CISA Practice Exam 323 Questions with Verified Answers

Identify the most critical element from the following for the successful implementation and ongoing regular maintenance of an information security policy. [BAC]
A. Management support and approval for the information security policy
B. Understanding of the information security policy by all appropriate parties
C. Punitive actions for any violation of information security rules
D. Stringent access control monitoring of information security rules
CORRECT ANSWER B.
An information security policy comprises the processes, procedures, and rules of an organization. The most important aspect of a successful implementation of an information security policy is its assimilation by all appropriate parties, such as employees, service providers, and business partners. Punitive actions for any violations are related to the education and awareness of the policy.

Fair Lending has implemented a disaster recovery plan. Andrew, CFO of Fair Lending, wants to ensure that the implemented plan is adequate. Identify the immediate next step from the following.
A. Initiate the Full Operational Test
B. Initiate the Desk-based Evaluation
C. Initiate the Preparedness Test
D. Socialize with the Senior Management and Obtain Sponsorship
CORRECT ANSWER B.
The immediate next step to evaluate the adequacy of a disaster recovery plan once it has been implemented is to conduct a desk-based evaluation, also known as a paper test. The paper test involves walking through the plan and discussing with the major stakeholders what might happen in a particular type of service disruption. As per best practice, the paper test precedes the preparedness test.

There are various methods of suppressing a data center fire. Identify the MOST effective and environmentally friendly method from the following.
A. Water-based systems (sprinkler systems)
B. Argonite systems
C. Carbon dioxide systems
D. Dry-pipe sprinkling systems
CORRECT ANSWER D.
Dry-pipe sprinkling systems are the most effective and environmentally friendly of the available options. In this system, the water does not flow until the fire alarm activates a pump. Water-based systems (sprinkler systems) are environmentally friendly but may not be the most effective option: the water is always present in the piping, which can potentially leak, causing damage to equipment.

The IT risk management process comprises the following five steps, listed in no particular sequence:
(b) Asset Identification
(e) Evaluation of Threats and Vulnerabilities to Assets
(a) Evaluation of the Impact
(c) Calculation of Risk
(d) Evaluation of and Response to Risk
Identify the correct sequence from the following.
A. b, a, e, c, d
B. b, e, a, c, d
C. b, e, a, d, c
D. a, b, c, d, e
CORRECT ANSWER B.
The IT risk management process comprises the following five steps:
Step 1: Asset Identification
Step 2: Evaluation of Threats and Vulnerabilities to Assets
Step 3: Evaluation of the Impact
Step 4: Calculation of Risk
Step 5: Evaluation of and Response to Risk

Palm Trading Company has implemented digital signatures to protect email communication with their customers. Identify the benefit of using a digital signature from the following.
A. Protects email content from unauthorized reading
B. Protects email content from data theft
C. Ensures timely delivery of email content
D. Ensures integrity of the email content
CORRECT ANSWER D.
A digital signature is used for verifying the identity of the sender and the integrity of the content.

Merlin, head of information systems audit at Cocoa Payroll Services, was invited to a development project meeting. During the meeting, Merlin noted that no project risks were documented and raised this issue with the head of IT. The IT project manager opined that it was too early to identify risks and that they intend

Andrew, CFO of Palm Trading Company, a relatively smaller organization, wants to implement segregation of duties for information processing facility (IPF) roles. Considering this requirement, identify a false statement from the following.
A. A network administrator normally would be restricted from reporting to the end-user manager
B. A network administrator normally would be restricted from having additional end-user responsibilities
C. A network administrator normally would be restricted from being responsible for network security administration
D. A network administrator normally would be restricted from having programming responsibilities
CORRECT ANSWER D.
The computer room and support areas in any organization usually make up the information processing facility (IPF). Many organizations have widely dispersed IPFs in addition to a central IPF. The dispersed IPFs include the management of the network at branches and geographically remote locations. Under these circumstances, a network administrator may have additional network security administration and end-user responsibilities and may report to an end-user manager. However, a network administrator is not allowed to have programming responsibilities, so that the objectives of segregation of duties are met.

An information systems auditor with Super Systems wants to review the arrangements that protect against non-privileged users being able to escalate their access level to enter the supervisory state. Identify the artifact that is useful to review for the identification of such arrangements/controls.
A. Access control violation logs
B. System access logs
C. Access control software parameters
D. System configuration files for control options used
CORRECT ANSWER D.
The information systems auditor should review the system configuration files for the control options used to protect the supervisory state. These options, if uncontrolled, provide a non-privileged user a way to gain access to the OS's supervisory state. A review of system access logs and access violation logs is detective in nature. Access control software runs under the operating system.

