Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 162

  1. Which of the following is the BEST practice to ensure that access authorizations are still valid?

    • information owner provides authorization for users to gain access
    • identity management is integrated with human resource processes
    • information owners periodically review the access controls
    • An authorization matrix is used to establish validity of access

    Personnel and departmental changes can result in authorization creep and can impact the effectiveness of access controls. Many times when personnel leave an organization, or employees are promoted, transferred or demoted, their system access is not fully removed, which increases the risk of unauthorized access. The best practices for ensuring access authorization is still valid is to integrate identity management with human resources processes. When an employee transfers to a different function, access rights are adjusted at the same time.

  2. A technical lead who was working on a major project has left the organization. The project manager reports suspicious system activities on one of the servers that is accessible to the whole team. What would be of GREATEST concern if discovered during a forensic investigation?

    • Audit logs are not enabled for the system
    • A logon ID for the technical lead still exists
    • Spyware is installed on the system
    • A Trojan is installed on the system
    Audit logs are critical to the investigation of the event; however, if not enabled, misuse of the logon ID of the technical lead and the guest account could not be established. The logon ID of the technical lead should have been deleted as soon as the employee left the organization but, without audit logs, misuse of the ID is difficult to prove. Spyware installed on the system is a concern but could have been installed by any user and, again, without the presence of logs, discovering who installed the spyware is difficult. A Trojan installed on the system is a concern, but it can be done by any user as it is accessible to the whole group and, without the presence of logs, investigation would be difficult.
  3. An organization is using an enterprise resource management (ERP) application. Which of the following would be an effective access control?

    • User-level permissions
    • Role-based
    • Fine-grained
    • Discretionary
    Role-based access controls the system access by defining roles for a group of users. Users are assigned to the various roles and the access is granted based on the user’s role. User-level permissions for an ERP system would create a larger administrative overhead. Fine-grained access control is very difficult to implement and maintain in the context of a large enterprise.
    Discretionary access control may be configured or modified by the users or data owners, and therefore may create inconsistencies in the access control management.
  4. What should be the GREATEST concern to an IS auditor when employees use portable media (MP3 players, flash drives)?

    • The copying of sensitive data on them
    • The copying of songs and videos on them
    • The cost of these devices multiplied by all the employees could be high
    • They facilitate the spread of malicious code through the corporate network
    The MAIN concern with MP3 players and flash drives is data leakage, especially sensitive information. This could occur if the devices were lost or stolen. The risk when copying songs and videos is copyright infringement, but this is normally a less important risk than information leakage. Choice C is hardly an issue because employees normally buy the portable media with their own funds. Choice D is a possible risk, but not as important as information leakage and can be reduced by other controls.
  5. An IS auditor should expect the responsibility for authorizing access rights to production data and systems to be entrusted to the:

    • process owners.
    • system administrators.
    • security administrator.
    • data owners.
    Data owners are primarily responsible for safeguarding the data and authorizing access to production data on a need-to-know basis.
  6. An IS auditor has completed a network audit. Which of the following is the MOST significant logical security finding?

    • Network workstations are not disabled automatically after a period of inactivity.
    • Wiring closets are left unlocked
    • Network operating manuals and documentation are not properly secured.
    • Network components are not equipped with an uninterruptible power supply.
    Choice A is the only logical security finding. Network logical security controls should be in place to restrict, identify, and report authorized and unauthorized users of the network. Disabling inactive workstations restricts users of the network. Choice D is an environmental issue and choices B and C are physical security issues. Choices B, C and D should be reported to the appropriate entity.
  7. Which of the following would MOST effectively enhance the security of a challenge- response based authentication system?

    • Selecting a more robust algorithm to generate challenge strings
    • implementing measures to prevent session hijacking attacks
    • increasing the frequency of associated password changes
    • increasing the length of authentication strings
    Challenge response-based authentication is prone to session hijacking or man-in-the- middle attacks. Security management should be aware of this and engage in risk assessment and control design when they employ this technology. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk when compared to man-in- the-middle attacks. Choices C and D are good security practices; however, they are not as effective a preventive measure. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk.
  8. Which of the following should an IS auditor recommend for the protection of specific sensitive information stored in the data warehouse?

    • implement column- and row-level permissions
    • Enhance user authentication via strong passwords
    • Organize the data warehouse into subject matter-specific databases
    • Log user access to the data warehouse
    Choice A specifically addresses the question of sensitive data by controlling what information users can access. Column-level security prevents users from seeing one or more attributes on a table. With row-level security a certain grouping of information on a table is restricted; e.g., if a table held details of employee salaries, then a restriction could be put in place to ensure that, unless specifically authorized, users could not view the salaries of executive staff. Column- and row-level security can be achieved in a relational database by allowing users to access logical representations of data rather than physical tables. This ‘fine-grained’ security model is likely to offer the best balance between information protection while still supporting a wide range of analytical and reporting uses. Enhancing user authentication via strong passwords is a security control that should apply to all users of the data warehouse and does not specifically address protection of sensitive data. Organizing a data warehouse into subject-specific databases is a potentially useful practice but, in itself, does not adequately protect sensitive data. Database-level security is normally too ‘coarse’ a level to efficiently and effectively protect information. For example, one database may hold information that needs to be restricted such as employee salary and customer profitability details while other information such as employee department may need to be legitimately a accessed by a large number of users. Organizing the data warehouse into subject matter-specific databases is similar to user access in that this control should generally apply. Extra attention could be devoted to reviewing access to tables with sensitive data, but this control is not sufficient without strong preventive controls at the column and row level. For choice D, logging user access is important, but it is only a detective control that will not provide adequate protection to sensitive information.
  9. The responsibility for authorizing access to a business application system belongs to the:

