Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 172

  1. Which of the following would provide the BEST protection against the hacking of a computer connected to the Internet?

    • A remote access server
    • A proxy server
    • A personal firewall
    • A password-generating token

    A personal firewall is the best way to protect against hacking, because it can be defined with rules that describe the type of user or connection that is or is not permitted. A remote access server can be mapped or scanned from the Internet, creating security exposures. Proxy servers can provide protection based on the IP address and ports; however, an individual would need to have in-depth knowledge to do this, and applications can use different ports for the different sections of their program. A password-generating token may help to encrypt the session but does not protect a computer against hacking.

  2. When installing an intrusion detection system (IDS), which of the following is MOST important?

    • Properly locating it in the network architecture
    • Preventing denial-of-service (DoS) attacks
    • Identifying messages that need to be quarantined
    • Minimizing the rejection errors
    Proper location of an intrusion detection system (IDS) in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected. Choices B, C and D are concerns during the configuration of an IDS, but if the IDS is not placed correctly, none of them would be adequately addressed.
  3. In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?

    • Nonrepudiation
    • Encryption
    • Authentication
    • Integrity
    Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made. Authentication is necessary to establish the identification of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.
  4. Which of the following ensures confidentiality of information sent over the internet?

    • Digital signature
    • Digital certificate
    • Online Certificate Status Protocol
    • Private key cryptosystem 
    Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentially. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate.
  5. To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:

    • access control servers.
    • session border controllers.
    • backbone gateways.
    • intrusion detection system (IDS).
    Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user’s real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall’s effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users’ real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.
  6. Which of the following attacks targets the Secure Sockets Layer (SSL)?

    • Man-in-the middle
    • Dictionary
    • Password sniffing
    • Phishing
    Attackers can establish a fake Secure Sockets Layer (SSL) server to accept user’s SSL traffic and then route to the real SSL server, so that sensitive information can be discovered. A dictionary attack that has been launched to discover passwords would not attack SSL since SSL does not rely on passwords. SSL traffic is encrypted; thus it is not possible to sniff the password. A phishing attack targets a user and not SSL Phishing attacks attempt to have the user surrender private information by falsely claiming to be a trusted person or enterprise.
  7. Which of the following potentially blocks hacking attempts?

    • intrusion detection system
    • Honeypot system
    • Intrusion prevention system
    • Network security scanner
    An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps the intruders to explore a simulated target. A network security scanner scans for the vulnerabilities, but it will not stop the intrusion.
  8. A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?

    • Dump the volatile storage data to a disk.
    • Run the server in a fail-safe mode.
    • Disconnect the web server from the network.
    • Shut down the web server.
    The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.
  9. To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:

    • Secure Shell (SSH-2) tunnel for the duration of the problem.
    • two-factor authentication mechanism for network access.
    • dial-in access.
    • virtual private network (VPN) account for the duration of the vendor support contract.
    For granting temporary access to the network, a Secure Shell (SSH-2) tunnel is the best approach. It has auditing features and allows restriction to specific access points. Choices B, C and D all give full access to the internal network. Two-factor authentication and virtual private network (VPN) provide access to the entire network and are suitable for dedicated users. Dial-in access would need to be closely monitored or reinforced with another mechanism to ensure authentication to achieve the same level of security as SSH-2.
  10. What is the BEST approach to mitigate the risk of a phishing attack?

    • implement an intrusion detection system (IDS)
    • Assess web site security
    • Strong authentication
    • User education
    Phishing attacks can be mounted in various ways; intrusion detection systems (IDSs) and strong authentication cannot mitigate most types of phishing attacks. Assessing web site security does not mitigate the risk. Phishing uses a server masquerading as a legitimate server. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and e-mail.
  11. A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:

    • date and time stamp of the message.
    • identity of the originating computer.
    • confidentiality of the message’s content.
    • authenticity of the sender.
    The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and, therefore, does not assure confidentiality.
  12. The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:

    • outgoing traffic with IP source addresses externa! to the network.
    • incoming traffic with discernible spoofed IP source addresses.
    • incoming traffic with IP options set.
    • incoming traffic to critical hosts.
    Outgoing traffic with an IP source address different than the IP range in the network is invalid, in most of the cases, it signals a DoS attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the attack.
  13. The network of an organization has been the victim of several intruders’ attacks. Which of the following measures would allow for the early detection of such incidents?

