Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 85

  1. Upon receipt of the initial signed digital certificate the user will decrypt the certificate with the public key of the:

    • registration authority (RA).
    • certificate authority (CA).
    • certificate repository.
    • receiver.

    A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. As a part of the public key infrastructure, a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor’s information, the CA can issue a certificate. The CA signs the certificate with its private key for distribution to the user. Upon receipt, the user will decrypt the certificate with the CA’s public key.

  2. IS management is considering a Voice-over Internet Protocol (VoIP) network to reduce telecommunication costs and management asked the IS auditor to comment on appropriate security controls. Which of the following security measures is MOST appropriate?

    • Review and, where necessary, upgrade firewall capabilities
    • Install modems to allow remote maintenance support access
    • Create a physically distinct network to handle VoIP traffic
    • Redirect all VoIP traffic to allow clear text logging of authentication credentials
    Firewalls used as entry points to a Voice-over Internet Protocol (VoIP) network should be VoIP- capable. VoIP network services such as H.323 introduce complexities that are likely to strain the capabilities of older firewalls. Allowing for remote support access is an important consideration. However, a virtual private network (VPN) would offer a more secure means of enabling this access than reliance on modems. Logically separating the VoIP and data network is a good idea. Options such as virtual LANS (VLA.NS), traffic shaping, firewalls and network address translation (NAT) combined with private IP addressing can be used; however, physically separating the networks will increase both cost and administrative complexity. Transmitting or storing clear text information, particularly sensitive information such as authentication credentials, will increase network vulnerability. When designing a VoIP network, it is important to avoid introducing any processing that will unnecessarily increase latency since this will adversely impact VoIP quality.
  3. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?

    • Statistical-based
    • Signature-based
    • Neural network
    • Host-based
    A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.
  4. When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:

    • hardware is protected against power surges.
    • integrity is maintained if the main power is interrupted.
    • immediate power will be available if the main power is lost.
    • hardware is protected against long-term power fluctuations.
    A voltage regulator protects against short-term power fluctuations. It normally does not protect against long-term surges, nor does it maintain the integrity if power is interrupted or lost.
  5. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?

    • Halon gas
    • Wet-pipe sprinklers
    • Dry-pipe sprinklers
    • Carbon dioxide gas
    Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly.
    Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life.
  6. Which of the following is MOST efficiently protects computer equipment against short-term reductions in electrical power?

    • Power line conditioners
    • Surge protective devices
    • Alternative power supplies
    • Generators
    Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protection devices protect against high- voltage bursts. Alternative power supplies are intended for computer equipment running for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. An interruptible power supply would cause the equipment to come down whenever there was a power failure.
  7. An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers-one filled with CO2, the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor’s report?

    • The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer.
    • Both fire suppression systems present a risk of suffocation when used in a closed room.
    • The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper).
    • The documentation binders should be removed from the equipment room to reduce potential risks.
    Protecting people’s lives should always be of highest priority in fire suppression activities. COz and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards, in many countries installing or refilling halon fire suppression systems is not allowed. Although COz and halon are effective and appropriate for fires involving synthetic combustibles and electrical equipment, they are nearly totally ineffective on solid combustibles (wood and paper). Although not of highest priority, removal of the documentation would probably reduce some of the risks. 
  8. Which of the following would be BEST prevented by a raised floor in the computer machine room?

    • Damage of wires around computers and servers
    • A power failure from static electricity
    • Shocks from earthquakes
    • Water flood damage.
    The primary reason for having a raised floor is to enable power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risks posed when cables are placed in a spaghetti-like fashion on an open floor. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.
  9. A penetration test performed as part of evaluating network security:

    • provides assurance that all vulnerabilities are discovered.
    • should be performed without warning the organization’s management.
    • exploits the existing vulnerabilities to gain unauthorized access.
    • would not damage the information assets when performed at network perimeters.
    Penetration tests are an effective method of identifying real-time risks to an information processing environment. They attempt to break into a live site in order to gain unauthorized access to a system. They do have the potential for damaging information assets or misusing information because they mimic an experienced hacker attacking a live system. On the other hand, penetration tests do not provide assurance that all vulnerabilities are discovered because they are based on a limited number of procedures. Management should provide consent for the test to avoid false alarms to IT personnel or to law enforcement bodies.
  10. Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?

