Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 164

  1. Which of the following controls would BEST detect intrusion?

    • User IDs and user privileges are granted through authorized procedures.
    • Automatic logoff is used when a workstation is inactive for a particular period of time.
    • Automatic logoff of the system occurs after a specified number of unsuccessful attempts.
    • Unsuccessful logon attempts are monitored by the security administrator.

    Explanation: 
    Intrusion is detected by the active monitoring and review of unsuccessful logons. User IDs and the granting of user privileges define a policy, not a control. Automatic logoff of an inactive workstation is a method of preventing access on idle terminals and is not a detective control. Automatic logoff after a specified number of unsuccessful logon attempts is a method of preventing intrusion, not detecting it.

  2. Which of the following is a feature of an intrusion detection system (IDS)?

    • Gathering evidence on attack attempts
    • Identifying weaknesses in the policy definition
    • Blocking access to particular sites on the Internet
    • Preventing certain users from accessing specific servers
    Explanation: 
    An IDS can gather evidence on intrusive activity such as an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, while choice B requires a manual review, and therefore is outside the functionality of an IDS.
  3. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:

    • maintenance of access logs of usage of various system resources.
    • authorization and authentication of the user prior to granting access to system resources.
    • adequate protection of stored data on servers by encryption or other means.
    • accountability system and the ability to identify any terminal accessing system resources.
    Explanation: 
    The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.
  4. Which of the following is the MOST effective type of antivirus software?

    • Scanners
    • Active monitors
    • Integrity checkers
    • Vaccines
    Explanation: 
    Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. This number is called a cyclic redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions.
    Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective.
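    An integrity checker of the kind the explanation describes, as an added example that is not code from the original page: it baselines the CRC of known-clean files into a small JSON "database file" and, before a program would run, compares a fresh CRC against the stored value. The file names, the `demo` scenario and the file contents are constructed.

```python
import json
import os
import tempfile
import zlib

def crc_of_file(path):
    """Compute the CRC-32 of a file, the 'binary number' the explanation refers to."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def build_baseline(paths, db_path):
    """Record the CRC of every known-clean program in a JSON 'database file'."""
    baseline = {p: crc_of_file(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(baseline, f)
    return baseline

def check_before_execute(path, db_path):
    """Return 'clean', 'modified' or 'unknown' for a program that is about to run."""
    with open(db_path) as f:
        baseline = json.load(f)
    if path not in baseline:
        return "unknown"      # no stored value, so nothing to compare against
    return "clean" if crc_of_file(path) == baseline[path] else "modified"

def demo(workdir=None):
    """Constructed scenario: two stand-in programs, one altered after the baseline."""
    workdir = workdir or tempfile.mkdtemp()
    good = os.path.join(workdir, "editor.exe")
    changed = os.path.join(workdir, "viewer.exe")
    db = os.path.join(workdir, "crc_db.json")
    for p in (good, changed):
        with open(p, "wb") as f:
            f.write(b"MZ original program body")    # placeholder executable bytes
    build_baseline([good, changed], db)
    with open(changed, "ab") as f:
        f.write(b"bytes appended after the baseline")  # a changed file yields a different CRC
    return (check_before_execute(good, db),
            check_before_execute(changed, db),
            check_before_execute(os.path.join(workdir, "unknown.exe"), db))

if __name__ == "__main__":
    print(demo())   # ('clean', 'modified', 'unknown')
```

CRC-32 detects accidental and unsophisticated change only; a deliberate modification can be crafted to keep the same CRC, so current integrity checkers store a cryptographic hash (for example SHA-256) in place of the CRC.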
  5. When using public key encryption to secure data being transmitted across a network:

    • both the key used to encrypt and decrypt the data are public.
    • the key used to encrypt is private, but the key used to decrypt the data is public.
    • the key used to encrypt is public, but the key used to decrypt the data is private.
    • both the key used to encrypt and decrypt the data are private.
    Explanation: 
    Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it.
  6. The technique used to ensure security in virtual private networks (VPNs) is:

    • encapsulation.
    • wrapping.
    • transform.
    • encryption.
    Explanation:
    Encapsulation, or tunneling, is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.
  7. During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is:

    • encryption.
    • callback modems.
    • message authentication.
    • dedicated leased lines.
    Explanation:
    Encryption of data is the most secure method. The other methods are less secure, with leased lines being possibly the least secure method.
  8. An internet-based attack using password sniffing can:

    • enable one party to act as if they are another party.
    • cause modification to the contents of certain transactions.
    • be used to gain access to systems containing proprietary information.
    • result in major problems with billing systems and transaction processing agreements.
    Explanation: 
    Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.
  9. Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?

    • Proxy server
    • Firewall installation
    • Network administrator
    • Password implementation and administration
    Explanation: 
    The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, but typically this would not be comprehensive enough to serve on multiple and diverse systems.
  10. During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?

    • A biometric, digitalized and encrypted parameter with the customer’s public key
    • A hash of the data that is transmitted and encrypted with the customer’s private key
    • A hash of the data that is transmitted and encrypted with the customer’s public key
    • The customer’s scanned signature encrypted with the customer’s public key
    Explanation: 
    The calculation of a hash, or digest, of the data that are transmitted and its encryption with the private key of the sender (here, the customer) is called a signature of the message, or digital signature.
    The receiver performs the same process and then compares the received hash, once it has been decrypted with the sender's public key, to the hash that is calculated from the received data. If they are the same, the conclusion is that the data that have arrived are intact and the origin is authenticated. Encrypting the hash with the private key of the originator provides non-repudiation, as it can only be decrypted with their public key and the private key is not known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted with a sender's public key must have been encrypted with their private key, so they must have been the sender, i.e., non-repudiation. Choice C is incorrect because, if this were the case, the hash could not be decrypted by the recipient (who does not hold the customer's private key), so the benefit of non-repudiation would be lost and there could be no verification that the message had not been intercepted and amended. A digital signature is created by encrypting with a private key. A person creating the signature uses their own private key; otherwise everyone would be able to create a signature with any public key. Therefore, the signature of the client is created with the client's private key, and this can be verified by the enterprise using the client's public key. Choice B is the correct answer because, in this case, the customer uses their private key to sign the hash of the data.
  11. When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?

    • Wiring and schematic diagram
    • Users’ lists and responsibilities
    • Application lists and their details
    • Backup and recovery procedures
    Explanation: 
    The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.
  12. Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?

    • The recipient uses their private key to decrypt the secret key.
    • The encrypted prehash code and the message are encrypted using a secret key.
    • The encrypted prehash code is derived mathematically from the message to be sent.
    • The recipient uses the sender’s public key, verified with a certificate authority, to decrypt the prehash code.
    Explanation: 
    Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender's public key to decrypt the prehash code into a posthash code, which, when it equals the prehash code, verifies the identity of the sender and that the message has not been changed en route; this would provide the greatest assurance. Each sender and recipient has a private key known only to themselves and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key, and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders' and recipients' public keys.
  13. Use of asymmetric encryption in an internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:

    • customer over the authenticity of the hosting organization.
    • hosting organization over the authenticity of the customer.
    • customer over the confidentiality of messages from the hosting organization.
    • hosting organization over the confidentiality of messages passed to the customer.
    Explanation: 
    Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. The customer cannot be assured of the confidentiality of messages from the host as many people have access to the public key and can decrypt the messages from the host. The host cannot be assured of the confidentiality of messages sent out, as many people have access to the public key and can decrypt it.
  14. E-mail message authenticity and confidentiality is BEST achieved by signing the message using the:

    • sender’s private key and encrypting the message using the receiver’s public key.
    • sender’s public key and encrypting the message using the receiver’s private key.
    • receiver’s private key and encrypting the message using the sender’s public key.
    • receiver’s public key and encrypting the message using the sender’s private key.
    Explanation: 
    By signing the message with the sender’s private key, the receiver can verify its authenticity using the sender’s public key. By encrypting the message with the receiver’s public key, only the receiver can decrypt the message using their own private key. The receiver’s private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender’s private key can be read by anyone with the sender’s public key.
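    The signing step of question 10, the sign-then-encrypt pattern of question 14 and the wrapping of a secret key under the recipient's public key from question 12, carried out with a toy RSA implementation added here (not code from the original page): `make_keypair`, `sign`, `verify`, `encrypt_int`, `decrypt_int` and `secure_email_demo` are assumed names, and the primes, the sample message and the session key are constructed.

```python
import hashlib

# Toy RSA with small, well-known primes (constructed choice for readability);
# real systems use 2048-bit keys with RSA-PSS (signing) and OAEP (encryption).
def make_keypair(p, q, e=65537):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent: inverse of e mod phi(n)
    return (e, n), (d, n)

def digest_int(message, n):
    """The 'prehash code': SHA-256 of the message, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Q10 choice B: the hash is encrypted with the sender's PRIVATE key."""
    d, n = private_key
    return pow(digest_int(message, n), d, n)

def verify(message, signature, public_key):
    """The receiver decrypts the signature with the sender's PUBLIC key and compares hashes."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(message, n)

def encrypt_int(value, public_key):
    """Q14/Q12: confidentiality comes from encrypting with the RECEIVER's public key."""
    e, n = public_key
    if not 0 <= value < n:
        raise ValueError("toy RSA: value must be smaller than the modulus")
    return pow(value, e, n)

def decrypt_int(ciphertext, private_key):
    """Only the holder of the matching private key can undo encrypt_int."""
    d, n = private_key
    return pow(ciphertext, d, n)

def secure_email_demo():
    """Sign with the sender's private key; wrap a secret key for the receiver."""
    sender_pub, sender_priv = make_keypair(1000003, 999983)
    receiver_pub, receiver_priv = make_keypair(104729, 1299709)   # a distinct pair
    message = b"Order 4711: ship 10 units"          # constructed sample message
    signature = sign(message, sender_priv)
    session_key = 0xC0FFEE                          # stands in for the symmetric secret key
    wrapped_key = encrypt_int(session_key, receiver_pub)
    return {
        "genuine_verifies": verify(message, signature, sender_pub),
        "tampered_verifies": verify(b"Order 4711: ship 99 units", signature, sender_pub),
        "wrong_signer_verifies": verify(message, sign(message, receiver_priv), sender_pub),
        "receiver_recovers_key": decrypt_int(wrapped_key, receiver_priv) == session_key,
    }

if __name__ == "__main__":
    print(secure_email_demo())
```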
  15. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?

    • An application-level gateway
    • A remote access server
    • A proxy server
    • Port scanning
    Explanation: 
    An application-level gateway is the best way to protect against hacking because it can define detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet in detail, not only at layers one through four of the OSI model but also at layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). With a remote access server, there is a device (server) that asks for a username and password before entry to the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating a security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the available ports need to be controlled. For example, the port for Ping (echo request) could be blocked, and the IP addresses would be available for the application and browsing but would not respond to Ping.
  16. Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?

    • Virtual private network
    • Dedicated line
    • Leased line
    • Integrated services digital network
    Explanation: 
    The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.
  17. The potential for unauthorized system access by way of terminals or workstations within an organization’s facility is increased when:

    • connecting points are available in the facility to connect laptops to the network.
    • users take precautions to keep their passwords confidential.
    • terminals with password protection are located in insecure locations.
    • terminals are located within the facility in small clusters under the supervision of an administrator.
    Explanation: 
    Any person with wrongful intentions can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available for intruders to use, they must guess, which introduces an additional factor and requires time. System passwords provide protection against unauthorized use of terminals located in insecure locations. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.
  18. Which of the following functions is performed by a virtual private network (VPN)?

    • Hiding information from sniffers on the net
    • Enforcing security policies
    • Detecting misuse or mistakes
    • Regulating access
    Explanation: 
    A VPN hides information from sniffers on the net using encryption. It works based on tunneling. A VPN does not analyze information packets and, therefore, cannot enforce security policies; it also does not check the content of packets, so it cannot detect misuse or mistakes. A VPN also does not perform an authentication function and, therefore, cannot regulate access.
  19. An IS auditor is reviewing an organization’s information asset management process. Which of the following would be of GREATEST concern to the auditor?

    • Process ownership has not been established.
    • Identification of asset value is not included in the process.
    • The process does not require specifying the physical locations of assets.
    • The process does not include asset review.
  20. Which of the following should be considered the MOST important factor when evaluating the level of protection of fireproof magnetic media containers?

    • Storage location of the containers with respect to flammable material
    • Peak temperature and humidity of the storage location
    • Peak temperature and humidity ratings inside the container
    • Resistance of the container to water, Halon, and carbon dioxide