Lorena, an information systems auditor with the Town Bank, is conducting a review of a business application. She requested a data flow diagram (DFD) from the auditee. How does a DFD assist Lorena in her work?
A. Establish a summary graphical view of data paths and storage
B. Establish a step-by-step data generation flow
C. Establish a hierarchical data model
D. Establish high-level data definitions
CORRECT ANSWER A.
Data flow diagrams (DFDs) provide a view of the data flow between upstream and downstream systems. The DFD also shows where the data gets stored. Using this information, a useful summary of data flow paths and storage can be established that provides an easy-to-understand, succinct view of the systems being audited.

Julio, head of information technology architecture with the Palm Trading Company, thinks that transaction audit trails are essential for a well-designed system. Identify the main consideration of Julio in this case.
A. Transaction audit trails are for information systems auditors to help them in tracing transactions
B. Transaction audit trails help to make capacity planning more accurate by providing useful data for planning
C. Transaction audit trails are essential for ensuring non-repudiation
D. Transaction audit trails help to improve the efficiency of the backup process
CORRECT ANSWER C.
Julio's main consideration is that transaction audit trails help to determine accountability and responsibility for processed transactions, thereby ensuring non-repudiation.

The ABC System has initiated a data privacy compliance audit. The information systems auditor must review the following as a first step:
A. Technology infrastructure inventory and diagrams
B. Adherence to the enterprise risk management framework
C. Statutory and regulatory requirements
D. Enterprise risk management framework
CORRECT ANSWER C.
In order to provide a comprehensive and independent view on data privacy compliance, the information systems auditor must first start from a review of the applicable statutory and regulatory requirements.

Identify from the following an important parameter for determining an adequate disaster recovery strategy.
A. Service delivery objective
B. Software development methodology
C. Funding availability
D. Management awareness
CORRECT ANSWER A.
The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to business needs.

Jaime, an information systems auditor at Evergreen Bank, discovered unauthorized transactions during a review of an enterprise data interchange platform. Identify from the following the most likely recommendation for Jaime to make.
A. Improvement of operational controls at transaction origination systems
B. Improvement of project management and change control procedures
C. Improvement of the authentication mechanism for sending and receiving transactional messages
D. Review of operational and service level agreements between transaction origination systems and consuming systems
CORRECT ANSWER C.
Since the observation is related to unauthorized transactions, the information systems auditor is most likely concerned about a weak authentication mechanism for sending and receiving transactional messages. A review of operational and service level agreements between transaction origination systems and consuming systems can also be conducted; however, that could only be an additional recommendation.
Blue Xylo Systems, a software development startup, intends to implement a suitable testing method to test the functional operating effectiveness of the information system without regard to any specific internal program structure. Identify from the following the right testing method to meet this objective.
A. Alpha test
B. Beta test

A. Interview the system administrator
B. Conduct interviews on a sample of employees
C. Review the security reminders sent to the employees
D. Review the security training program
CORRECT ANSWER B.
Interviewing a carefully selected set of employees may provide a good view of the effectiveness of the security awareness and training program. The interviews need to be conducted in an adequate manner so as to obtain unbiased and untampered views.

Jim, an information security architect with the Cocoa Exports Company, is tasked to suggest protection for the wireless networks. Identify the best option from the following.
A. Disable Dynamic Host Configuration Protocol (DHCP) at all wireless access points
B. Enable Dynamic Host Configuration Protocol (DHCP) at selected wireless access points
C. Enable Dynamic Host Configuration Protocol (DHCP) at all wireless access points
D. Remove all wireless access points from the organization network
CORRECT ANSWER A.
Dynamic Host Configuration Protocol (DHCP) is used for assigning IP addresses, subnet masks and other parameters to networked computers and devices. This process, however, can be exploited by a malicious actor to learn the internal IP ranges of the organization. Disabling DHCP is the best option, since the connecting computers and devices will then have static IP addresses, which is less risky than dynamic allocation. Enabling DHCP at all wireless access points is the complete opposite of the best option. Selective enabling/disabling still carries the risk. Completely removing wireless access points is not a feasible solution, since it affects functionality.
The primary control objective of classifying information assets is to:
A. assist management and auditors in risk assessment
B. establish guidelines for the level of access controls to be assigned
C. ensure access controls are assigned to all information assets
D. identify assets for insurance against losses
CORRECT ANSWER B.
In order to establish guidelines for the level of access controls to be assigned, information assets must be classified.

