Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 155

  1. Which of the following would be considered an essential feature of a network management system?

    • A graphical interface to map the network topology
    • Capacity to interact with the Internet to solve the problems
    • Connectivity to a help desk for advice on difficult issues
    • An export facility for piping data to spreadsheets

    To trace the topology of the network, a graphical interface would be essential. It is not necessary that each network be on the internet and connected to a help desk, while the ability to export to a spreadsheet is not an essential element.

  2. The most likely error to occur when implementing a firewall is:

    • incorrectly configuring the access lists.
    • compromising the passwords due to social engineering.
    • connecting a modem to the computers in the network.
    • inadequately protecting the network and server from virus attacks.
    An updated and flawless access list is a significant challenge and, therefore, has the greatest chance for errors at the time of the initial installation. Passwords do not apply to firewalls, a modem bypasses a firewall and a virus attack is not an element in implementing a firewall.

  3. When reviewing the implementation of a LAN, an IS auditor should FIRST review the:

    • node list.
    • acceptance test report.
    • network diagram.
    • user’s list.
    To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review of the acceptance test report and then the user’s list.

  4. Which of the following would be the MOST secure firewall system?

    • Screened-host firewall
    • Screened-subnet firewall
    • Dual-homed firewall
    • Stateful-inspection firewall
    A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet filtering routers and a bastion host. This provides the most secure firewall system, since it supports both network- and application-level security while defining a separate DMZ network. A screened-host firewall utilizes a packet filtering router and a bastion host. This approach implements basic network layer security (packet filtering) and application server security (proxy services). A dual-homed firewall system is a more restrictive form of a screened-host firewall system, configuring one interface for information servers and another for private network host computers. A stateful-inspection firewall working at the transport layer keeps track of the destination IP address of each packet that leaves the organization’s internal network and allows a reply from the recorded IP addresses.

  5. Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)?

    • Circuit gateway
    • Application gateway
    • Packet filter
    • Screening router
    An application gateway firewall is effective in preventing applications, such as FTP, from entering the organization’s network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization’s network. A packet filter firewall or screening router will allow or prevent access based on IP packets/addresses.

  6. Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?

    • A program that deposits a virus on a client machine
    • Applets recording keystrokes and, therefore, passwords
    • Downloaded code that reads files on a client’s hard drive
    • Applets opening connections from the client machine
    An applet is a program downloaded from a web server to the client, usually through a web browser that provides functionality for database access, interactive web pages and communications with other users. Applets opening connections from the client machine to other machines on the network and damaging those machines, as a denial-of-service attack, pose the greatest threat to an organization and could disrupt business continuity. A program that deposits a virus on a client machine is referred to as a malicious attack (i.e., specifically meant to cause harm to a client machine), but may not necessarily result in a disruption of service. Applets that record keystrokes, and therefore passwords, and downloaded code that reads files on a client’s hard drive relate more to organizational privacy issues, and although significant, are less likely to cause a significant disruption of service.

  7. Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system?

    • Simple Network Management Protocol
    • File Transfer Protocol
    • Simple Mail Transfer Protocol
    • Telnet
    The Simple Network Management Protocol provides a means to monitor and control network devices and to manage configurations and performance. The File Transfer Protocol (FTP) transfers files from a computer on the Internet to the user’s computer and does not have any functionality related to monitoring network devices. Simple Mail Transfer Protocol (SMTP) is a protocol for sending and receiving e-mail messages and does not provide any monitoring or management for network devices. Telnet is a standard terminal emulation protocol used for remote terminal connections, enabling users to log into remote systems and use resources as if they were connected to a local system; it does not provide any monitoring or management of network devices.

  8. Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when:

    • a firewall exists.
    • a secure web connection is used.
    • the source of the executable file is certain.
    • the host web site is part of the organization.
    Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. It is virtually impossible at this time to filter at this level. A secure web connection or firewall is considered an external defense. A firewall will find it more difficult to filter a specific file from a trusted source. A secure web connection provides confidentiality. Neither a secure web connection nor a firewall can identify an executable file as friendly. Hosting the web site as part of the organization is impractical. Enabling the acceptance of Java applets and/or ActiveX controls is an all-or-nothing proposition. The client will accept the program if the parameters are established to do so.

  9. In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability?

    • Appliances
    • Operating system-based
    • Host-based
    • Demilitarized
    The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to its ability to enhance the power of servers. Host-based firewalls operate on top of the server operating system and are scalable. A demilitarized zone is a model of firewall implementation and is not a firewall architecture.

  10. Which of the following types of transmission media provide the BEST security against unauthorized access?

    • Copper wire
    • Twisted pair
    • Fiberoptic cables
    • Coaxial cables
    Fiberoptic cables have proven to be more secure than the other media. Satellite transmission and copper wire can be violated with inexpensive equipment. Coaxial cable can also be violated more easily than other transmission media.

  11. Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization’s security policy?

    • Review the parameter settings.
    • Interview the firewall administrator.
    • Review the actual procedures.
    • Review the device’s log file for recent attacks.
    A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide audit evidence as strong as choice A.

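    The audit procedure in question 11 is a comparison of the device’s actual rule set against what the policy requires. The following script is an added example, not part of the original question set: it parses a constructed, simplified access list (the rule format, the `POLICY` dictionary and the sample rules are all assumptions made for the illustration, not any vendor’s syntax) and reports each rule that deviates from the policy, which is the kind of documented evidence the explanation refers to. It also flags rules that can never match because an earlier “permit any” covers all traffic, a common defect in hand-maintained lists.

```python
"""Compare a firewall rule set against policy requirements (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source address/prefix or "any"
    dst: str      # destination address/prefix or "any"
    port: str     # destination port or "any"


# Constructed sample rule set in a simplified five-field format (assumed, not a real export).
SAMPLE_RULES = """
permit tcp any 10.0.1.0/24 443
permit tcp any 10.0.1.0/24 80
permit tcp 10.0.0.0/8 10.0.2.5 23
permit any any any any
deny any any any any
"""

# Constructed policy requirements, expressed as checks the rule set must satisfy.
POLICY = {
    "default_deny": True,                              # list must end with an explicit deny-all
    "forbid_any_any_permit": True,                     # no rule may permit any->any on any port
    "forbidden_ports": {"23": "telnet", "21": "ftp"},  # cleartext services the policy prohibits
}


def parse_rules(text):
    """Parse one rule per line: action proto src dst port."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def review_rules(rules, policy):
    """Return (rule_number, finding) tuples; an empty list means the set matches policy."""
    findings = []
    for i, r in enumerate(rules, start=1):
        if r.action != "permit":
            continue
        if (policy["forbid_any_any_permit"]
                and (r.src, r.dst, r.port) == ("any", "any", "any")):
            findings.append((i, "permit any->any on any port violates least privilege"))
        if r.port in policy["forbidden_ports"]:
            name = policy["forbidden_ports"][r.port]
            findings.append((i, f"permits {name} (port {r.port}), which policy forbids"))
    if policy["default_deny"]:
        last = rules[-1] if rules else None
        if (last is None or last.action != "deny"
                or (last.src, last.dst, last.port) != ("any", "any", "any")):
            findings.append((len(rules), "rule set does not end with an explicit deny-all"))
    return findings


def shadowed_rules(rules):
    """Rule numbers that can never match because an earlier permit any->any covers everything."""
    for i, r in enumerate(rules, start=1):
        if r.action == "permit" and (r.proto, r.src, r.dst, r.port) == ("any",) * 4:
            return list(range(i + 1, len(rules) + 1))
    return []


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for num, text in review_rules(parsed, POLICY):
        print(f"rule {num}: {text}")
    print("unreachable rules:", shadowed_rules(parsed))
```

    Run against the constructed list, the review reports rule 3 (telnet permitted) and rule 4 (permit any->any), and marks rule 5 as unreachable; the output, together with the exported rule set, is the audit evidence the explanation describes. Interviewing the administrator or reading the attack log, the other choices, would not surface the shadowed deny-all.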
  12. To determine how data are accessed across different platforms in a heterogeneous environment, an IS auditor should FIRST review:

    • business software.
    • infrastructure platform tools.
    • application services.
    • system development tools.
    Projects should identify the complexities of the IT infrastructure that can be simplified or isolated by the development of application services. Application services isolate system developers from the complexities of the IT infrastructure and offer common functionalities that are shared by many applications. Application services take the form of interfaces, middleware, etc. Business software focuses on business processes, whereas application services bridge the gap between applications and the IT infrastructure components. Infrastructure platform tools are related to the core hardware and software components required for development of the IT infrastructure. Systems development tools are the development components of the IT infrastructure.

  13. During the requirements definition phase for a database application, performance is listed as a top priority. To access the DBMS files, which of the following technologies should be recommended for optimal I/O performance?

    • Storage area network (SAN)
    • Network Attached Storage (NAS)
    • Network file system (NFS v2)
    • Common Internet File System (CIFS)
    In contrast to the other options, in a SAN composed of computers, FC switches or routers and storage devices, there is no computer system hosting and exporting its mounted file system for remote access, aside from special file systems. Access to information stored on the storage devices in a SAN is comparable to direct attached storage, which means that each block of data on a disk can be addressed directly, since the volumes of the storage device are handled as though they are local, thus providing optimal performance. The other options describe technologies in which a computer (or appliance) shares its information with other systems. To access the information, the complete file has to be read.

  14. Reverse proxy technology for web servers should be deployed if:

    • http servers’ addresses must be hidden.
    • accelerated access to all published pages is required.
    • caching is needed for fault tolerance.
    • bandwidth to the user is limited.
    Reverse proxies are primarily designed to hide physical and logical internal structures from outside access. Complete URLs or URIs can be partially or completely redirected without disclosing which internal or DMZ server is providing the requested data. This technology might be used if a trade-off between security, performance and costs has to be achieved. Proxy servers cache some data but normally cannot cache all pages to be published because this depends on the kind of information the web servers provide. The ability to accelerate access depends on the speed of the back-end servers, i.e., those that are cached. Thus, without making further assumptions, a gain in speed cannot be assured, but visualization and hiding of internal structures can. If speed is an issue, a scale-out approach (avoiding additional delays from passing firewalls, involving more servers, etc.) would be a better solution. Due to the limited caching option, reverse proxies are not suitable for enhancing fault tolerance. User requests that are handled by reverse proxy servers use exactly the same bandwidth as direct requests to the hosts providing the data.

  15. When auditing a proxy-based firewall, an IS auditor should:

    • verify that the firewall is not dropping any forwarded packets.
    • review Address Resolution Protocol (ARP) tables for appropriate mapping between media access control (MAC) and IP addresses.
    • verify that the filters applied to services such as HTTP are effective.
    • test whether routing information is forwarded by the firewall.
    A proxy-based firewall works as an intermediary (proxy) between the service or application and the client: it makes a connection with the client, opens a separate connection with the server and, based on specific filters and rules, analyzes all the traffic between the two connections.
    Unlike a packet-filtering gateway, a proxy-based firewall does not forward any packets. Mapping between media access control (MAC) and IP addresses is a task for protocols such as Address Resolution Protocol/Reverse Address Resolution Protocol (ARP/RARP).

  16. An IS auditor should review the configuration of which of the following protocols to detect unauthorized mappings between the IP address and the media access control (MAC) address?

    • Simple Object Access Protocol (SOAP)
    • Address Resolution Protocol (ARP)
    • Routing Information Protocol (RIP)
    • Transmission Control Protocol (TCP)
    Address Resolution Protocol (ARP) provides dynamic address mapping between an IP address and a hardware address. Simple Object Access Protocol (SOAP) is a platform-independent, XML-based protocol, enabling applications to communicate with each other over the Internet, and does not deal with media access control (MAC) addresses. Routing Information Protocol (RIP) specifies how routers exchange routing table information. Transmission Control Protocol (TCP) enables two hosts to establish a connection and exchange streams of data.

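    Question 16 asks how an auditor would detect an unauthorized IP-to-MAC mapping; in practice that means comparing the ARP cache of a host or gateway with the organization’s asset inventory. The script below is an added example, not part of the original question set. It parses a constructed neighbour-table dump written in a form resembling Linux `ip neigh` output (the sample lines and the `AUTHORIZED` inventory are constructed data) and reports three conditions: an IP whose MAC differs from the inventory, an IP with no inventory record, and one MAC answering for several IPs.

```python
"""Check an ARP/neighbour cache against an authorized IP->MAC inventory (added example)."""
import re
from collections import defaultdict

# Constructed neighbour-table dump (sample data, not captured from a real host).
SAMPLE_ARP = """
10.0.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
10.0.1.21 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
10.0.1.30 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
10.0.1.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE
"""

# Constructed authorized inventory: IP -> MAC as recorded in asset management.
AUTHORIZED = {
    "10.0.1.1": "00:11:22:33:44:01",
    "10.0.1.20": "00:11:22:33:44:20",
    "10.0.1.30": "00:11:22:33:44:30",
}

# <ip> dev <ifname> lladdr <mac> ...  (only the IP and MAC fields are used)
ENTRY_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return {ip: mac} with MACs normalized to lower case; unparseable lines are skipped."""
    table = {}
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def check_mappings(table, authorized):
    """Return (address(es), mac, reason) tuples for every mapping that needs follow-up."""
    findings = []
    for ip, mac in sorted(table.items()):
        expected = authorized.get(ip)
        if expected is None:
            findings.append((ip, mac, "no inventory record for this IP"))
        elif expected.lower() != mac:
            findings.append((ip, mac, f"MAC differs from inventory ({expected})"))
    # A single MAC claiming several IPs is how a spoofed or misconfigured host usually shows up.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), mac, "one MAC answers for several IPs"))
    return findings


if __name__ == "__main__":
    for addr, mac, reason in check_mappings(parse_arp(SAMPLE_ARP), AUTHORIZED):
        print(f"{addr:<22} {mac}  {reason}")
```

    On the constructed data the check flags 10.0.1.30 (MAC differs from inventory), 10.0.1.21 and 10.0.1.40 (no record), and the MAC 00:11:22:33:44:20 for answering on two addresses. A MAC that answers for several IPs is not automatically unauthorized; a router doing proxy ARP or a host with aliased addresses does the same, so each finding is compared with the inventory and change records before it is reported as an exception.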
  17. An IS auditor examining the configuration of an operating system to verify the controls should review the:

    • transaction logs.
    • authorization tables.
    • parameter settings.
    • routing tables.
    Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization’s workload and control environment; improper implementation and/or monitoring of operating systems can result in undetected errors and corruption of the data being processed, as well as lead to unauthorized access and inaccurate logging of system usage. Transaction logs are used to analyze transactions in master and/or transaction files. Authorization tables are used to verify implementation of logical access controls and will not be of much help when reviewing control features of an operating system. Routing tables do not contain information about the operating system and, therefore, provide no information to aid in the evaluation of controls.

  18. When reviewing an implementation of a VoIP system over a corporate WAN, an IS auditor should expect to find:

    • an integrated services digital network (ISDN) data link.
    • traffic engineering.
    • wired equivalent privacy (WEP) encryption of data.
    • analog phone terminals.
    To ensure that quality of service requirements are achieved, the Voice-over IP (VoIP) service over the wide area network (WAN) should be protected from packet losses, latency or jitter. To reach this objective, the network performance can be managed using statistical techniques such as traffic engineering. The standard bandwidth of an integrated services digital network (ISDN) data link would not provide the quality of service required for corporate VoIP services. WEP is an encryption scheme related to wireless networking. The VoIP phones are usually connected to a corporate local area network (LAN) and are not analog.

  19. Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks?

    • Session keys are dynamic
    • Private symmetric keys are used
    • Keys are static and shared
    • Source addresses are not encrypted or authenticated
    WPA uses dynamic session keys, achieving stronger encryption than Wired Equivalent Privacy (WEP), which operates with static keys (the same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.

  20. During the audit of a database server, which of the following would be considered the GREATEST exposure?

    • The password does not expire on the administrator account
    • Default global security settings for the database remain unchanged
    • Old data have not been purged
    • Database activity is not fully logged
    Default security settings for the database could allow issues like blank user passwords or passwords that were the same as the username. Logging all database activity is not practical. Failure to purge old data may present a performance issue but is not an immediate security concern. Choice A is an exposure but not as serious as B.
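    The explanation for question 20 names two symptoms of unchanged default settings, blank passwords and passwords equal to the username, and ranks a non-expiring administrator password as a lesser exposure. The script below is an added example, not part of the original question set, that turns those criteria into a check over a constructed account export. It assumes, for the sake of the sample, that the export stores an unsalted SHA-256 of each password (real DBMS products use their own salted schemes, so the `h` helper would be replaced by the vendor’s hash procedure), and ranks findings the way the explanation does.

```python
"""Audit a database account export for default-setting exposures (added example)."""
import hashlib
from datetime import date


def h(password):
    """Assumed hash scheme of the constructed export: unsalted SHA-256 hex digest."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account export: (username, password_hash, expiry date or None, is_admin).
ACCOUNTS = [
    ("dba_admin", h("Str0ng!pass-2021"), None, True),          # never expires
    ("report_ro", h("report_ro"), date(2022, 6, 30), False),   # password == username
    ("etl_svc", h(""), date(2022, 6, 30), False),              # blank password
    ("app_user", h("x9#Vq2!lmPz"), date(2022, 1, 15), False),  # nothing to report
]

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


def audit_accounts(accounts):
    """Return (username, severity, finding) tuples, in export order, for each exposure found."""
    findings = []
    blank = h("")
    for user, pw_hash, expires, is_admin in accounts:
        if pw_hash == blank:
            findings.append((user, "HIGH", "blank password"))
        elif pw_hash == h(user):
            findings.append((user, "HIGH", "password equals username (vendor default pattern)"))
        if is_admin and expires is None:
            findings.append((user, "MEDIUM", "administrator password never expires"))
    return findings


def worst_first(findings):
    """Order findings so the greatest exposures are listed first."""
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


if __name__ == "__main__":
    for user, sev, text in worst_first(audit_accounts(ACCOUNTS)):
        print(f"{sev:<6} {user:<12} {text}")
```

    On the constructed export the check reports `report_ro` and `etl_svc` as HIGH and `dba_admin` as MEDIUM, mirroring the ranking in the explanation: default credential patterns are an immediate exposure, a non-expiring administrator password is an exposure but a lesser one. Comparing each stored hash against the hash of the empty string and of the username is the standard way to test for these defaults without ever handling a plaintext password.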