Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 94

  1. Which of the following refers to an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer?

    • buffer overflow
    • format string vulnerabilities
    • integer misappropriation
    • code injection
    • None of the choices.

    Explanation:
    A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.

  2. Buffer overflow aims primarily at corrupting:

    • system processor
    • network firewall
    • system memory
    • disk storage
    • None of the choices.

    Explanation:
    A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.

  3. Which of the following measures can effectively minimize the possibility of buffer overflows?

    • Sufficient bounds checking
    • Sufficient memory
    • Sufficient processing capability
    • Sufficient code injection
    • None of the choices

    Explanation:
    Buffer overflows may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer or the compiler can prevent buffer overflows.

  4. Which of the following types of attack makes use of unfiltered user input as the format string parameter in the printf() function of the C language?

    • buffer overflows
    • format string vulnerabilities
    • integer overflow
    • code injection
    • command injection
    • None of the choices.

    Explanation:
    Format string attacks are a new class of vulnerabilities recently discovered. They can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token.

  5. Which of the following kinds of function are particularly vulnerable to format string attacks?

    • C functions that perform output formatting
    • C functions that perform integer computation
    • C functions that perform real number subtraction
    • VB functions that perform integer conversion
    • SQL functions that perform string conversion
    • SQL functions that perform text conversion

    Explanation:
    Format string attacks are a new class of vulnerabilities recently discovered. They can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token.

  6. Integer overflow occurs primarily with:

    • string formatting
    • debug operations
    • output formatting
    • input verifications
    • arithmetic operations
    • None of the choices.

    Explanation:
    An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space. On some processors the result saturates: once the maximum value is reached, attempts to make it larger simply return the maximum result.

  7. Which of the following types of attack works by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs?

    • format string vulnerabilities
    • integer overflow
    • code injection
    • command injection
    • None of the choices.

    Explanation:
    Code injection is a technique to introduce code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs.

  8. An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?

    • A. Commands typed on the command line are logged
    • B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs
    • C. Access to the operating system command line is granted through an access restriction tool with preapproved rights
    • D. Software development tools and compilers have been removed from the production environment

    Explanation:
    The matching of hash keys over time would allow detection of changes to files. Choice A is incorrect because having a log is not a control; reviewing the log is a control. Choice C is incorrect because the access was already granted, so it does not matter how. Choice D is wrong because files can be copied to and from the production environment.

  9. Which of the following is MOST likely to result from a business process reengineering (BPR) project?

    • A. An increased number of people using technology
    • B. Significant cost savings, through a reduction in the complexity of information technology
    • C. Weaker organizational structures and less accountability
    • D. Information protection (IP) risk will increase

    Explanation:
    A BPR project more often leads to an increased number of people using technology, and this would be a cause for concern. Incorrect answers:
    B. As BPR is often technology oriented, and this technology is usually more complex and volatile than in the past, cost savings do not often materialize in this area.
    D. There is no reason for IP to conflict with a BPR project, unless the project is not run properly.

  10. Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital?

    • Multiplexer
    • Modem
    • Protocol converter
    • Concentrator

    Explanation:
    A modem is a device that translates data from digital to analog and back to digital.

  11. What is the PRIMARY purpose of audit trails?

    • To document auditing efforts
    • To correct data integrity errors
    • To establish accountability and responsibility for processed transactions
    • To prevent unauthorized access to data

    Explanation:
    The primary purpose of audit trails is to establish accountability and responsibility for processed transactions.

  12. A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can:

    • Identify high-risk areas that might need a detailed review later
    • Reduce audit costs
    • Reduce audit time
    • Increase audit accuracy

    Explanation:
    A primary benefit derived from an organization employing control self-assessment (CSA) techniques is that it can identify high-risk areas that might need a detailed review later.

  13. Which of the following would have the HIGHEST priority in a business continuity plan (BCP)?

    • Resuming critical processes
    • Recovering sensitive processes
    • Restoring the site
    • Relocating operations to an alternative site

    Explanation:
    The resumption of critical processes has the highest priority as it enables business processes to begin immediately after the interruption and not later than the declared mean time between failure (MTBF). Recovery of sensitive processes refers to recovering the vital and sensitive processes that can be performed manually at a tolerable cost for an extended period of time and those that are not marked as high priority. Repairing and restoring the site to original status and resuming the business operations are time-consuming operations and are not the highest priority. Relocating operations to an alternative site, either temporarily or permanently depending on the interruption, is a time-consuming process; moreover, relocation may not be required.

  14. Network ILD&P are typically installed:

    • on the organization’s internal network connection.
    • on the organization’s internet network connection.
    • on each end-user station.
    • on the firewall.
    • None of the choices.

    Explanation:
    Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P systems are gateway-based systems installed on the organization’s internet network connection; they analyze network traffic to search for unauthorized information transmissions. Host-based ILD&P systems run on end-user workstations to monitor and control access to physical devices and to access information before it has been encrypted.

  15. Host-based ILD&P primarily addresses the issue of:

    • information integrity
    • information accuracy
    • information validity
    • information leakage
    • None of the choices.

    Explanation:
    Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P systems are gateway-based systems installed on the organization’s internet network connection; they analyze network traffic to search for unauthorized information transmissions. Host-based ILD&P systems run on end-user workstations to monitor and control access to physical devices and to access information before it has been encrypted.

  16. Software is considered malware based on:

    • the intent of the creator.
    • its particular features.
    • its location.
    • its compatibility.
    • None of the choices.

    Explanation:
    Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other malicious and unwanted software.

  17. Which of the following are valid examples of malware?

    • viruses
    • worms
    • trojan horses
    • spyware
    • All of the above

    Explanation:
    Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other malicious and unwanted software.

  18. Which of the following refers to any program that invites the user to run it but conceals a harmful or malicious payload?

    • virus
    • worm
    • trojan horse
    • spyware
    • rootkits
    • None of the choices.

  19. A Trojan horse’s payload would almost always take damaging effect immediately.

    • True
    • False

    Explanation:
    Broadly speaking, a Trojan horse is any program that invites the user to run it, but conceals a harmful or malicious payload. The payload may take effect immediately and can lead to immediate yet undesirable effects, or more commonly it may install further harmful software into the user’s system to serve the creator’s longer-term goals.

  20. Which of the following terms is used more generally for describing concealment routines in a malicious program?

    • virus
    • worm
    • trojan horse
    • spyware
    • rootkits
    • backdoor
    • None of the choices.

    Explanation:
    Rootkits can prevent a malicious process from being reported in the process table, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system where the attacker had gained administrator access. Today, the term is used more generally for concealment routines in a malicious program.