromise of an organization's assets
    • SSO improves an administrator's ability to manage users' accounts and authorization to all associated systems
    Explanation:

    Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.

    SSO advantages include:
    Multiple passwords are no longer required
    It improves an administrator's ability to manage users' accounts and authorization to all associated systems
    It reduces the administrative overhead of resetting forgotten passwords over multiple platforms and applications
    It reduces the time taken by users to log on to multiple applications and platforms

    SSO disadvantages include:
    Support for all major operating systems is difficult
    The cost associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
    The centralized nature of SSO presents the possibility of a single point of failure and total compromise of an organization's information assets.

    Reference:
    CISA review manual 2014 Page number 332

  6. An IS auditor is reviewing the remote access methods a company uses to access its systems remotely. Which of the following is the LEAST preferred remote access method from a security and control point of view?

    • RADIUS
    • TACACS
    • DIAL-UP
    • DIAMETER
    Explanation:

    Dial-up connectivity is not based on centralized control and is the least preferred method from a security and control standpoint.

    Remote access users can connect remotely to their organization's networks with the same level of functionality as if they were accessing them from within their office.

    In connecting to an organization's network, a common method is to use dial-up lines. Access is granted through the organization's network access server (NAS) working in concert with the organization's network firewall and router. The NAS handles user authentication, access control and accounting while maintaining connectivity. The most common protocols for doing this are Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS).

    Remote access controls include:

    Policy and standard
    Proper authorization
    Identification and authentication mechanism
    Encryption tool and technique such as use of VPN
    System and network management

    Reference:
    CISA Review Manual 2014 Page number 334

  7. There are many types of audit log analysis tools available in the market. Which of the following audit log analysis tools will look for anomalies in user or system behavior?

    • Attack Signature detection tool
    • Variance detection tool
    • Audit Reduction tool
    • Heuristic detection tool
    Explanation:

    Trend/variance detection tools are used to look for anomalies in user or system behavior. For example, if a user typically logs in at 9:00 am but one day suddenly accesses the system at 4:30 am, this may indicate a security problem that needs to be investigated.

    Other types of audit trail analysis tools should also be known for your CISA exam.

    The following were incorrect answers:

    Audit reduction tool – These are preprocessors designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tools can remove many audit records known to have little security significance.

    Attack-signature detection tool – These look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example would be repeated failed logon attempts.

    Heuristic detection tool – Heuristic analysis is an expert-based analysis that determines the susceptibility of a system to a particular threat/risk using various decision rules or weighing methods. Multi-criteria analysis (MCA) is one of the means of weighing. This method differs from statistical analysis, which bases itself on the available data/statistics.

    Reference:

    CISA review manual 2014 Page number 336
    and
    http://en.wikipedia.org/wiki/Heuristic_analysis
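
As an added example that is not part of the original page, this Python script implements the variance check the explanation describes: it learns each user's usual login hour from a training window of the audit trail and flags later logins that fall far outside it. The log lines are constructed for the example, and the cutoff date, the 3-sigma threshold and the half-hour minimum deviation are choices made here, not values from the CISA manual.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit trail, "timestamp,user,event" (not real log data).
# Alice logs in around 09:00 each day and Bob in the early afternoon; the
# 04:30 Alice login on 11-08 is the situation the explanation uses as its example.
SAMPLE_LOG = """\
2021-11-01T09:02:11,alice,LOGIN
2021-11-02T08:58:40,alice,LOGIN
2021-11-03T09:05:02,alice,LOGIN
2021-11-04T09:01:30,alice,LOGIN
2021-11-05T08:59:55,alice,LOGIN
2021-11-01T13:10:00,bob,LOGIN
2021-11-02T12:45:00,bob,LOGIN
2021-11-03T14:20:00,bob,LOGIN
2021-11-04T13:55:00,bob,LOGIN
2021-11-05T14:00:00,bob,LOGIN
2021-11-08T04:30:12,alice,LOGIN
2021-11-08T13:30:00,bob,LOGIN
2021-11-08T13:31:00,bob,LOGOUT
"""


def parse_events(text):
    """Turn the CSV-style audit trail into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(",")
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def hour_of_day(ts):
    """Login time as a decimal hour, e.g. 09:30 -> 9.5 (seconds ignored)."""
    return ts.hour + ts.minute / 60


def build_baseline(events, min_samples=3):
    """Per-user mean and standard deviation of login hour over the training window.
    Users with fewer than min_samples logins get no baseline rather than a poor one."""
    hours = defaultdict(list)
    for ts, user, event in events:
        if event == "LOGIN":
            hours[user].append(hour_of_day(ts))
    return {u: (mean(h), pstdev(h)) for u, h in hours.items() if len(h) >= min_samples}


def flag_variances(events, baseline, threshold=3.0, sigma_floor=0.5):
    """Flag logins more than `threshold` standard deviations from the user's usual
    hour.  `sigma_floor` (hours) stops a very regular user from being flagged for
    a few minutes' difference.  Returns (user, timestamp, z-score) tuples."""
    flagged = []
    for ts, user, event in events:
        if event != "LOGIN" or user not in baseline:
            continue
        mu, sigma = baseline[user]
        z = abs(hour_of_day(ts) - mu) / max(sigma, sigma_floor)
        if z > threshold:
            flagged.append((user, ts.isoformat(), round(z, 1)))
    return flagged


def detect_anomalous_logins(log_text, cutoff="2021-11-06"):
    """Train on events before `cutoff`, then review everything from the cutoff on."""
    events = parse_events(log_text)
    boundary = datetime.fromisoformat(cutoff)
    training = [e for e in events if e[0] < boundary]
    review = [e for e in events if e[0] >= boundary]
    return flag_variances(review, build_baseline(training))


if __name__ == "__main__":
    for user, when, z in detect_anomalous_logins(SAMPLE_LOG):
        print(f"VARIANCE {user} logged in at {when} ({z} sigma from usual hour)")
```

Training and review windows are kept separate so the anomalous login cannot inflate its own baseline; an audit reduction tool, by contrast, would simply drop routine LOGOUT records like the last line before a reviewer ever looked at them.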

  8. As an IS auditor, it is very important to make sure all storage media are well protected. Which of the following is the LEAST important factor for protecting CDs and DVDs?

    • Handle by edges or by the hole in the middle
    • Store in anti-static bag
    • Avoid long term exposure to bright light
    • Store in a hard jewel case, not in soft sleeves
    Explanation:

    CDs and DVDs are least affected by static electricity, so it is not as important to store them in anti-static bags.

    CDs and DVDs Storage protection recommendations:

    Handle by the edges or by the hole in the middle
    Be careful not to bend the CD or DVD
    Avoid long-term exposure to bright light
    Store in a hard jewel case, not in soft sleeves

    Also, you should know the media storage precautions listed below in preparation for the CISA exam:

    USB and portable hard drive

    Avoid high temperature, humidity extremes and strong magnetic field

    Tape Cartridges
    Store Cartridges vertically
    Store cartridges in a protective container for transport

    Write-protect cartridges immediately

    Hard Drive
    Store hard drives in anti-static bags, and be sure that the person removing them from the bag is static-free
    If the original box and padding for the hard drive are available, use them for shipping
    If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it

    Reference:

    CISA review manual 2014. Page number 338

  9. As an auditor, it is very important to ensure that confidentiality, integrity, authenticity and availability are implemented appropriately in an information system. Which of the following definitions incorrectly describes these parameters?

    1. Authenticity – A third party must be able to verify that the content of a message has been sent by a specific entity and nobody else.

    2. Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party. A person cannot deny having sent a message if the message is signed by the originator.

    3. Accountability – The action of an entity must be uniquely traceable to different entities
    4. Availability – The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.

    • All of the options presented
    • None of the options presented
    • Options number 1 and 2
    • Option number 3
    Explanation:

    It is important to read the question carefully. The word “incorrectly” was the key word: you had to find which one of the definitions presented is incorrect. The definition of Accountability was NOT properly described. Below you have the proper definition.

    The correct definitions are as follows:

    Authenticity – A third party must be able to verify that the content of a message is from a specific entity and nobody else.

    Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party. A person cannot deny having sent a message if the message is signed by the originator.

    Accountability – The action of an entity must be uniquely traceable to that entity

    Network availability – The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.

    Reference:

    CISA review manual 2014 Page number 34

  10. Which of the following statements correctly describes the difference between a packet filtering firewall and a stateful inspection firewall?

    • Packet filtering firewalls do not maintain client sessions, whereas stateful firewalls maintain client sessions.
    • Packet filtering firewalls and stateful firewalls both maintain client sessions.
    • A packet filtering firewall is a second generation firewall, whereas a stateful firewall is a first generation firewall.
    • Packet filtering firewalls and stateful firewalls do not maintain any client sessions.
    Explanation:

    Packet Filtering Firewall

    Also known as a first generation firewall
    Does not maintain client sessions
    The advantages of this type of firewall are simplicity and generally stable performance, since the filtering rules are applied at the network layer.
    Its simplicity is also a disadvantage, because it is vulnerable to attacks from improperly configured filters and attacks tunneled over permitted services.
    Some of the more common attacks on packet filtering are IP spoofing, source routing specification and miniature fragment attacks.

    Stateful Inspection Firewall

    A stateful inspection firewall keeps track of the destination IP address of each packet that leaves the organization's internal network.
    The session tracking is done by mapping the source IP address of each incoming packet against the list of destination IP addresses that is maintained and updated
    This approach prevents any attack initiated and originated by an outsider.
    The disadvantage is that a stateful inspection firewall can be relatively complex to administer compared to other firewalls.

    The following were incorrect answers:

    All other choices presented were incorrect answers because none of them correctly describes the difference between the two firewall types.

    Reference:
    CISA review manual 2014 Page number 345 and 346
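
To make the distinction concrete, here is an added Python model (not from the page or the CISA manual) of the two firewall types processing the same constructed packet sequence. The stateless filter has to carry a standing rule to let replies back in, while the stateful filter admits an inbound packet only when it matches an outbound session it recorded. The model tracks the full source/destination address and port tuple, which generalizes the explanation's description of tracking destination IP addresses; the addresses are documentation ranges chosen for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    sport: int      # source port
    dst: str        # destination address
    dport: int      # destination port
    direction: str  # "out" = internal host to Internet, "in" = Internet to internal host


class StatelessFilter:
    """First generation packet filter: every packet is judged on its own header.
    Because no session is remembered, replies to outbound web requests can only
    be admitted by a standing rule keyed on the server-side port."""

    def __init__(self, reply_ports=(80, 443)):
        self.reply_ports = set(reply_ports)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return pkt.sport in self.reply_ports   # solicited or not


class StatefulFilter:
    """Stateful inspection: an outbound packet records a session; an inbound
    packet is admitted only when it is the mirror image of a recorded session."""

    def __init__(self):
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed traffic sample (documentation address ranges, not real hosts).
TRAFFIC = [
    ("client request",         Packet("10.0.0.7", 51000, "198.51.100.10", 443, "out")),
    ("server reply",           Packet("198.51.100.10", 443, "10.0.0.7", 51000, "in")),
    ("unsolicited, port 443",  Packet("203.0.113.5", 443, "10.0.0.7", 52000, "in")),
    ("unsolicited, port 4444", Packet("203.0.113.5", 4444, "10.0.0.7", 22, "in")),
]


def compare(traffic):
    """Run the same packet sequence through both filters, in order, and report
    (label, stateless_decision, stateful_decision) for each packet."""
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return [(label, stateless.allow(p), stateful.allow(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, a, b in compare(TRAFFIC):
        sl = "ALLOW" if a else "DENY"
        sf = "ALLOW" if b else "DENY"
        print(f"{label:24} stateless={sl:5} stateful={sf}")
```

The third packet is the point of the question: it carries nothing that a per-packet rule can object to, so the stateless filter passes it, whereas the stateful filter denies it because no internal host ever opened a session to that address and port.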

  11. There are many firewall implementations provided by firewall manufacturers. Which of the following implementations utilizes two packet filtering routers and a bastion host? This approach creates the most secure firewall system since it supports network and application level security while defining a separate DMZ.

    • Dual Homed firewall
    • Screened subnet firewall
    • Screened host firewall
    • Anomaly based firewall
    Explanation:

    In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.
    A screened subnet firewall is often used to establish a demilitarized zone (DMZ).

    Below are a few examples of firewall implementations:

    Screened host firewall

    Utilizing a packet filtering router and a bastion host, this approach implements basic network layer security and application server security.
    An intruder in this configuration has to penetrate two separate systems before the security of the private network can be compromised
    This firewall system is configured with the bastion host connected to the private network and a packet filtering router between the Internet and the bastion host

    Dual-homed firewall

    A firewall system that has two or more network interfaces, each of which is connected to a different network
    In a firewall configuration, a dual-homed firewall system usually acts to block or filter some or all of the traffic trying to pass between the networks
    A dual-homed firewall system is a more restrictive form of screened-host firewall system

    Demilitarized Zone (DMZ) or screened-subnet firewall

    Utilizing two packet filtering routers and a bastion host
    This approach creates the most secure firewall system since it supports network and application level security while defining a separate DMZ network
    Typically, DMZs are configured to limit access from the Internet and the organization's private network.

    The following were incorrect answers:

    The other types of firewall mentioned in the options do not utilize two packet filtering routers and a bastion host.

    Reference:
    CISA review manual 2014 Page number 346

  12. Which of the following types of IDS has self-learning functionality and over a period of time will learn the expected behavior of a system?

    • Signature Based IDS
    • Host Based IDS
    • Neural Network based IDS
    • Statistical based IDS
    Explanation:

    A neural network based IDS monitors the general patterns of activity and traffic on the network and creates a database of normal activities within the system. This is similar to the statistical model but with added self-learning functionality.

    Also, you should know the categories and types of IDS below for the CISA exam:

    An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.

    Broad categories of IDS include:

    Network based IDS
    Host based IDS

    Network Based IDS

    They identify attacks within the monitored network and issue a warning to the operator.
    If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall

    Host Based IDS

    They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
    They can detect the modification of executable programs, detect the deletion of files and issue a warning when an attempt is made to use a privileged account.

    Types of IDS include:

    Signature Based IDS – These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
    Statistical Based IDS – This system needs a comprehensive definition of the known and expected behavior of the system
    Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but with added self-learning functionality

    The following were incorrect answers:

    The other types of IDS mentioned in the options do not monitor general patterns of activity or contain self-learning functionality.

    Reference:

    CISA review manual 2014 Page number 346 and 347

  13. Which of the following types of IDS resides on important systems like databases and critical servers and monitors various internal resources of an operating system?

    • Signature based IDS
    • Host based IDS
    • Network based IDS
    • Statistical based IDS
    Explanation:

    A host based IDS resides on important systems like databases and critical servers and monitors various internal resources of an operating system.

    Also, you should know the categories and types of IDS mentioned below for the CISA exam:

    An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.
    Broad categories of IDS include:

    1. Network Based IDS
    2. Host Based IDS

    Network Based IDS

    They identify attacks within the monitored network and issue a warning to the operator.
    If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall
    Network based IDS are blind when dealing with encrypted traffic

    Host Based IDS

    They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
    They can detect the modification of executable programs, detect the deletion of files and issue a warning when an attempt is made to use a privileged account.
    They can monitor traffic after it is decrypted and they supplement the network based IDS.

    Types of IDS include:

    Statistical Based IDS – This system needs a comprehensive definition of the known and expected behavior of the system

    Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but with added self-learning functionality.

    Signature Based IDS – These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.

    The following were incorrect answers:

    The other types of IDS mentioned in the options do not reside on important systems like databases and critical servers

    Reference:
    CISA review manual 2014 Page number 346 and 347

  14. There are many known weaknesses within an Intrusion Detection System (IDS). Which of the following is NOT a limitation of an IDS?

    • Weakness in the identification and authentication scheme.
    • Application level vulnerability.
    • Backdoor into application
    • Detect zero day attack.
    Explanation:

    Detecting zero-day attacks is an advantage of IDS systems making use of behavior-based or heuristic detection.

    It is important to read the question carefully. The word “NOT” was the key word.

    Intrusion Detection Systems are somewhat limited in scope; they do not address the following:

    Weakness in the policy definition
    Application-level vulnerabilities
    Backdoors within applications
    Weaknesses in identification and authentication schemes

    Also, you should know the information below for your CISA exam:

    An IDS works in conjunction with routers and firewalls by monitoring network usage anomalies.

    Broad categories of IDS include:

    1. Network Based IDS
    2. Host Based IDS

    Network Based IDS
    They identify attacks within the monitored network and issue a warning to the operator.
    If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall
    Network based IDS are blind when dealing with encrypted traffic

    Host Based IDS
    They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
    They can detect the modification of executable programs, detect the deletion of files and issue a warning when an attempt is made to use a privileged account.
    They can monitor traffic after it is decrypted and they supplement the network based IDS.

    Types of IDS include:
    Statistical Based IDS – This system needs a comprehensive definition of the known and expected behavior of the system

    Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but with added self-learning functionality.

    Signature Based IDS – These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.

    The following were incorrect answers:

    The other options mentioned are all limitations of an IDS.

    Reference:

    CISA review manual 2014 Page number 346 and 347

  15. Which of the following is a software application that pretends to be a server on the Internet and is purposely not set up to actively protect against break-ins?

    • Bastion host
    • Honey pot
    • Dual Homed
    • Demilitarize Zone (DMZ)
    Explanation:

    A honey pot is a software application or system that pretends to be a normal server on the Internet and is not set up to actively protect against all break-ins. On purpose, some of the updates, patches, or upgrades are missing.

    You then monitor the honey pot to learn from the offensive side.
    There are two types of honey pot:

    High-interaction honey pots – Essentially give a hacker a real environment to attack. High-interaction honey pots imitate the activities of the production systems that host a variety of services and, therefore, an attacker may be allowed a lot of services to waste his time. According to recent research into high-interaction honey pot technology, by employing virtual machines, multiple honey pots can be hosted on a single physical machine. Therefore, even if the honey pot is compromised, it can be restored more quickly. In general, high-interaction honey pots provide more security by being difficult to detect, but they are highly expensive to maintain. If virtual machines are not available, one honey pot must be maintained for each physical computer, which can be exorbitantly expensive. Example: Honeynet.

    Low-interaction honey pots – Emulate the production environment and therefore provide more limited information. Low-interaction honey pots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: Honeyd.

    The following were incorrect answers:

    Bastion host – On the Internet, a bastion host is the only host computer that a company allows to be addressed directly from the public network and that is designed to screen the rest of its network from security exposure.

    Demilitarized Zone (DMZ) – In computer networks, a DMZ is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network. It prevents outside users from getting direct access to a server that holds company data.

    Dual-homed – Dual-homed or dual-homing can refer either to an Ethernet device that has more than one network interface, for redundancy purposes, or, in firewall technology, to one of the firewall architectures for implementing preventive security. Examples of dual-homed devices are enthusiast motherboards that incorporate two Ethernet network interface cards, or a firewall with two network interface cards, one facing the external network and one facing the internal network.

    Reference:

    CISA review manual 2014 Page number 348

    http://searchsecurity.techtarget.com/definition/bastion-host
    http://searchsecurity.techtarget.com/definition/DMZ
    http://en.wikipedia.org/wiki/Honeypot_%28computing%29
    http://en.wikipedia.org/wiki/Dual-homed

  16. Which of the following type of honey pot essentially gives a hacker a real environment to attack?

    • High-interaction
    • Low-interaction
    • Med-interaction
    • None of the choices
    Explanation:

    High-interaction type of honey pot essentially gives an attacker a real environment to attack.

    Also, you should know below information about honey pot for CISA exam:

    A honey pot is a software application that pretends to be a normal server on the Internet and is purposely not set up to actively protect against break-ins.

    There are two types of honey pot:

    High-interaction honey pots – Essentially give the attacker a real environment to attack. High-interaction honey pots imitate the activities of production systems that host a variety of services and, therefore, an attacker may be offered many services on which to waste time. According to research into high-interaction honey pot technology, by employing virtual machines multiple honey pots can be hosted on a single physical machine, so that even if a honey pot is compromised it can be restored more quickly. In general, high-interaction honey pots provide more security by being difficult to detect, but they are highly expensive to maintain. If virtual machines are not available, one honey pot must be maintained for each physical computer, which can be exorbitantly expensive. Example: Honeynet.

    Low-interaction honey pots – Emulate a production environment only partially and therefore provide more limited information. Low-interaction honey pots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual systems can easily be hosted on one physical system; the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system’s security. Example: Honeyd.

    The following were incorrect answers:

    Med-interaction – Not a real type of honey pot

    Reference:

    CISA review manual 2014 Page number 348
    http://en.wikipedia.org/wiki/Honeypot_%28computing%29
    http://www.ce-infosys.com/english/free_compusec/free_compusec.aspx

  17. An IS auditor needs to consider many factors while evaluating an encryption system. Which of the following is LEAST important factor to be considered while evaluating an encryption system?

    • Encryption algorithm
    • Encryption keys
    • Key length
    • Implementation language
    Explanation:

    Implementation language is the LEAST important of the options listed. The encryption algorithm, the encryption keys and the key length are the key elements of an encryption system; a sound algorithm used with an adequate key length is just as strong in one programming language as in another, provided it is implemented correctly.

    It is important to read carefully the question. The word “LEAST” was the key word. You had to find which one was LEAST important.

    The following were incorrect answers:

    Other options mentioned are key elements of an Encryption system

    Encryption Algorithm – A mathematically based function or calculation that encrypts/decrypts data

    Encryption keys – A piece of information used within the encryption algorithm (calculation) to make the encryption or decryption process unique. Similar to a password, a user needs the correct key to decipher the message from its unreadable (encrypted) form back into readable form.

    Key length – A predetermined length for the key. The longer the key, the more difficult it is to compromise in brute-force attack where all possible key combinations are tried.

    Reference:

    CISA review manual 2014 Page number 348

  18. Which of the following statement correctly describes the difference between symmetric key encryption and asymmetric key encryption?

    • In symmetric key encryption the same key is used for encryption and decryption, whereas asymmetric key encryption uses the private key for both encryption and decryption
    • In symmetric key encryption the public key is used for encryption and the symmetric key for decryption, whereas in asymmetric key encryption the public key is used for encryption and the private key is used for decryption
    • In symmetric key encryption the same key is used for encryption and decryption, whereas in asymmetric key encryption the public key is used for encryption and the private key is used for decryption
    • Both use the private key for encryption, and the decryption process can be done using the public key
    Explanation:

    There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption.)

    Symmetric Encryption
    Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

    A few examples of symmetric key algorithms are DES, AES and Blowfish.

    Asymmetric Encryption
    The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is the usage of asymmetric encryption, in which there are two related keys, usually called a key pair. The public key is made freely available to anyone who might want to send you a message. The second key, called the private key is kept secret, so that only you know it.

    Any message (text, binary file or document) that is encrypted using the public key can only be decrypted with the matching private key. Conversely, anything encrypted with the private key can only be decrypted with the matching public key. Since anyone can obtain the public key, that second direction provides no confidentiality; its value is that it proves the holder of the private key produced the data, which is the basis of digital signatures.

    This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message, which is why in practice the message body is encrypted with a symmetric session key and only that key is protected with asymmetric encryption.

    A few examples of asymmetric key algorithms are RSA, Elliptic Curve Cryptography (ECC), El Gamal and Diffie-Hellman. Strictly speaking, Diffie-Hellman is a key agreement protocol rather than a message encryption algorithm, but it rests on the same public/private key idea and is classified with asymmetric cryptography on the exam.
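    The distinction in the explanation above can be shown in a few dozen lines. The following is an added example written for this page, not code from the CISA Review Manual or the Microsoft article it cites. It uses only the Python standard library, so the RSA is textbook RSA without padding and the symmetric cipher is a SHA-256 counter-mode stream cipher; both are toy constructions that make the key handling visible and must not be used in production. Everything else (key sizes, the hybrid wrapping scheme, the signature helpers) is the author's own choice for illustration.

```python
"""Symmetric vs asymmetric key handling, stdlib only (added example).

Textbook RSA (no OAEP/PSS padding) and a SHA-256 counter-mode stream
cipher are toy constructions, chosen so the example runs without
third-party libraries. They are NOT suitable for real use.
"""
import hashlib
import random
import secrets
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512) -> Tuple[Key, Key]:
    """Return (public_key, private_key). A 512-bit modulus is a toy size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this gives gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (e, p * q), (d, p * q)


def rsa_apply(key: Key, value: int) -> int:
    """value^exponent mod n. The same operation encrypts, decrypts, signs and
    verifies; WHICH key of the pair is used decides the meaning."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher keyed with SHA-256. XOR is its own inverse,
    so one function both encrypts and decrypts with the SAME secret key,
    which is the defining property of symmetric encryption."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def hybrid_encrypt(recipient_public: Key, plaintext: bytes):
    """Bulk data under a fresh symmetric session key; only the small key is
    wrapped with the recipient's PUBLIC key."""
    session_key, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    ciphertext = symmetric_crypt(session_key, nonce, plaintext)
    wrapped_key = rsa_apply(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped_key, nonce, ciphertext


def hybrid_decrypt(recipient_private: Key, wrapped_key: int,
                   nonce: bytes, ciphertext: bytes) -> bytes:
    """Only the matching PRIVATE key can unwrap the session key."""
    session_key = rsa_apply(recipient_private, wrapped_key).to_bytes(16, "big")
    return symmetric_crypt(session_key, nonce, ciphertext)


def sign(private_key: Key, message: bytes) -> int:
    """'Encrypting' the hash with the PRIVATE key yields a signature..."""
    return rsa_apply(private_key, int.from_bytes(hashlib.sha256(message).digest(), "big"))


def verify(public_key: Key, message: bytes, signature: int) -> bool:
    """...which anyone holding the PUBLIC key can check against the hash."""
    return rsa_apply(public_key, signature) == int.from_bytes(hashlib.sha256(message).digest(), "big")


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    wrapped, nonce, ct = hybrid_encrypt(pub, b"quarterly audit findings")
    print(hybrid_decrypt(priv, wrapped, nonce, ct))
    print(verify(pub, b"quarterly audit findings", sign(priv, b"quarterly audit findings")))
```

    Note what `rsa_apply` makes explicit: there is one mathematical operation, and the security meaning comes entirely from which key is supplied. Encrypt with the public key and only the private key recovers the data (confidentiality); apply the private key to a hash and anyone with the public key can confirm who produced it (integrity and non-repudiation). The symmetric function, by contrast, has no such asymmetry at all, which is why its key has to be delivered secretly, here by wrapping it with RSA.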

    The following were incorrect answers:

    The other options don’t describe correctly the difference between symmetric key and asymmetric key encryption.

    Reference:

    CISA review manual 2014 Page number 348 and 349
    http://support.microsoft.com/kb/246071

  19. Which policy helps an auditor to gain a better understanding of biometrics system in an organization?

    • BIMS Policy
    • BOMS Policy
    • BMS Policy
    • BOS Policy
    Explanation:

    The auditor should use the Biometric Information Management and Security (BIMS) policy to gain a better understanding of the biometric system in use.

    Management of Biometrics

    Management of biometrics should address effective security for the collection, distribution and processing of biometrics data encompassing:

    Data integrity, authenticity and non-repudiation
    Management of biometric data across its life cycle – comprising the enrollment, transmission and storage, verification, identification and termination processes
    Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication
    Application of biometric technology for internal and external, as well as logical and physical access control
    Encapsulation of biometric data
    Security of the physical hardware used throughout the biometric data life cycle
    Techniques for integrity and privacy protection of biometric data.

    Management should develop and approve a Biometric Information Management and Security (BIMS) policy. The auditor should use the BIMS policy to gain a better understanding of the biometric system in use. With respect to testing, the auditor should make sure this policy has been developed and that the biometric information system is secured appropriately.

    The identification and authentication procedures for individual enrollment and template creation should be specified in BIMS policy.

    The following were incorrect answers:

    All other choices presented were incorrect answers because they are not valid policies.

    Reference:

    CISA review manual 2014 Page number 331 and 332

  20. Which of the following comparisons are used for identification and authentication in a biometric system?

    • One-to-many for identification and authentication
    • One-to-one for identification and authentication
    • One-to-many for identification and one-to-one for authentication
    • One-to-one for identification and one-to-many for authentication
    Explanation:

    In identification mode the system performs a one-to-many comparison against a biometric database in an attempt to establish the identity of an unknown individual. The system will succeed in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold. Identification mode can be used either for ‘positive recognition’ (so that the user does not have to provide any information about the template to be used) or for ‘negative recognition’ of the person, where the system establishes whether the person is who she (implicitly or explicitly) denies to be.

    In verification (or authentication) mode the system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric database in order to verify the individual is the person they claim to be.

    Management of Biometrics

    Management of biometrics should address effective security for the collection, distribution and processing of biometrics data encompassing:
    Data integrity, authenticity and non-repudiation
    Management of biometric data across its life cycle – comprising the enrollment, transmission and storage, verification, identification and termination processes
    Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication
    Application of biometric technology for internal and external, as well as logical and physical access control
    Encapsulation of biometric data
    Security of the physical hardware used throughout the biometric data life cycle
    Techniques for integrity and privacy protection of biometric data.

    The following were incorrect answers:

    All other choices presented were incorrectly describing identification and authentication mapping.

    Reference:

    CISA review manual 2014 Page number 331
    http://en.wikipedia.org/wiki/Biometrics