    • data owner.
    • security administrator.
    • IT security manager.
    • requestor’s immediate supervisor.
    When a business application is developed, the best practice is to assign an information or data owner to the application. The Information owner should be responsible for authorizing access to the application itself or to back-end databases for queries. Choices B and C are not correct because the security administrator and manager normally do not have responsibility for authorizing access to business applications. The requestor’s immediate supervisor may share the responsibility for approving user access to a business application system; however, the final responsibility should go to the information owner.
  10. An organization has created a policy that defines the types of web sites that users are forbidden to access. What is the MOST effective technology to enforce this policy?

    • Stateful inspection firewall
    • Web content filter
    • Web cache server
    • Proxy server
    A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, organizations and vendors have made available URL blacklists and classifications for millions of web sites. A stateful inspection firewall is of little help in filtering web traffic since it does not review the content of the web site nor does it take into consideration the sites classification. A web cache server is designed to improve the speed of retrieving the most common or recently visited web pages. A proxy server is incorrect because a proxy server is a server which services the request of its clients by forwarding requests to other servers. Many people incorrectly use proxy server as a synonym of web proxy server even though not all web proxy servers have content filtering capabilities.
  11. What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?

    • implement a log management process
    • implement a two-factor authentication
    • Use table views to access sensitive data
    • Separate database and application servers
    Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. Choice B, implementing a two- factor authentication, and choice C, using table views to access sensitive data, are controls that would limit access to the database to authorized users but would not resolve the accountability problem. Choice D may help in a better administration or even in implementing access controls but, again, does not address the accountability issues.
  12. Which of the following intrusion detection systems (IDSs) monitors the general patterns of activity and traffic on a network and creates a database?

    • Signature-based
    • Neural networks-based
    • Statistical-based
    • Host-based
    The neural networks-based IDS monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but has the added function of self-learning. Signature-based systems are a type of IDS in which the intrusive patterns identified are stored in the form of signatures. These IDS systems protect against detected intrusion patterns. Statistical-based systems need a comprehensive definition of the known and expected behavior of systems. Host-based systems are not a type of IDS, but a category of IDS, and are configured for a specific environment. They will monitor various internal resources of the operating system to warn of a possible attack.
  13. The MOST important difference between hashing and encryption is that hashing:

    • is irreversible.
    • output is the same length as the original message.
    • is concerned with integrity and security.
    • is the same at the sending and receiving end.
    Hashing works one way; by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the message hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving and to encrypt and decrypt. 
  14. Which of the following cryptography options would increase overhead/cost?

    • The encryption is symmetric rather than asymmetric.
    • A long asymmetric encryption key is used.
    • The hash is encrypted rather than the message.
    • A secret key is used.
    Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An asymmetric algorithm requires more processing time than symmetric algorithms. A hash is shorter than the original message; therefore, a smaller overhead is required if the hash is encrypted rather than the message. Use of a secret key, as a symmetric encryption key, is generally small and used for the purpose of encrypting user data.
  15. The MOST important success factor in planning a penetration test is:

    • the documentation of the planned testing procedure.
    • scheduling and deciding on the timed length of the test.
    • the involvement of the management of the client organization.
    • the qualifications and experience of staff involved in the test.
    The most important part of planning any penetration test is the involvement of the management of the client organization. Penetration testing without management approval could reasonably be considered espionage and is illegal in many jurisdictions.
  16. Which of the following virus prevention techniques can be implemented through hardware?

    • Remote booting
    • Heuristic scanners
    • Behavior blockers
    • Immunizers
    Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be implemented through hardware. Choice C is a detection, not a prevention, although it is hardware-based. Choices B and D are not hard ware-based.
  17. Which of the following append themselves to files as a protection against viruses?

    • Behavior blockers
    • Cyclical redundancy checkers (CRCs)
    • Immunizers
    • Active monitors
    Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. Cyclical redundancy checkers compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare it to the database and report possible infection if changes have occurred. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions.
  18. Which of the following acts as a decoy to detect active internet attacks?

    • Honeypots
    • Firewalls
    • Trapdoors
    • Traffic analysis
    Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals’ computer systems. The concept of a honeypot is to learn from intruder’s actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. Traffic analysis is a type of passive attack.
  19. A certificate authority (CA) can delegate the processes of:

    • revocation and suspension of a subscriber’s certificate.
    • generation and distribution of the CA public key.
    • establishing a link between the requesting entity and its public key.
    • issuing and distributing subscriber certificates.,
    Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension and issuance and distribution of the subscriber certificate are functions of the subscriber certificate life cycle management, which the CA must perform.
    Generation and distribution of the CA public key is a part of the CA key life cycle management process and, as such, cannot be delegated. 
  20. Which of the following results in a denial-of-service attack?

    • Brute force attack
    • Ping of death
    • Leapfrog attack
    • Negative acknowledgement (NAK) attack
    The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of tenting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. A negative acknowledgement attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.