Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 171

  1. Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack?

    • 128-bit wired equivalent privacy (WEP)
    • MAC-based pre-shared key(PSK)
    • Randomly generated pre-shared key (PSKJ
    • Alphanumeric service set identifier (SSID)

    A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.

  2. The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?

    • Reliability and quality of service (QoS)
    • Means of authentication
    • Privacy of voice transmissions
    • Confidentiality of data transmissions
    The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.
  3. Which of the following antispam filtering techniques would BEST prevent a valid, variable- length e-mail message containing a heavily weighted spam keyword from being labeled as spam?

    • Heuristic (rule-based)
    • Signature-based
    • Pattern matching
    • Bayesian (statistical)
    Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable- length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule- based technique, where the rules operate at the word level using wildcards, and not at higher levels.
  4. Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?

    • Certificate revocation list (CRL)
    • Certification practice statement (CPS)
    • Certificate policy (CP)
    • PKI disclosure statement (PDS)
    The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items such as the warranties, limitations and obligations that legally bind each party.
  5. Active radio frequency ID (RFID) tags are subject to which of the following exposures?

    • Session hijacking
    • Eavesdropping
    • Malicious code
    • Phishing
    Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not subject to session hijacking, malicious code or phishing.
  6. When conducting a penetration test of an organization’s internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network?

    • Use the IP address of an existing file server or domain controller.
    • Pause the scanning every few minutes to allow thresholds to reset.
    • Conduct the scans during evening hours when no one is logged-in.
    • Use multiple scanning tools since each tool has different characteristics.
    Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding thresholds that may trigger alert messages to the network administrator. Using the IP address of a server would result in an address contention that would attract attention. Conducting scans after hours would increase the chance of detection, since there would be less traffic to conceal ones activities. Using different tools could increase the likelihood that one of them would be detected by an intrusion detection system.
  7. Two-factor authentication can be circumvented through which of the following attacks?

    • Denial-of-service
    • Man-in-the-middle
    • Key logging
    • Brute force
    A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of- service attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.
  8. An organization can ensure that the recipients of e-mails from its employees can authenticate the identity of the sender by:

    • digitally signing all e-mail messages.
    • encrypting all e-mail messages.
    • compressing all e-mail messages.
    • password protecting all e-mail messages.
    By digitally signing all e-mail messages, the receiver will be able to validate the authenticity of the sender. Encrypting all e-mail messages would ensure that only the intended recipient will be able to open the message; however, it would not ensure the authenticity of the sender. Compressing all e-mail messages would reduce the size of the message, but would not ensure the authenticity. Password protecting all e-mail messages would ensure that only those who have the password would be able to open the message; however, it would not ensure the authenticity of the sender.
  9. Sending a message and a message hash encrypted by the sender’s private key will ensure:

    • authenticity and integrity.
    • authenticity and privacy.
    • integrity and privacy.
    • privacy and nonrepudiation.
    If the sender sends both a message and a message hash encrypted by its private key, then the receiver can apply the sender’s public key to the hash and get the message hash. The receiver can apply the hashing algorithm to the message received and generate a hash. By matching the generated hash with the one received, the receiver is ensured that the message has been sent by the specific sender, i.e., authenticity, and that the message has not been changed enroute.
    Authenticity and privacy will be ensured by first using the sender’s private key and then the receiver’s public key to encrypt the message. Privacy and integrity can be ensured by using the receiver’s public key to encrypt the message and sending a message hash/digest. Only nonrepudiation can be ensured by using the sender’s private key to encrypt the message. The sender’s public key, available to anyone, can decrypt a message; thus, it does not ensure privacy. 
  10. Which of the following is a passive attack to a network?

    • Message modification
    • Masquerading
    • Denial of service
    • Traffic analysis
    The intruder determines the nature of the flow of traffic (traffic analysis) between defined hosts and is able to guess the type of communication taking place. Message modification involves the capturing of a message and making unauthorized changes or deletions, changing the sequence or delaying transmission of captured messages. Masquerading is an active attack in which the intruder presents an identity other than the original identity. Denial of service occurs when a computer connected to the internet is flooded with data and/or requests that must be processed.
  11. An organization has a mix of access points that cannot be upgraded to stronger security and newer access points having advanced wireless security. An IS auditor recommends replacing the non-upgradeable access points. Which of the following would BEST justify the IS auditor’s recommendation?

    • The new access points with stronger security are affordable.
    • The old access points are poorer in terms of performance.
    • The organization’s security would be as strong as its weakest points.
    • The new access points are easier to manage.
    The old access points should be discarded and replaced with products having strong security; otherwise, they will leave security holes open for attackers and thus make the entire network as weak as they are. Affordability is not the auditor’s major concern. Performance is not as important as security in this situation. Product manageability is not the IS auditor’s concern.
  12. An investment advisor e-mails periodic newsletters to clients and wants reasonable assurance that no one has modified the newsletter. This objective can be achieved by:

