Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 112

  1. The goal of an information system is to achieve integrity, authenticity and non-repudiation of information sent across the network. Which of the following statements correctly describes the steps to address all three?

    • Encrypt the message digest using symmetric key and then send the encrypted digest to receiver along with original message.
    • Encrypt the message digest using receiver’s public key and then send the encrypted digest to receiver along with original message. The receiver can decrypt the message digest using his own private key.
    • Encrypt the message digest using sender’s public key and then send the encrypted digest to the receiver along with original message. The receiver can decrypt using his own private key.
    • Encrypt message digest using sender’s private key and then send the encrypted digest to the receiver along with original message. Receiver can decrypt the same using sender’s public key.

    Explanation:

    The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender’s private key is used to encrypt the message digest of the message. Encrypting the message digest is the act of signing the message. The receiver then uses the sender’s matching public key to decrypt the digital signature.

    A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures cannot be forged by someone who does not possess the private key, and they can also be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

    A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real and has not been modified since the day it was issued.

    How Digital Signature Works
    Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

    You copy-and-paste the contract (it’s a short one!) into an e-mail note.
    Using special software, you obtain a message hash (mathematical summary) of the contract.
    You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
    The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

    At the other end, your lawyer receives the message.

    To make sure it’s intact and from you, your lawyer makes a hash of the received message.
    Your lawyer then uses your public key to decrypt the message hash or summary.
    If the hashes match, the received message is valid.

    Below are some common reasons for applying a digital signature to communications:

    Authentication
    Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. The importance of high assurance in the sender authenticity is especially obvious in a financial context. For example, suppose a bank’s branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a serious mistake.

    Integrity
    In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after the signature has been applied invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible for most cryptographic hash functions (see collision resistance).

    Non-repudiation
    Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature.

    Note that authentication, non-repudiation, and other properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an “online” check, e.g. checking a “Certificate Revocation List” or via the “Online Certificate Status Protocol”. This is analogous to a vendor who receives credit-cards first checking online with the credit-card issuer to find if a given card has been reported lost or stolen.

    Tip for the exam
    Digital Signature does not provide confidentiality. It provides only authenticity and integrity. The sender’s private key is used to encrypt the message digest to calculate the digital signature.

    Encryption provides only confidentiality. The receiver’s public key or a symmetric key is used for encryption.

    The following were incorrect answers:

    Encrypt the message digest using symmetric key and then send the encrypted digest to receiver along with original message – Symmetric key encryption does not provide non-repudiation as symmetric key is shared between users

    Encrypt the message digest using receiver’s public key and then send the encrypted digest to receiver along with original message. The receiver can decrypt the message digest using his own private key – Receiver’s public key is known to everyone. This will not address non-repudiation

    Encrypt the message digest using sender’s public key and then send the encrypted digest to the receiver along with original message. The receiver can decrypt using his own private key – The sender’s public key is known to everyone. If the sender’s public key is used for encryption, then the sender’s private key is required to decrypt the data. The receiver will not be able to decrypt the digest, as the receiver will not have the sender’s private key.

    Reference:

    CISA review manual 2014 Page number 331
    http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg
    http://en.wikipedia.org/wiki/Digital_signature
    http://searchsecurity.techtarget.com/definition/digital-signature

  2. Which of the following is an advantage of asymmetric crypto system over symmetric key crypto system?

    • Performance and Speed
    • Key Management is built in
    • Adequate for Bulk encryption
    • Number of keys grows very quickly
    Explanation:

    Key management is better in asymmetric key encryption compared to symmetric key encryption. In fact, there is no key management built into symmetric crypto systems. You must use sneaker net or a trusted courier to exchange the key securely with the person you wish to communicate with.

    Key management is the major issue and challenge in symmetric key encryption.

    In symmetric key encryption, a symmetric key is shared between two users who wish to communicate together. As the number of users grows, the number of keys required also increases very rapidly.

    For example, if a user wants to communicate with 5 different users, the total number of different keys required is 10. The formula for calculating the total number of keys required is n(n-1)/2, or the total number of users times the total number of users minus one, divided by 2.

    Here n is the number of users communicating with each other securely.

    In an asymmetric key encryption, every user will have only two keys, also referred to as a Key Pair.
    Private Key – Only known to the user who initially generated the key pair
    Public key – Known to everyone, can be distributed at large

    The following were incorrect answers:

    Performance – Symmetric key encryption performance is better than asymmetric key encryption
    Bulk encryption – As symmetric key encryption gives better performance, symmetric key should be used for bulk data encryption

    Number of keys grows very quickly – The number of keys under asymmetric encryption grows very nicely: 1000 users would need a total of only 2000 keys, or a private and a public key for each user. Under symmetric encryption, one thousand users would need 495,000 keys to communicate securely with each other.

    Reference:

    CISA review manual 2014 Page number 348

  3. Which key is used by the sender of a message to create a digital signature for the message being sent?

    • Sender’s public key
    • Sender’s private key
    • Receiver’s public key
    • Receiver’s private key
    Explanation:

    The sender’s private key is used to calculate the digital signature.

    The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender’s private key is used to encrypt the message digest (signing) of the message, and the receiver needs to decrypt it using the sender’s public key to validate the signature.

    A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.

    A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real.

    How It Works
    Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.

    You copy-and-paste the contract (it’s a short one!) into an e-mail note.
    Using special software, you obtain a message hash (mathematical summary) of the contract.
    You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
    The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.)

    At the other end, your lawyer receives the message:

    To make sure it’s intact and from you, your lawyer makes a hash of the received message.
    Your lawyer then uses your public key to decrypt the message hash or summary.
    If the hashes match, the received message is valid.

    Below are some common reasons for applying a digital signature to communications:

    Authentication
    Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. When ownership of a digital signature secret key is bound to a specific user, a valid signature shows that the message was sent by that user. The importance of high confidence in sender authenticity is especially obvious in a financial context. For example, suppose a bank’s branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a grave mistake.

    Integrity
    In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it. (Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after signature invalidates the signature. Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions (see collision resistance).

    Non-repudiation
    Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures. By this property, an entity that has signed some information cannot at a later time deny having signed it. Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature.

    Note that these authentication, non-repudiation and related properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an “online” check, e.g. checking a “Certificate Revocation List” or via the “Online Certificate Status Protocol”. Very roughly this is analogous to a vendor who receives credit-cards first checking online with the credit-card issuer to find if a given card has been reported lost or stolen. Of course, with stolen key pairs, the theft is often discovered only after the secret key’s use, e.g., to sign a bogus certificate for espionage purposes.

    Tip for the exam:

    Digital Signature does not provide confidentiality. The sender’s private key is used for calculating the digital signature.
    Encryption provides only confidentiality. The receiver’s public key or a symmetric key is used for encryption.

    The following were incorrect answers:

    Sender’s Public key – This is incorrect as receiver will require sender’s private key to verify digital signature.
    Receiver’s Public Key – The digital signature provides non-repudiation. The receiver’s public key is known to everyone, so it cannot be used for a digital signature. The receiver’s public key can be used for encryption.
    Receiver’s Private Key – The sender does not know the receiver’s private key. So this option is incorrect.

    Reference:

    CISA review manual 2014 Page number 348
    http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg
    http://en.wikipedia.org/wiki/Digital_signature
    http://searchsecurity.techtarget.com/definition/digital-signature

  4. Which of the following forms of cryptography is based on the practical application of the characteristics of the smallest “grains” of light, the photon, and the physical laws governing their generation, propagation and detection?

    • Quantum Cryptography
    • Elliptical Curve Cryptography (ECC)
    • Symmetric Key Cryptography
    • Asymmetric Key Cryptography
    Explanation:

    Quantum cryptography is based on a practical application of the characteristics of the smallest “grain” of light, photons, and on the physical laws governing their generation, propagation and detection.
    Quantum cryptography is the next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys. Initial commercial usage has already started now that the laboratory research phase has been completed.


    The following were incorrect answers:

    Elliptic Curve Cryptography (ECC) – A variant and more efficient form of public key cryptography (how to get more security out of minimum resources) that is gaining prominence is ECC. ECC works well on networked computers that require strong cryptography but have limitations such as bandwidth and processing power. This is even more important with devices such as smart cards, wireless phones and other mobile devices. It is believed that ECC demands less computational power and, therefore, offers more security per bit. For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1024-bit key.

    Symmetric Encryption- Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

    The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message.

    Asymmetric encryption – There are two related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

    Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

    This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

    Reference:

    CISA review manual 2014 Page number 349 and 350
    http://support.microsoft.com/kb/246071

  5. Which of the following forms of cryptography demands less computational power and offers more security per bit?

    • Quantum cryptography
    • Elliptic Curve Cryptography (ECC)
    • Symmetric Key Cryptography
    • Asymmetric Key Cryptography
    Explanation:

    ECC demands less computational power and, therefore, offers more security per bit. For example, an ECC with a 160-bit key offers the same security as an RSA-based system with a 1024-bit key.

    ECC is a variant and more efficient form of public key cryptography (how to get more security out of minimum resources) that is gaining prominence. ECC works well on networked computers that require strong cryptography but have limitations such as bandwidth and processing power. This is even more important with devices such as smart cards, wireless phones and other mobile devices.

    The following were incorrect answers:

    Quantum Cryptography – Quantum cryptography is based on a practical application of the characteristics of the smallest “grain” of light, photons, and on the physical laws governing their generation, propagation and detection. Quantum cryptography is the next generation of cryptography that may solve some of the existing problems associated with current cryptographic systems, specifically the random generation and secure distribution of symmetric cryptographic keys. Initial commercial usage has already started now that the laboratory research phase has been completed.

    Symmetric Encryption – Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

    Asymmetric Encryption – The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys, a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it. Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key. This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

    Reference:

    CISA review manual 2014 Page number 349 and 350
    http://support.microsoft.com/kb/246071

  6. Which of the following is a form of Hybrid Cryptography where the sender encrypts the bulk of the data using Symmetric Key cryptography and then communicates securely a copy of the session key to the receiver?

    • Digital Envelope
    • Digital Signature
    • Symmetric key encryption
    • Asymmetric
    Explanation:

    A Digital Envelope is used to send encrypted information using symmetric keys, together with the relevant session key. It is a secure method to send electronic documents without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of symmetric keys.

    A Digital envelope mechanism works as follows:

    The symmetric key used to encrypt the bulk of the data or message can be referred to as the session key. It is simply a symmetric key picked randomly from the key space.
    In order for the receiver to be able to decrypt the message, the session key must be sent to the receiver.
    This session key cannot be sent in clear text to the receiver; it must be protected while in transit, else anyone who has access to the network could obtain the key and confidentiality could easily be compromised.
    Therefore, it is critical to encrypt and protect the session key before sending it to the receiver. The session key is encrypted using the receiver’s public key, thus providing confidentiality of the key.
    The encrypted message and the encrypted session key are bundled together and then sent to the receiver who, in turn, opens the session key with the receiver’s matching private key.
    The session key is then applied to the message to recover the plain text.

    The process of encrypting bulk data using symmetric key cryptography and encrypting the session key with a public key algorithm is referred to as a digital envelope. Sometimes people refer to it as Hybrid Cryptography as well.

    The following were incorrect answers:

    Digital-signature – A digital signature is an electronic identification of a person or entity created by using a public key algorithm and intended to verify to the recipient the integrity of the data and the identity of the sender. Applying a digital signature consists of two simple steps: first you create a message digest, then you encrypt the message digest with the sender’s private key. Encrypting the message digest with the private key is the act of signing the message.

    Symmetric Key Encryption – Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

    Asymmetric Key Encryption – The term “asymmetric” stems from the use of different keys to perform these opposite functions, each the inverse of the other – as contrasted with conventional (“symmetric”) cryptography which relies on the same key to perform both. Public-key algorithms are based on mathematical problems which currently admit no efficient solution that are inherent in certain integer factorization, discrete logarithm, and elliptic curve relationships. It is computationally easy for a user to generate their own public and private key-pair and to use them for encryption and decryption. The strength lies in the fact that it is “impossible” (computationally unfeasible) for a properly generated private key to be determined from its corresponding public key. Thus the public key may be published without compromising security, whereas the private key must not be revealed to anyone not authorized to read messages or perform digital signatures. Public key algorithms, unlike symmetric key algorithms, do not require a secure initial exchange of one (or more) secret keys between the parties.

    Reference:

    CISA review manual 2014 Page number 350 and 351
    http://en.wikipedia.org/wiki/Public-key_cryptography

  7. How does the digital envelope work? What are the correct steps to follow?

    • You encrypt the data using a session key and then encrypt session key using private key of a sender
    • You encrypt the data using the session key and then you encrypt the session key using sender’s public key
    • You encrypt the data using the session key and then you encrypt the session key using the receiver’s public key
    • You encrypt the data using the session key and then you encrypt the session key using the receiver’s private key
    Explanation:

    The process of encrypting bulk data using symmetric key cryptography and then encrypting the session key using a public key algorithm is referred to as a digital envelope.

    A Digital Envelope is used to send encrypted information using a symmetric cipher, with the session key sent along with it. It is a secure method to send electronic documents without compromising the data integrity, authentication and non-repudiation, which were obtained with the use of symmetric keys.

    A Digital envelope mechanism works as follows:

    The symmetric key used to encrypt the message can be referred to as the session key. The bulk of the message takes advantage of the high speed provided by the symmetric cipher.
    The session key must then be communicated to the receiver in a secure way to allow the receiver to decrypt the message.
    If the session key is sent to the receiver in plain text, it could be captured in clear text over the network and anyone could access the session key, which would lead to confidentiality being compromised.
    Therefore it is critical to encrypt the session key with the receiver’s public key before sending it to the receiver. The receiver will use their matching private key to decrypt the session key, which then allows them to decrypt the message using the session key.

    The encrypted message and the encrypted session key are sent to the receiver who, in turn, decrypts the session key with the receiver’s private key. The session key is then applied to the message cipher text to get the plain text.

    The following were incorrect answers:

    You encrypt the data using a session key and then encrypt the session key using the private key of the sender – If the session key is encrypted using the sender’s private key, it can be decrypted only using the sender’s public key. The sender’s public key is known to everyone, so anyone can decrypt the session key and the message.

    You encrypt the data using the session key and then you encrypt the session key using the sender’s public key – If the session key is encrypted by using the sender’s public key, then only the sender can decrypt the session key using his/her own private key, and the receiver will not be able to decrypt it.

    You encrypt the data using the session key and then you encrypt the session key using the receiver’s private key – The sender should not have access to the receiver’s private key. This is not a valid option.

    Reference:
    CISA review manual 2014 Page number 350 and 351

  8. Which of the following is NOT a true statement about public key infrastructure (PKI)?

    • The Registration authority role is to validate and issue digital certificates to end users
    • The Certificate authority role is to issue digital certificates to end users
    • The Registration authority (RA) acts as a verifier for Certificate Authority (CA)
    • Root certificate authority’s certificate is always self-signed
    Explanation:

    The word NOT is the keyword used in the question. We need to find out the invalid statement from the options.

    A PKI (public key infrastructure) enables users of a basically unsecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates. Although the components of a PKI are generally understood, a number of different vendor approaches and services are emerging. Meanwhile, an Internet standard for PKI is being worked on.

    The public key infrastructure assumes the use of public key cryptography, which is the most common method on the Internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This secret or private key system has the significant flaw that if the key is discovered or intercepted by someone else, messages can easily be decrypted. For this reason, public key cryptography and the public key infrastructure is the preferred approach on the Internet. (The private key system is sometimes known as symmetric cryptography and the public key system as asymmetric cryptography.)

    A public key infrastructure consists of:

    A certificate authority (CA) that issues and verifies digital certificates. A certificate includes the public key or information about the public key.
    A registration authority (RA) that acts as the verifier for the certificate authority before a digital certificate is issued to a requester.
    A subscriber, the end user who wishes to get a digital certificate from the certificate authority.

    The following were incorrect answers:

    The Certificate authority role is to issue digital certificates to end users – This is a valid statement as the job of a certificate authority is to issue digital certificates to end users.

    The Registration authority (RA) acts as a verifier for Certificate Authority (CA) – This is a valid statement as the registration authority acts as a verifier for the certificate authority.

    Root certificate authority’s certificate is always self-signed – This is a valid statement as the root certificate authority’s certificate is always self-signed.

    Reference:
    http://searchsecurity.techtarget.com/definition/PKI

  9. Which of the following functionalities is NOT supported by the SSL protocol?

    • Confidentiality
    • Integrity
    • Authentication
    • Availability
    Explanation:

    The word NOT is the keyword in this question. You need to find the functionality which is NOT provided by the SSL protocol. The SSL protocol provides:

    Confidentiality
    Integrity
    Authentication, e.g. between client and server
    Non-repudiation

    For the CISA exam you should know the information below about Secure Socket Layer (SSL) and Transport Layer Security (TLS).

    These are cryptographic protocols which provide secure communication on the Internet. There are only slight differences between SSL 3.0 and TLS 1.0; as a general concept both are called SSL.

    SSL is a session/connection layer protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established. SSL provides end point authentication and communication privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. Mutual authentication requires PKI deployment to clients. The protocol allows applications to communicate in a way designed to prevent eavesdropping, tampering and message forging.

    SSL involves a number of basic phases:
    Peer negotiation for algorithm support
    Public-key, encryption-based key exchange and certificate-based authentication
    Symmetric cipher-based traffic encryption

    SSL runs on a layer beneath application protocols such as HTTP, SMTP and Network News Transport Protocol (NNTP) and above the TCP transport protocol, which forms part of the TCP/IP suite.

    SSL uses a hybrid of hashing, private key and public key cryptographic processes to secure transmission over the Internet through a PKI.

    The SSL handshake protocol is based on the application layer but provides for the security of the communication session too. It negotiates the security parameters for each communication session. Multiple connections can belong to one SSL session, and a party participating in one session can take part in multiple simultaneous sessions.

    The following were incorrect answers:
    Confidentiality – It is supported by the SSL Protocol

    Integrity – It is supported by the SSL Protocol
    Authentication – It is supported by the SSL protocol

    Reference:
    CISA review manual 2014 Page number 352

  10. Which of the following statements correctly describes one-way SSL authentication between a client (e.g. browser) and a server (e.g. web server)?

    • Only the server is authenticated while client remains unauthenticated
    • Only the client is authenticated while server remains authenticated
    • Client and server are authenticated
    • Client and server are unauthenticated
    Explanation:

    In one-way authentication only the server needs to be authenticated, whereas in mutual authentication both the client and the server need to be authenticated.

    For the CISA exam you should know the information below about Secure Socket Layer (SSL) and Transport Layer Security (TLS).

    These are cryptographic protocols which provide secure communication on the Internet. There are only slight differences between SSL 3.0 and TLS 1.0; as a general concept both are called SSL.

    SSL is a session/connection layer protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established. SSL provides end point authentication and communication privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. Mutual authentication requires PKI deployment to clients. The protocol allows applications to communicate in a way designed to prevent eavesdropping, tampering and message forging.

    SSL involves a number of basic phases:
    Peer negotiation for algorithm support
    Public-key, encryption-based key exchange and certificate-based authentication
    Symmetric cipher-based traffic encryption

    SSL runs on a layer beneath application protocols such as HTTP, SMTP and Network News Transport Protocol (NNTP) and above the TCP transport protocol, which forms part of the TCP/IP suite.

    SSL uses a hybrid of hashing, private key and public key cryptographic processes to secure transmission over the Internet through a PKI.

    The SSL handshake protocol is based on the application layer but provides for the security of the communication session too. It negotiates the security parameters for each communication session. Multiple connections can belong to one SSL session, and a party participating in one session can take part in multiple simultaneous sessions.

    The following were incorrect answers:

    The other choices presented in the options are not valid, as in one-way authentication only the server needs to be authenticated whereas the client remains unauthenticated.

    Reference:
    CISA review manual 2014 Page number 352
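
    The PKI roles described under question 8 (a self-signed root CA, a subscriber certificate issued by that CA, a relying party verifying the chain) and the one-way versus mutual SSL/TLS authentication described in this question can be exercised end to end with Go's standard library. The following is an added example written for this page; it is not code from the CISA review manual or from any product. The names root-ca.example.test, server.example.test and client.example.test, the 24-hour validity period and the nanosecond-clock serial numbers are constructed for the example. One-way authentication is the default: the client verifies the server certificate against the root and presents nothing of its own. Mutual authentication makes the server demand a client certificate chaining to the same root, and a client without one is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for a constructed name. With parent == nil it is self-signed (issuer ==
// subject), i.e. a root CA certificate; otherwise the parent CA's key signs it, as a CA does for a subscriber.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA issues unique random serials
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// isSelfSigned reports whether the certificate verifies under its own public key.
func isSelfSigned(c *x509.Certificate) bool { return c.CheckSignatureFrom(c) == nil }

// verifyChain is the relying party's check: does the subscriber certificate chain to the trusted root?
func verifyChain(leaf, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// handshake runs one TLS handshake over loopback TCP. With mutual set, the server requires a client
// certificate chaining to root; sendClientCert controls whether the client offers one.
func handshake(root, srvCert, cliCert *x509.Certificate, srvKey, cliKey *ecdsa.PrivateKey, mutual, sendClientCert bool) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}, ClientCAs: pool, SessionTicketsDisabled: true}
	if mutual {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "server.example.test"}
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		check(err)
		defer c.Close()
		srvErr <- tls.Server(c, srvCfg).Handshake()
	}()
	conn, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if cliErr == nil {
		conn.Close()
	}
	if err := <-srvErr; err != nil {
		return err
	}
	return cliErr
}

func main() {
	root, rootKey := newCert("root-ca.example.test", true, nil, nil)
	server, serverKey := newCert("server.example.test", false, root, rootKey)
	client, clientKey := newCert("client.example.test", false, root, rootKey)
	fmt.Println("root self-signed:", isSelfSigned(root), "| server chains to root:", verifyChain(server, root))
	fmt.Println("one-way (server only):", handshake(root, server, client, serverKey, clientKey, false, false))
	fmt.Println("mutual, no client cert:", handshake(root, server, client, serverKey, clientKey, true, false))
	fmt.Println("mutual, client cert:", handshake(root, server, client, serverKey, clientKey, true, true))
}
```

    The loopback listener exists only so that both ends of the handshake run in one process; nothing leaves the machine. A `nil` result is a completed handshake, so the second call's non-nil error is the server refusing a client that did not present a certificate, which is exactly the difference between one-way and mutual authentication.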

  11. Which of the following statements correctly describes the difference between SSL and S/HTTP?

    • Both work at the application layer of the OSI model
    • SSL works at the transport layer whereas S/HTTP works at the application layer of the OSI model
    • Both work at the transport layer
    • S/HTTP works at the transport layer whereas SSL works at the application layer of the OSI model
    Explanation:

    For your exam you should know the information below about the S/HTTP and SSL protocols:

    Secure Hypertext Transfer Protocol (S/HTTP) – As an application layer protocol, S/HTTP transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection. Using the https:// designation in the URL, instead of the standard http://, directs the message to a secure port number rather than the default web port address. This protocol utilizes SSL’s security features but does so per message rather than as a session-oriented protocol.

    Secure Socket Layer (SSL) and Transport Layer Security (TLS) – These are cryptographic protocols which provide secure communication on the Internet. There are only slight differences between SSL 3.0 and TLS 1.0; as a general concept both are called SSL.
    SSL is a session/connection layer protocol widely used on the Internet for communication between browsers and web servers, where any amount of data is securely transmitted while a session is established. SSL provides end point authentication and communication privacy over the Internet using cryptography. In typical use, only the server is authenticated while the client remains unauthenticated. Mutual authentication requires PKI deployment to clients. The protocol allows applications to communicate in a way designed to prevent eavesdropping, tampering and message forging.

    SSL involves a number of basic phases:
    Peer negotiation for algorithm support
    Public-key, encryption-based key exchange and certificate-based authentication
    Symmetric cipher-based traffic encryption

    SSL runs on a layer beneath application protocols such as HTTP, SMTP and Network News Transport Protocol (NNTP) and above the TCP transport protocol, which forms part of the TCP/IP suite.

    SSL uses a hybrid of hashing, private key and public key cryptographic processes to secure transmission over the Internet through a PKI.

    The SSL handshake protocol is based on the application layer but provides for the security of the communication session too. It negotiates the security parameters for each communication session. Multiple connections can belong to one SSL session, and a party participating in one session can take part in multiple simultaneous sessions.

    The following were incorrect answers:

    The other choices presented in the options are not valid, as SSL works at the transport layer whereas S/HTTP works at the application layer of the OSI model.

    Reference:

    CISA review manual 2014 Page number 352

  12. Which of the following is a standard secure email protection protocol?

    • S/MIME
    • SSH
    • SET
    • S/HTTP
    Explanation:

    Secure Multipurpose Internet Mail Extension (S/MIME) is a standard secure email protocol that authenticates the identity of the sender and receiver, verifies message integrity, and ensures the privacy of the message’s contents, including attachments.

    The following were incorrect answers:

    SSH – A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network. SSH is typically implemented between two parties by validating each other’s credentials via digital certificates. SSH is useful in securing Telnet and FTP services, and is implemented at the application layer, as opposed to operating at the network layer (IPSec implementation).

    SET – SET is a protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants. As an open system specification, SET is an application-oriented protocol that uses a trusted third party’s encryption and digital-signature process, via the PKI infrastructure of trusted third party institutions, to address confidentiality of information, integrity of data, cardholder authentication, merchant authentication and interoperability.

    Secure Hypertext Transfer Protocol (S/HTTP) – As an application layer protocol, S/HTTP transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection. Using the https:// designation in the URL, instead of the standard http://, directs the message to a secure port number rather than the default web port address. This protocol utilizes SSL’s security features but does so per message rather than as a session-oriented protocol.

    Reference:
    CISA review manual 2014 Page number 352 and 353

  13. Which of the following statements correctly describes the differences between tunnel mode and transport mode of the IPSec protocol?

    • In transport mode the ESP is encrypted whereas in tunnel mode the ESP and its headers are encrypted
    • In tunnel mode the ESP is encrypted whereas in transport mode the ESP and its headers are encrypted
    • In both modes (tunnel and transport mode) the ESP and its headers are encrypted
    • There is no encryption provided when using ESP or AH
    Explanation:

    ESP can be used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and (limited) traffic flow confidentiality. The set of services provided depends on options selected at the time of Security Association (SA) establishment and on the location of the implementation in a network topology. For your exam you should know the information below about the IPSec protocol:

    The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.

    In transport mode, the data portion of each packet is encrypted. Encryption within IPSec is referred to as the Encapsulation Security Payload (ESP), and it is ESP that provides confidentiality over the process.
    In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.

    In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors and life span of keys, within either the ESP or AH header respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is a unique identifier that enables the sending host to reference the security parameters to apply, as specified, on the receiving host.

    IPSec can be made more secure by using asymmetric encryption through the use of Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key management, use of public keys, and negotiation, establishment, modification and deletion of SAs and attributes. For authentication, the sender uses digital certificates. The connection is made secure by supporting the generation, authentication and distribution of the SAs and the cryptographic keys.

    The following were incorrect answers:

    The other options presented are invalid, as transport mode encrypts the ESP and tunnel mode encrypts the ESP and its headers.

    Reference:
    CISA review manual 2014 Page number 353

  14. Which of the following is the unique identifier within an IPSec packet that enables the sending host to reference the security parameters to apply?

    • SPI
    • SA
    • ESP
    • AH
    Explanation:

    The Security Parameter Index (SPI) is the unique identifier that enables the sending host to reference the security parameters to apply in order to decrypt the packet.

    For your exam you should know the information below about the IPSec protocol:

    The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.

    In transport mode, the data portion of each packet is encrypted. Encryption within IPSec is referred to as the Encapsulation Security Payload (ESP), and it is ESP that provides confidentiality over the process.
    In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.

    In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors and life span of keys, within either the ESP or AH header respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is a unique identifier that enables the sending host to reference the security parameters to apply, as specified, on the receiving host.

    IPSec can be made more secure by using asymmetric encryption through the use of Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key management, use of public keys, and negotiation, establishment, modification and deletion of SAs and attributes. For authentication, the sender uses digital certificates. The connection is made secure by supporting the generation, authentication and distribution of the SAs and the cryptographic keys.

    The following were incorrect answers:

    SA – A Security Association (SA) defines which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors, life span of keys, etc.
    ESP – Encapsulation Security Payload (ESP) is used to support authentication of the sender and encryption of data.
    AH – Authentication Header (AH) allows authentication of the sender of data.

    Reference:
    CISA review manual 2014 Page number 353

  15. Within IPSEC which of the following defines security parameters which should be applied between communicating parties such as encryption algorithms, key initialization vector, life span of keys, etc?

    • Security Parameter Index (SPI)
    • Security Association (SA)
    • Encapsulation Security Payload (ESP)
    • Authentication Header (AH)
    Explanation:

    A Security Association (SA) defines which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors, life span of keys, etc.

    For your exam you should know the information below about the IPSec protocol:

    The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods.

    In transport mode, the data portion of each packet is encrypted. Encryption within IPSec is referred to as the Encapsulation Security Payload (ESP), and it is ESP that provides confidentiality over the process.

    In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied.

    In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors and life span of keys, within either the ESP or AH header respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is a unique identifier that enables the sending host to reference the security parameters to apply, as specified, on the receiving host.

    IPSec can be made more secure by using asymmetric encryption through the use of Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows automated key management, use of public keys, and negotiation, establishment, modification and deletion of SAs and attributes. For authentication, the sender uses digital certificates. The connection is made secure by supporting the generation, authentication and distribution of the SAs and the cryptographic keys.

    The following were incorrect answers:

    Security Parameter Index (SPI) – A Security Parameter Index (SPI) is a unique identifier that enables the sending host to reference the security parameters to apply.

    Encapsulation Security Payload (ESP) – Encapsulation Security Payload (ESP) is used to support authentication of the sender and encryption of data.

    Authentication Header (AH) – Authentication Header allows authentication of the sender of data.

    Reference:

    CISA review manual 2014 Page number 353
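
    The ESP layout, the SA lookup by SPI, the anti-replay check and the transport/tunnel distinction covered by questions 13 to 15 are easier to see in a small working model. Below is an added example written for this page, not code from the CISA review manual or from any IPSec implementation. It uses AES-GCM ESP in the RFC 4106 style (SPI, sequence number, 8-byte IV, ciphertext, 16-byte ICV). The keying material, the SPI 0x1001, the "IP header" byte strings, the addresses and the payload are all constructed, and IKE/ISAKMP negotiation is replaced by both peers building their SA from the same constructed material. The replay check is a single high-water mark rather than the sliding window real implementations keep.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// sa is a simplified Security Association: the negotiated parameters plus per-direction state, indexed by SPI.
type sa struct {
	spi      uint32
	aead     cipher.AEAD
	salt     [4]byte
	seq      uint32 // sender side: last sequence number used; an SA is one-directional, so it never repeats
	lastSeq  uint32 // receiver side: highest sequence number accepted
	lifetime uint32 // packets allowed before rekeying (a constructed lifetime unit)
}

// newSA builds an AES-GCM SA from 20 bytes of keying material, 16-byte key || 4-byte salt (the RFC 4106
// layout). Each peer derives its own SA from the same material, which IKE would normally negotiate.
func newSA(spi uint32, keymat []byte, lifetime uint32) (*sa, error) {
	if len(keymat) != 20 {
		return nil, errors.New("keymat must be a 16-byte key followed by a 4-byte salt")
	}
	block, err := aes.NewCipher(keymat[:16])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &sa{spi: spi, aead: aead, lifetime: lifetime}
	copy(s.salt[:], keymat[16:])
	return s, nil
}

// encap builds one ESP packet: SPI | Seq | IV(8) | ciphertext || ICV. SPI and Seq stay in the clear so the
// receiver can find the SA, but they are authenticated as AAD. The sequence number doubles as the IV.
func (s *sa) encap(plaintext []byte) ([]byte, error) {
	if s.seq >= s.lifetime {
		return nil, errors.New("SA lifetime exhausted: rekey required")
	}
	s.seq++
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:4], s.spi)
	binary.BigEndian.PutUint32(hdr[4:8], s.seq)
	binary.BigEndian.PutUint64(hdr[8:16], uint64(s.seq)) // IV: unique per key because seq never repeats
	nonce := append(s.salt[:], hdr[8:16]...)            // GCM nonce = salt || IV
	return s.aead.Seal(hdr, nonce, plaintext, hdr[:8]), nil
}

// decap is the receiver side: find the SA by SPI, reject replays, verify the ICV, then decrypt.
func decap(sadb map[uint32]*sa, pkt []byte) ([]byte, error) {
	if len(pkt) < 32 { // 8-byte header + 8-byte IV + 16-byte ICV
		return nil, errors.New("truncated ESP packet")
	}
	spi, seq := binary.BigEndian.Uint32(pkt[0:4]), binary.BigEndian.Uint32(pkt[4:8])
	s, ok := sadb[spi]
	if !ok {
		return nil, fmt.Errorf("no SA for SPI 0x%08x", spi)
	}
	if seq <= s.lastSeq {
		return nil, fmt.Errorf("replay: sequence %d already accepted", seq)
	}
	pt, err := s.aead.Open(nil, append(s.salt[:], pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, errors.New("ICV check failed: packet tampered with or wrong key")
	}
	s.lastSeq = seq // advance only after authentication succeeded
	return pt, nil
}

// protect shows what each mode encrypts: transport mode keeps the original IP header in the clear and
// encapsulates only the payload; tunnel mode encrypts the whole inner packet and prefixes a new outer header.
func protect(s *sa, mode string, innerHdr, payload, outerHdr []byte) ([]byte, error) {
	if mode == "transport" {
		esp, err := s.encap(payload)
		return append(append([]byte{}, innerHdr...), esp...), err
	}
	esp, err := s.encap(append(append([]byte{}, innerHdr...), payload...))
	return append(append([]byte{}, outerHdr...), esp...), err
}

// exposes reports whether a header travels in the clear on the wire.
func exposes(wire, hdr []byte) bool { return bytes.Contains(wire, hdr) }

func main() {
	keymat := []byte("0123456789abcdefSALT") // constructed; IKE would negotiate this
	tx, _ := newSA(0x1001, keymat, 1000)
	rx, _ := newSA(0x1001, keymat, 1000)
	sadb := map[uint32]*sa{rx.spi: rx} // the receiver's SA database
	inner, outer, payload := []byte("[IP 10.0.0.1>10.0.0.2]"), []byte("[IP 198.51.100.1>198.51.100.2]"), []byte("GET /payroll")
	for _, mode := range []string{"transport", "tunnel"} {
		wire, _ := protect(tx, mode, inner, payload, outer)
		fmt.Printf("%-9s mode: inner header visible on the wire = %v\n", mode, exposes(wire, inner))
	}
	esp, _ := tx.encap(payload)
	pt, err := decap(sadb, esp)
	_, replayErr := decap(sadb, esp) // the same packet delivered a second time
	fmt.Printf("decap -> %q (err=%v); replay -> %v\n", pt, err, replayErr)
}
```

    The SPI is the only thing the receiver needs to read before it can pick the right SA, which is why it travels unencrypted but authenticated. The lifetime counter is what forces a rekey, matching the "life span of keys" parameter the SA carries.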

  16. Which of the following statements correctly describes the difference between the IPSec and SSH protocols?

    • IPSec works at the transport layer whereas SSH works at the network layer of the OSI model
    • IPSec works at the network layer whereas SSH works at the application layer of the OSI model
    • IPSec works at the network layer and SSH works at the transport layer of the OSI model
    • IPSec works at the transport layer and SSH works at the network layer of the OSI model
    Explanation:

    For the CISA exam you should know the information below about the SSH and IPSec protocols.

    SSH – A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network. SSH is typically implemented between two parties by validating each other’s credentials via digital certificates. SSH is useful in securing Telnet and FTP services, and is implemented at the application layer, as opposed to operating at the network layer (IPSec implementation).

    IPSec – The IP network layer packet security protocol establishes VPNs via transport and tunnel mode encryption methods. For the transport method, the data portion of each packet, referred to as the Encapsulation Security Payload (ESP), is encrypted, achieving confidentiality over a process. In tunnel mode, the ESP payload and its headers are encrypted. To achieve non-repudiation, an additional Authentication Header (AH) is applied. In establishing IPSec sessions in either mode, Security Associations (SAs) are established. SAs define which security parameters should be applied between communicating parties, such as encryption algorithms, key initialization vectors and life span of keys, within either the ESP or AH header respectively. An SA is established when a 32-bit Security Parameter Index (SPI) field is defined within the sending host. The SPI is a unique identifier that enables the sending host to reference the security parameters to apply, as specified, on the receiving host. IPSec can be made more secure by using asymmetric encryption through the use of Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows key management, use of public keys, and negotiation, establishment, modification and deletion of SAs and attributes. For authentication, the sender uses digital certificates. The connection is made secure by supporting the generation, authentication and distribution of the SAs and those of the cryptographic keys.

    The following were incorrect answers:

    The other options presented are invalid, as IPSec works at the network layer whereas SSH works at the application layer of the OSI model.

    Reference:
    CISA review manual 2014 Page number 352 and 353

  17. Which of the following protocols was developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants?

    • S/MIME
    • SSH
    • SET
    • S/HTTP
    Explanation:

    Secure Electronic Transaction (SET) is a protocol developed jointly by VISA and MasterCard to secure payment transactions among all parties involved in credit card transactions on behalf of cardholders and merchants. As an open system specification, SET is an application-oriented protocol that uses a trusted third party’s encryption and digital-signature process, via the PKI infrastructure of trusted third party institutions, to address confidentiality of information, integrity of data, cardholder authentication, merchant authentication and interoperability.

    The following were incorrect answers:

    S/MIME – Secure Multipurpose Internet Mail Extension (S/MIME) is a standard secure email protocol that authenticates the identity of the sender and receiver, verifies message integrity, and ensures the privacy of the message’s contents, including attachments.

    SSH – A client-server program that opens a secure, encrypted command-line shell session from the Internet for remote logon. Similar to a VPN, SSH uses strong cryptography to protect data, including passwords, binary files and administrative commands, transmitted between systems on a network. SSH is typically implemented between two parties by validating each other’s credentials via digital certificates. SSH is useful in securing Telnet and FTP services, and is implemented at the application layer, as opposed to operating at the network layer (IPSec implementation).

    Secure Hypertext Transfer Protocol (S/HTTP) – As an application layer protocol, S/HTTP transmits individual messages or pages securely between a web client and server by establishing an SSL-type connection. Using the https:// designation in the URL, instead of the standard http://, directs the message to a secure port number rather than the default web port address. This protocol utilizes SSL’s security features but does so per message rather than as a session-oriented protocol.

    Reference:
    CISA review manual 2014 Page number 352 and 353

  18. An auditor needs to be aware of technical controls which are used to protect computers from malware. Which of the following technical controls interprets DOS and ROM BIOS calls and looks for malware-like actions?

    • Scanners
    • Active Monitors
    • Immunizer
    • Behavior blocker
    Explanation:

    Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.

    For the CISA exam you should know the different kinds of malware controls listed below.

    A. Scanners – Look for sequences of bits, called signatures, that are typical of malware programs.

    The two primary types of scanner are:

    1. Malware masks or signatures – Anti-malware scanners check files, sectors and system memory for known and new (unknown to the scanner) malware on the basis of malware masks or signatures. Malware masks or signatures are specific code strings that are recognized as belonging to malware. For polymorphic malware, the scanner sometimes has algorithms that check for all possible combinations of a signature that could exist in an infected file.

    2. Heuristic scanner – Analyzes the instructions in the code being scanned and decides on the basis of statistical probabilities whether it could contain malicious code. A heuristic scanning result could indicate that malware may be present, i.e. that the file is possibly infected. Heuristic scanners tend to generate a high level of false positive errors (they indicate that malware may be present when, in fact, no malware is present). Scanners examine memory, the disk boot sector, executables, data files and command files for bit patterns that match known malware. Scanners, therefore, need to be updated periodically to remain effective.

    B. Immunizers – Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical since it is not possible to immunize files against all known malware.

    C. Behavior blockers – Focus on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

    D. Integrity CRC checkers – Compute a binary number on a known malware-free program that is then stored in a database file. The number is called a Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, the checker compares the file to the database and reports possible infection if changes have occurred. A match means no infection; a mismatch means a change in the program has occurred. A change in the program could mean malware within it. These checkers are effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because it assumes files are malware-free in the first place. Therefore, it is ineffective against new files that are malware-infected and that are not recorded in the database. Integrity checkers take advantage of the fact that executable programs and boot sectors do not change often, if at all.

    The following were incorrect answers:

    Scanners – Look for sequences of bits, called signatures, that are typical of malware programs.

    Immunizers – Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior.

    Behavior blockers – Focus on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

    Reference:

    CISA review manual 2014 Page number 354 and 355
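
    The scanner and the integrity CRC checker described above (and repeated under questions 19 and 20) contrast nicely in code. The following is an added example written for this page, not code from the CISA review manual or from any anti-malware product. It models a signature scanner and a CRC integrity checker over a constructed in-memory "disk": the signature database entries, the file names and the file contents are all made up. It shows the two limitations the text calls out: the scanner misses a pattern that is not yet in its database, and the CRC checker can only flag files it baselined while they were clean, so a brand-new infected file is invisible to it.

```go
package main

import (
	"bytes"
	"fmt"
	"hash/crc32"
	"sort"
)

// signatures is a constructed malware mask database: the byte strings a scanner treats as a known
// signature. Real masks are extracted from analysed samples; these are placeholders for the example.
var signatures = map[string][]byte{
	"Example.Dropper.A":  []byte("EXAMPLE-MASK-A:drop-and-run"),
	"Example.Infector.B": []byte("EXAMPLE-MASK-B:append-self"),
}

// scan is the signature scanner: it reports which files contain a known mask and which name matched.
// A pattern not yet in the database (new malware) is missed, which is why the database needs updating.
func scan(files map[string][]byte) map[string]string {
	hits := map[string]string{}
	for name, data := range files {
		for sig, mask := range signatures {
			if bytes.Contains(data, mask) {
				hits[name] = sig
			}
		}
	}
	return hits
}

// baseline records a CRC for every file while it is known to be clean. CRC32 matches the manual's
// description; a modern integrity checker would use a cryptographic hash such as SHA-256 instead,
// since CRCs are not collision-resistant.
func baseline(files map[string][]byte) map[string]uint32 {
	db := make(map[string]uint32, len(files))
	for name, data := range files {
		db[name] = crc32.ChecksumIEEE(data)
	}
	return db
}

// integrityCheck compares current CRCs with the baseline. A mismatch means the program changed since it
// was baselined (possible infection); a file absent from the baseline cannot be judged at all, which is
// the CRC checker's blind spot for brand-new infected files.
func integrityCheck(files map[string][]byte, db map[string]uint32) (changed, unknown []string) {
	for name, data := range files {
		want, ok := db[name]
		switch {
		case !ok:
			unknown = append(unknown, name)
		case crc32.ChecksumIEEE(data) != want:
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	sort.Strings(unknown)
	return changed, unknown
}

func main() {
	// A constructed "disk" of clean programs, baselined by the integrity checker.
	disk := map[string][]byte{
		"calc.exe": []byte("MZ...clean calculator code..."),
		"edit.exe": []byte("MZ...clean editor code..."),
	}
	db := baseline(disk)
	// Later: one program gets a known mask appended, one gets a pattern the scanner has never seen,
	// and a new file that was never baselined appears carrying that same unknown pattern.
	disk["calc.exe"] = append(disk["calc.exe"], signatures["Example.Infector.B"]...)
	disk["edit.exe"] = append(disk["edit.exe"], []byte("NEW-UNKNOWN-PATTERN")...)
	disk["game.exe"] = []byte("MZ...NEW-UNKNOWN-PATTERN...")
	changed, unknown := integrityCheck(disk, db)
	fmt.Println("signature hits:", scan(disk))                          // only calc.exe: the scanner knows that mask
	fmt.Println("CRC mismatch:", changed, "| never baselined:", unknown) // calc.exe and edit.exe; game.exe cannot be judged
}
```

    Run together, the two controls cover each other's gaps only partly: the integrity checker catches the modified edit.exe that the scanner missed, but neither control says anything useful about game.exe, which is where a behavior blocker or an updated signature database would have to step in.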

  19. Which are the two primary types of scanner used for protecting against malware?

    • Malware mask/signatures and Heuristic Scanner
    • Active and passive Scanner
    • Behavioral Blockers and immunizer Scanner
    • None of the above
    Explanation:

    Scanners look for sequences of bits, called signatures, that are typical of malware programs.

    The two primary types of scanner are:

    1. Malware masks or signatures – Anti-malware scanners check files, sectors and system memory for known and new (unknown to the scanner) malware on the basis of malware masks or signatures. Malware masks or signatures are specific code strings that are recognized as belonging to malware. For polymorphic malware, the scanner sometimes has algorithms that check for all possible combinations of a signature that could exist in an infected file.
    2. Heuristic scanner – Analyzes the instructions in the code being scanned and decides on the basis of statistical probabilities whether it could contain malicious code. A heuristic scanning result could indicate that malware may be present, i.e. that the file is possibly infected. Heuristic scanners tend to generate a high level of false positive errors (they indicate that malware may be present when, in fact, no malware is present).
    Scanners examine memory, the disk boot sector, executables, data files and command files for bit patterns that match known malware. Scanners, therefore, need to be updated periodically to remain effective.

    For the CISA exam you should know the different kinds of malware controls listed below.

    A. Active monitors – Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.

    B. Immunizers – Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical since it is not possible to immunize files against all known malware.

    C. Behavior blockers – Focus on detecting potentially abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

    D. Integrity CRC checkers – Compute a binary number on a known malware-free program that is then stored in a database file. The number is called a Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, the checker compares the file to the database and reports possible infection if changes have occurred. A match means no infection; a mismatch means a change in the program has occurred. A change in the program could mean malware within it. These checkers are effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because it assumes files are malware-free in the first place. Therefore, it is ineffective against new files that are malware-infected and that are not recorded in the database. Integrity checkers take advantage of the fact that executable programs and boot sectors do not change often, if at all.

    The following were incorrect answers:

    The other options presented are not valid primary types of scanner.

    Reference:
    CISA review manual 2014 Page number 354 and 355

  20. Which of the following malware control techniques fools malware by appending sections of itself to files, somewhat in the same way that file malware appends itself?

    • Scanners
    • Active Monitors
    • Immunizer
    • Behavior blocker

    Explanation:

    Immunizers defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical, since it is not possible to immunize files against all known malware.

    For your exam you should know the different kinds of malware controls listed below:

    A. Scanners – Look for sequences of bits, called signatures, that are typical of malware programs.
    The two primary types of scanner are:

    1. Malware masks or signatures – Anti-malware scanners check files, sectors and system memory for known and new (unknown to the scanner) malware, on the basis of malware masks or signatures. Malware masks or signatures are specific code strings that are recognized as belonging to malware. For polymorphic malware, the scanner sometimes has algorithms that check for all possible combinations of a signature that could exist in an infected file.
    2. Heuristic scanner – Analyzes the instructions in the code being scanned and decides, on the basis of statistical probabilities, whether it could contain malicious code. A heuristic scanning result could indicate that malware may be present, i.e. that the file is possibly infected. Heuristic scanners tend to generate a high level of false-positive errors (they indicate that malware may be present when, in fact, no malware is present).

    Scanners examine memory, disk boot sectors, executables, data files, and command files for bit patterns that match known malware. Scanners, therefore, need to be updated periodically to remain effective.

    B. Immunizers – Defend against malware by appending sections of themselves to files, sometimes in the same way malware appends itself. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other types of immunizers are focused on a specific malware and work by giving the malware the impression that it has already infected the computer. This method is not always practical, since it is not possible to immunize files against all known malware.

    C. Behavior Blocker – Focuses on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

    D. Integrity CRC checker – Computes a binary number on a known malware-free program that is then stored in a database file. The number is called a Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, the checker compares the file against the database and reports possible infection if changes have occurred. A match means no infection; a mismatch means the program has changed. A change in the program could mean malware within it. These scanners are effective in detecting infection; however, they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because it assumes files are malware free in the first place. Therefore, it is ineffective against new, malware-infected files that are not recorded in the database. Integrity checkers take advantage of the fact that executable programs and boot sectors do not change often, if at all.

    E. Active Monitors – Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.
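    An added example, not from this page or the CISA review manual, of the integrity CRC checker described under item D in questions 19 and 20: a baseline database of CRCs is recorded for files assumed to be malware free, and a later scan reports a mismatch as possible infection, while a file that was never recorded in the database cannot be judged at all (the limitation the text points out). File names and contents below are constructed sample data; the `read_files` helper is only there to feed real files into the same functions.

```python
import zlib
from pathlib import Path


def crc32_of(data: bytes) -> int:
    """The Cyclic Redundancy Check value stored per file in the baseline database.
    CRC32 is a checksum, not a cryptographic hash; modern integrity checkers
    use e.g. SHA-256 because a CRC can be matched deliberately."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_baseline(files: dict) -> dict:
    """Record the CRC of every file assumed to be malware free at baseline time."""
    return {name: crc32_of(data) for name, data in files.items()}


def verify(baseline: dict, files: dict) -> dict:
    """Compare the current files against the baseline database.

    Statuses: 'clean' (CRC matches), 'modified' (mismatch: possible infection),
    'unknown' (file never recorded, so the checker cannot judge it; this is the
    gap for newly introduced infected files) and 'missing' (recorded file gone).
    """
    status = {}
    for name, data in files.items():
        if name not in baseline:
            status[name] = "unknown"
        elif crc32_of(data) == baseline[name]:
            status[name] = "clean"
        else:
            status[name] = "modified"
    for name in baseline:
        if name not in files:
            status[name] = "missing"
    return status


def read_files(root: str) -> dict:
    """Load a real directory tree into the name -> bytes form used above."""
    root_path = Path(root)
    return {str(p.relative_to(root_path)): p.read_bytes()
            for p in root_path.rglob("*") if p.is_file()}


if __name__ == "__main__":
    # Constructed sample files (not real binaries): baseline, then a later scan in
    # which app.exe has been altered and a never-recorded dropper.exe has appeared.
    baseline = build_baseline({"boot.bin": b"clean boot sector", "app.exe": b"MZ original"})
    later = {"boot.bin": b"clean boot sector", "app.exe": b"MZ original\x90\x90",
             "dropper.exe": b"MZ never recorded"}
    for name, state in verify(baseline, later).items():
        print(f"{name}: {state}")
```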

    The following were incorrect answers:

    Scanners – Look for sequences of bits, called signatures, that are typical of malware programs.

    Active Monitors – Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware-like actions. Active monitors can be problematic because they cannot distinguish between a user request and a program or malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.

    Behavior Blocker – Focuses on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware-based anti-malware mechanisms are based on this concept.

    Reference:
    CISA review manual 2014 Page number 354 and 355