Frank, an information security analyst at Micro Lending Inc, has been tasked to handle a Windows web server compromise incident. Identify from the following the first task for Frank to perform.
A. Isolate the compromised server from the network
B. Restart the compromised server in a fail-safe mode
C. Take a dump of server memory and volatile storage data to a disk
D. Power down the compromised server
CORRECT ANSWER A.
As part of incident handling procedures, isolation of the compromised server from the network is the immediate first step to contain the damage.

Identify the control from the following that helps address a referential integrity issue in a relational database management system.
A. Key constraints
B. Database backup
C. Real application cluster
D. Domain constraints
CORRECT ANSWER A.
Referential integrity issues result in orphan records in child tables, also known as dangling tuples. These are records in the referencing relation that do not have "counterparts" in the referenced relation, i.e. the parent table. Referential integrity issues can be addressed by establishing foreign key constraints. A key constraint limits the values that an attribute or a set of attributes can take. A foreign key constraint ensures that all child records have a valid parent record. Domain constraints operate at the database schema level and do not help with referential integrity issues. Clustering and backups are important; however, they are not useful in this situation.
Lawrence, an information security architect with Quick Micropayments, is tasked to identify a suitable biometric system for a very high-security requirement. Identify a useful performance indicator from the following to help in this case.
A. Equal Error Rate (EER)
B. False Acceptance Rate (FAR)
C. False Identification Rate (FIR)
D. False Rejection Rate (FRR)
CORRECT ANSWER B.
Since the biometric system has a very high-security requirement, protection against false acceptance is paramount. The FAR is the performance indicator that measures the false acceptance rate.

Identify from the following the best technique to assist in project duration estimation.
A. Component-based development
B. Program evaluation and review technique (PERT) chart
C. Artificial intelligence (AI)
D. Software cost estimation
CORRECT ANSWER B.
The Program Evaluation and Review Technique (PERT) is a project management technique used in the planning and control of system projects. A PERT chart helps in identifying the duration of the project once all the activities and the work involved are known.

Jim, an information security architect with the Cocoa Exports Company, is overseeing the implementation of an intrusion detection system (IDS) in the organization. Identify the most important aspect of IDS implementation from the following.
A. The resilience of the IDS system
B. Placement within the enterprise network
C. Adequate threat intelligence
D. Protection against DDoS attacks
CORRECT ANSWER B.
An intrusion detection system (IDS) secures networks and complements firewalls by monitoring network usage anomalies on routers and firewalls. Placement of the IDS within the enterprise network is the most crucial of the available options. Improper placement of an IDS may not provide sufficient coverage of key network segments, making it less effective.
The firm's in-house financial management application data is migrated to a new vendor-supported, off-the-shelf, industry-renowned financial management product. Which of the following stakeholders should be primarily responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
A. Data Owner
B. Firm's Migration Project Manager
C. Internal Audit Department

assist in their work. Identify the best tool/mechanism from the following to achieve Lisa's objectives.
A. An extract, transform, load (ETL) system
B. A security information event management (SIEM) product
C. An industry-standard big data warehouse
D. A log management tool
CORRECT ANSWER D.
Lisa is most likely to choose a log management tool to achieve her objectives of log processing and reporting. All other options, while having similar-sounding capabilities, may not be the best fit for the given purpose.

The sender A sends a message to the receiver B. The message hash and the message itself are encrypted with A's private key. Identify from the following the purpose of this encryption arrangement.
A. Authenticity and Integrity
B. Authenticity and Privacy
C. Integrity and Privacy
D. Privacy and Nonrepudiation
CORRECT ANSWER A.
Since the message can be decrypted with the sender's public key, this method does not ensure the privacy of the message. However, this encryption arrangement helps ensure the authenticity of the sender and the integrity of the message.

"Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly reviewing access rules for the data for which they are responsible." Identify the appropriate role for the above-mentioned responsibility.
A. Data Users
B. Data Custodians
C. Data Owners
D. Security Administrator
CORRECT ANSWER C.
The mentioned responsibility falls under the remit of data owners. Data owners are usually business leaders responsible for using information to run and control the business. Data custodians are the people responsible for storing and safeguarding the data and include IT personnel. Data users include the user communities with access levels authorized by the data owners. Security administrators are responsible for providing physical and logical security for data, software, and hardware.