    • encrypting the hash of the newsletter using the advisor’s private key.
    • encrypting the hash of the newsletter using the advisor’s public key.
    • digitally signing the document using the advisor’s private key.
    • encrypting the newsletter using the advisor’s private key.
    There is no attempt on the part of the investment advisor to prove their identity or to keep the newsletter confidential. The objective is to assure the receivers that it came to them without any modification, i.e., it has message integrity. Choice A is correct because the hash is encrypted using the advisor’s private key. The recipients can open the newsletter, recompute the hash and decrypt the received hash using the advisor’s public key. If the two hashes are equal, the newsletter was not modified in transit. Choice B is not feasible, for no one other than the investment advisor can open it. Choice C addresses sender authentication but not message integrity. Choice D addresses confidentiality, but not message integrity, because anyone can obtain the investment advisor’s public key, decrypt the newsletter, modify it and send it to others. The interceptor will not be able to use the advisor’s private key, because they do not have it.
    Anything encrypted using the interceptor’s private key can be decrypted by the receiver only by using their public key.
  13. An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:

    • reduces the risk of unauthorized access to the network.
    • is not suitable for small networks.
    • automatically provides an IP address to anyone.
    • increases the risks associated with Wireless Encryption Protocol (WEP).
    Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connected to the network. With DHCP disabled, static IP addresses must be used and represent less risk due to the potential for address contention between an unauthorized device and existing devices on the network. Choice B is incorrect because DHCP is suitable for small networks.
    Choice C is incorrect because DHCP does not provide IP addresses when disabled. Choice D is incorrect because disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in WEP.
  14. A virtual private network (VPN) provides data confidentiality by using:

    • Secure Sockets Layer (SSL)
    • Tunneling
    • Digital signatures
    • Phishing
    VPNs secure data in transit by encapsulating traffic, a process known as tunneling. SSL is a symmetric method of encryption between a server and a browser. Digital signatures are not used in the VPN process, while phishing is a form of a social engineering attack.
  15. In auditing a web server, an IS auditor should be concerned about the risk of individuals gaining unauthorized access to confidential information through:

    • common gateway interface (CGI) scripts.
    • enterprise Java beans (EJBs).
    • applets.
    • web services.
    Common gateway interface (CGI) scripts are executable machine independent software programs on the server that can be called and executed by a web server page. CGI performs specific tasks such as processing inputs received from clients. The use of CGI scripts needs to be evaluated, because as they run in the server, a bug in them may allow a user to gain unauthorized access to the server and from there gain access to the organization’s network.
    Applets are programs downloaded from a web server and executed on web browsers on client machines to run any web-based applications. Enterprise java beans (EJBs) and web services have to be deployed by the web server administrator and are controlled by the application server. Their execution requires knowledge of the parameters and expected return values.
  16. An IS auditor reviewing access controls for a client-server environment should FIRST:

    • evaluate the encryption technique.
    • identify the network access points.
    • review the identity management system.
    • review the application level access controls.
    A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client server environment, all network access points should be identified. Evaluating encryption techniques, reviewing the identity management system and reviewing the application level access controls would be performed at a later stage of the review.
  17. To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:

    • the source routing field is enabled.
    • it has a broadcast address in the destination field.
    • a reset flag (RST) is turned on for the TCP connection.
    • dynamic routing is used instead of static routing.
    IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing (choice D). Choices B and C do not have any relation to IP spoofing attacks. If a packet has a broadcast destination address (choice B), it will be sent to all addresses in the subnet. Turning on the reset flag (RST) (choice C) is part of the normal procedure to end a TCP connection.
  18. An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if:

    • IDS sensors are placed outside of the firewall.
    • a behavior-based IDS is causing many false alarms.
    • a signature-based IDS is weak against new types of attacks.
    • the IDS is used to detect encrypted traffic. 
    An intrusion detection system (IDS) cannot detect attacks within encrypted traffic, and it would be a concern if someone was misinformed and thought that the IDS could detect attacks in encrypted traffic. An organization can place sensors outside of the firewall to detect attacks.
    These sensors are placed in highly sensitive areas and on extranets. Causing many false alarms is normal for a behavior-based IDS, and should not be a matter of concern. Being weak against new types of attacks is also expected from a signature- based IDS, because it can only recognize attacks that have been previously identified.
  19. Which of the following BEST describes the role of a directory server in a public key infrastructure (PKI)?

    • Encrypts the information transmitted over the network
    • Makes other users’ certificates available to applications
    • Facilitates the implementation of a password policy
    • Stores certificate revocation lists (CRLs)
    A directory server makes other users’ certificates available to applications. Encrypting the information transmitted over the network and storing certificate revocation lists (CRLs) are roles performed by a security server. Facilitating the implementation of a password policy is not relevant to public key infrastructure (PKl).
  20. An organization is using symmetric encryption. Which of the following would be a valid reason for moving to asymmetric encryption? Symmetric encryption:

    • provides authenticity.
    • is faster than asymmetric encryption.
    • can cause key management to be difficult.
    • requires a relatively simple algorithm.
    In a symmetric algorithm, each pair of users’ needs a unique pair of keys, so the number of keys grows and key management can become overwhelming. Symmetric algorithms do not provide authenticity, and symmetric encryption is faster than asymmetric encryption. Symmetric algorithms require mathematical calculations, but they are not as complex as asymmetric algorithms.