    • Antivirus software
    • Hardening the servers
    • Screening routers
    • Honeypots
    Honeypots can collect data on precursors of attacks. Since they serve no business function, honeypots are hosts that have no authorized users other than the honeypot administrators. All activity directed at them is considered suspicious. Attackers will scan and attack honeypots, giving administrators data on new trends and attack tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems and applications. If honeypots are to be used by an organization, qualified incident handlers and intrusion detection analysts should manage them. The other choices do not provide indications of potential attacks.
  14. A company has decided to implement an electronic signature scheme based on public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:

    • use of the user’s electronic signature by another person if the password is compromised.
    • forgery by using another user’s private key to sign a message with an electronic signature.
    • impersonation of a user by substitution of the user’s public key with another person’s public key.
    • forgery by substitution of another person’s private key on the computer.
    The user’s digital signature is only protected by a password. Compromise of the password would enable access to the signature. This is the most significant risk. Choice B would require subversion of the public key infrastructure mechanism, which is very difficult and least likely.
    Choice C would require that the message appear to have come from a different person and therefore the true user’s credentials would not be forged. Choice D has the same consequence as choice C.
  15. An IS auditor selects a server for a penetration test that will be carried out by a technical specialist. Which of the following is MOST important?

    • The tools used to conduct the test
    • Certifications held by the IS auditor
    • Permission from the data owner of the server
    • An intrusion detection system (IDS) is enabled
    The data owner should be informed of the risks associated with a penetration test, what types of tests are to be conducted and other relevant details. All other choices are not as important as the data owner’s responsibility for the security of the data assets.
  16. After observing suspicious activities in a server, a manager requests a forensic analysis.

    Which of the following findings should be of MOST concern to the investigator?

    • Server is a member of a workgroup and not part of the server domain
    • Guest account is enabled on the server
    • Recently, 100 users were created in the server
    • Audit logs are not enabled for the server
    Audit logs can provide evidence which is required to proceed with an investigation and should not be disabled. For business needs, a server can be a member of a workgroup and, therefore, not a concern. Having a guest account enabled on a system is a poor security practice but not a forensic investigation concern. Recently creating 100 users in the server may have been required to meet business needs and should not be a concern.
  17. Which of the following would be the GREATEST cause for concern when data are sent over the Internet using HTTPS protocol?

    • Presence of spyware in one of the ends
    • The use of a traffic sniffing tool
    • The implementation of an RSA-compliant solution
    • A symmetric cryptography is used for transmitting data
    Encryption using secure sockets layer/transport layer security (SSL/TLS) tunnels makes it difficult to intercept data in transit, but when spyware is running on an end user’s computer, data are collected before encryption takes place. The other choices are related to encrypting the traffic, but the presence of spyware in one of the ends captures the data before encryption takes place.
  18. A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?

    • Reviewing logs frequently
    • Testing and validating the rules
    • Training a local administrator at the new location
    • Sharing firewall administrative duties
    A mistake in the rule set can render a firewall insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment. A regular review of log files would not start until the deployment has been completed. Training a local administrator may not be necessary if the firewalls are managed from a central location. Having multiple administrators is a good idea, but not the most important.
  19. The human resources (HR) department has developed a system to allow employees to enroll in benefits via a web site on the corporate Intranet. Which of the following would protect the confidentiality of the data?

    • SSL encryption
    • Two-factor authentication
    • Encrypted session cookies
    • IP address verification
    The main risk in this scenario is confidentiality, therefore the only option which would provide confidentiality is Secure Socket Layer (SSL) encryption. The remaining options deal with authentication issues.
  20. What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?

    • Malicious code could be spread across the network
    • VPN logon could be spoofed
    • Traffic could be sniffed and decrypted
    • VPN gateway could be compromised
    VPN is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization’s network. Though choices B, C and D are security risks, VPN technology largely mitigates these risks.
  21. The use of digital signatures:

    • requires the use of a one-time password generator.
    • provides encryption to a message.
    • validates the source of a message.
    • ensures message confidentiality.
    The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.
  22. The FIRST step in a successful attack to a system would be:

    • gathering information.
    • gaining access.
    • denying services.
    • evading detection.
    Successful attacks start by gathering information about the target system. This is done in advance so that the attacker gets to know the target systems and their vulnerabilities. All of the other choices are based on the information gathered.