An information systems auditor, while reviewing the IT strategic plan, should ensure that the plan:
A. identifies and addresses the required operational controls
B. recognizes the need for and incorporates cutting-edge technology
C. is a long-term plan describing how IT resources will contribute to the enterprise's strategic objectives
D. clearly sets out project management practices
CORRECT ANSWER C.
The IT strategic plan is a long-term plan (i.e. a three- to five-year horizon) in which business and IT management cooperatively describe how IT resources will contribute to the enterprise's strategic objectives (goals).

Palm Trading Company has seen a gradual increase in phishing and spear-phishing attacks on its corporate network recently. Identify the best control from the following to address this threat.
A. Strong authentication
B. A web application firewall (WAF)
C. An intrusion detection system (IDS)
D. User education
CORRECT ANSWER A.
Phishing and spear-phishing attacks can be mounted in various innovative ways, and user education may work as the best defense against such attacks. Organizations regularly conduct test drills that simulate phishing attacks to assess their preparedness to deal with them. Other controls do not provide sufficient defense against phishing attacks. Spear phishing is an email or electronic communications scam targeted at a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user's computer.

Identify from the following what a malicious actor could primarily achieve by password sniffing carried out via the Internet.
A. Password sniffers can compromise transaction integrity
B. Password sniffers can masquerade the identity of the malicious attacker
C. Sniffed passwords can be successfully exploited to gain unauthorized access
D. Sniffed passwords can be successfully exploited to impact transaction initiation system availability
CORRECT ANSWER C.
A sniffed password would "first" be used to gain unauthorized access to systems and data. Once access is established, further malicious actions affecting the confidentiality, integrity or availability of systems/data can be carried out. Using a sniffed password, the malicious attacker could also log in as another user and clean the audit trail to hide their identity.

Guava Trading Company is running a variety of access points. These include a mix of access points with an obsolete security algorithm that has no upgrades available from the vendor, and newer access points with advanced wireless security. Lisa, an information systems auditor with the organization, wants to recommend that IT replace the obsolete access points. Identify the best justification from the following to support Lisa's recommendation.
A. Centralized and easier management of new access points
B. Performance concerns with the old access points
C. The security chain is only as strong as its weakest link
D. New access points have become more affordable recently
CORRECT ANSWER C.
"The security chain is only as strong as its weakest link" is probably the best justification to support Lisa's recommendation to replace the access points. Performance concerns, easier management, and affordability are secondary in this situation.

Manuel, CFO at Evergreen Bank, has requested a review and update of the business continuity plans (BCP), which also requires gaining/re-validating the understanding of organizational business processes. Identify from the following the tool for doing so.
A. Structured walk-through
B. Risk assessment
C. Full interruption test
D. Business process re-engineering
CORRECT ANSWER B.
Risk assessment, together with the business impact analysis (BIA), is used to gain an understanding of organizational business processes in order to develop an adequate business continuity plan (BCP). Structured walk-through and full interruption tests are methods to test the effectiveness of a BCP. Business process re-engineering (BPR)

Preparation
CORRECT ANSWER B.
The five key steps of incident response are (1) Preparation, (2) Detection and Reporting, (3) Triage and Analysis, (4) Containment and Neutralization, and (5) Post-incident Activity.

Technology auditors perform a functional walk-through during the preliminary phase of an audit assignment. Identify the primary reason:
A. Comply with audit methodology and standards
B. Identify potential control weaknesses
C. Plan substantive testing
D. Develop and validate the business process understanding
CORRECT ANSWER D.
Auditors need to understand the business process and/or validate their understanding by performing a walk-through at the early stage of an audit assignment.

Lisa, an information systems auditor at a non-profit charitable organization, is reviewing organizational preparedness to fight social engineering attempts effectively. Identify the right protection from the following for Lisa to recommend as the most effective measure against such attacks.
A. Security Awareness Training
B. Social Media Monitoring Policy
C. Intrusion Detection Systems (IDS)
D. Anti-SPAM Digital Controls
CORRECT ANSWER A.
Security awareness training is the best defense against social engineering attempts. Social engineering thrives on, and exploits, weaknesses in human behavior. Other controls provide limited defense against such attack attempts but may not be comprehensive. Amongst the available options, security education and awareness provide the best coverage against such attacks.
Identify the correct answer from the following to be included in an organization's information systems security policy.
A. Relevant software security features
B. Criteria for access authorization
C. Inventory of key IT resources to be secured
D. Identity of sensitive security features
CORRECT ANSWER B.
The security policy provides the broad framework of security, including a definition of those authorized to grant access and the basis for granting access. The other choices are more detailed and are likely candidates for inclusion in standards/procedures.