    • Users should not leave tokens where they could be stolen
    • Users must never keep the token in the same bag as their laptop computer
    • Users should select a PIN that is completely random, with no repeating digits
    • Users should never write down their PIN
    If a user writes their PIN on a slip of paper, an individual with the token, the slip of paper, and the computer could access the corporate network. A token and the PIN is a two-factor authentication method. Access to the token is of no value without the PIN; one cannot work without the other. The PIN does not need to be random as long as it is secret.
  11. Which of the following fire suppression systems is MOST appropriate to use in a data center environment?

    • Wet-pipe sprinkler system
    • Dry-pipe sprinkler system
    • FM-200system
    • Carbon dioxide-based fire extinguishers
    FM-200 is safer to use than carbon dioxide. It is considered a clean agent for use in gaseous fire suppression applications. A water-based fire extinguisher is suitable when sensitive computer equipment could be damaged before the fire department personnel arrive at the site. Manual firefighting (fire extinguishers) may not provide fast enough protection for sensitive equipment (e.g., network servers).
  12. During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:

    • enrollment.
    • identification.
    • verification.
    • storage.
    The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.
  13. An accuracy measure for a biometric system is:

    • system response time.
    • registration time.
    • input file size.
    • false-acceptance rate.
    For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross-error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures. 
  14. What is a risk associated with attempting to control physical access to sensitive areas such as computer rooms using card keys or locks?

    • Unauthorized individuals wait for controlled doors to open and walk in behind those authorized.
    • The contingency plan for the organization cannot effectively test controlled access practices.
    • Access cards, keys and pads can be easily duplicated allowing easy compromise of the control.
    • Removing access for those who are no longer authorized is complex.
    The concept of piggybacking compromises all physical control established. Choice B would be of minimal concern in a disaster recovery environment. Items in choice C are not easily duplicated. Regarding choice D, while technology is constantly changing, card keys have existed for some time and appear to be a viable option for the foreseeable future.
  15. An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?

    • False-acceptance rate (FAR)
    • Equal-error rate (EER)
    • False-rejection rate (FRR)
    • False-identification rate (FIR)
    FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied, in an organization with high security requirements, user annoyance with a higher FRR is less important, since it is better to deny access to an authorized individual than to grant access to an unauthorized individual. EER is the point where the FAR equals the FRR; therefore, it does not minimize the FAR. FIR is the probability that an authorized person is identified, but is assigned a false ID.
  16. The MOST effective control for addressing the risk of piggybacking is:

    • a single entry point with a receptionist.
    • the use of smart cards.
    • a biometric door lock.
    • a deadman door.
    Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding areA. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area but do not specifically address the risk of piggybacking.
  17. The BEST overall quantitative measure of the performance of biometric control devices is:

    • false-rejection rate.
    • false-acceptance rate.
    • equal-error rate.
    • estimated-error rate.
    A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false- acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EER is the measure of the more effective biometrics control device. Low false-rejection rates or low false- acceptance rates alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant.
  18. Which of the following is the MOST effective control over visitor access to a data center?

    • Visitors are escorted.
    • Visitor badges are required.
    • Visitors sign in.
    • Visitors are spot-checked by operators.
    Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.
  19. The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?

    • Replay
    • Brute force
    • Cryptographic
    • Mimic
    Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. A brute force attack involves feeding the biometric capture device numerous different biometric samples. A cryptographic attack targets the algorithm or the encrypted data, in a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.
  20. A firm is considering using biometric fingerprint identification on all PCs that access critical datA. This requires:

    • that a registration process is executed for all accredited PC users.
    • the full elimination of the risk of a false acceptance.
    • the usage of the fingerprint reader be accessed by a separate password.
    • assurance that it will be impossible to gain unauthorized access to critical data.
    The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice B is incorrect, as the false- acceptance risk of a biometric device may be optimized, but will never be zero because this would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint device reads the token (the user’s fingerprint) and does not need to be protected in itself by a password. Choice Dis incorrect because the usage of biometric protection on PCs does not guarantee that other potential security weaknesses in the system may not be exploited to access protected data.