Identify the feature of a digital signature from below that makes the authorizer of a transaction or the sender of a message unable to refute it.
A. Nonrepudiation
B. Confidentiality
C. Encryption
D. Authorization
E. Integrity
F. Authentication
CORRECT ANSWER A.
The feature that ensures undeniability is called nonrepudiation. Digital signatures are used to sign transactions to confirm an authorization that cannot be denied later.

Identify from the following an invalid software testing method.
A. Alpha testing
B. Gamma testing
C. Black-box testing
D. Pilot testing
E. Beta testing
F. White-box testing
CORRECT ANSWER B.
All but gamma testing are valid software testing methods. Alpha testing is the first end-to-end testing of a product to ensure it meets the business requirements and functions correctly. It is typically performed by internal employees and conducted in a lab/stage environment. An alpha test ensures the product really works and does everything it is supposed to do. Beta testing is a type of user acceptance testing where the product team gives a nearly finished product to a group of target users to evaluate product performance in the real world. There is no standard for what a beta test should look like or how to set up beta testing. Black-box testing is the software testing method used to test the software without knowing the internal structure of the code or program. White-box testing is the software testing method in which the internal structure is known to the tester who is going to test the software.

Biometrics is a security technique used in modern systems and implementations to verify identity by analyzing a unique physical attribute of an individual, such as a handprint. Identify a valid example of a biometric replay attack from the following.
A. Use in multi-factor authentication (MFA) to authorize access
B. Using a copy of the impression left on the thumbprint scanner
C. Use of stolen biometric information to launch a brute force
D. Use of shoulder surfing to gain unauthorized access
CORRECT ANSWER B.
A biometric replay attack is carried out using residual biometric information, such as a thumb impression left on a biometric scanner. The other options are incorrect.

During a compliance audit of a small local cooperative bank, the information systems auditor discovers that both the technology and accounting functions are being performed by the same user of the financial system. Identify the best supervisory review control from the following:
A. Database table dump containing audit trails of the date/time of each transaction
B. Daily summary of the number of transactions and the sum total of the value of each transaction
C. User account administration report
D. Computer log files that show individual transactions in the financial system
CORRECT ANSWER D.
While the other supervisory review controls are important, the most important in this situation is to review the computer log files that show individual transactions in the financial system.

Lisa, an information systems auditor at AZ Systems, while conducting a review of the UNIX system administration function, observed that a shared user ID is used by the team of ten administrators. Identify the concern that Lisa may have with this observation

financial loss in certain events that would require the BCP to be invoked. Identify a suitable approach from the following for the team to adopt to complete the exercise.
A. Use the present value of underlying assets to determine financial loss
B. The team should spend the time needed to determine the exact financial loss
C. In such a scenario the team should adopt a qualitative approach
D. Obtain historical financial loss values from the accounting department
CORRECT ANSWER C.
In such a scenario, when the team is facing difficulty in determining the potential financial loss, they should adopt a qualitative approach. The qualitative approach is useful with non-numerical or un-computable data. Experienced managers can determine the financial losses by their experience and sense of judgment.

Lorena, an information systems auditor with the Town Bank, is reviewing the adequacy of the bank's security awareness training program. Identify the best performance evaluation criterion from the following.
A. Number of incidents with business or reputational impact
B. Adequate funding for security initiatives commensurate with the level of risk and business impact
C. Board-level awareness of critical information assets and focus on their protection
D. Roles and responsibilities include accountability for information security
CORRECT ANSWER D.
Roles and responsibilities that include a clear statement of accountability for information security are the best evaluation measure of the bank's security awareness training program.

An information systems auditor is testing developers' access to a Loan System at Super Finance Inc. The auditor selected a sample of current employees from the list provided by the auditee. In such a situation, which of the following evidence is most reliable to support the audit testing?
A. Human Resources records signed by people managers
B. Spreadsheet list provided by the database administrator
C. System-generated list of accounts with access levels
D. Desktop review performed with the system administrator
CORRECT ANSWER C.
A system-generated list of accounts with access levels is the most reliable evidence to support the audit testing in the described scenario.
Blue Xylo Systems, a software development startup, intends to implement a suitable testing method to test the effectiveness of software program logic and determine the procedural accuracy of a program's specific logic paths. Identify from the following the right testing method to meet this objective.
A. Black box test
B. Structured walkthrough
C. White box test
D. Paper test
CORRECT ANSWER C.
White box testing is a test type that focuses on the effectiveness of software program logic and uses test data to determine the procedural accuracy of a program's specific logic paths.

Identify from the following the valid disk-based backup systems.
A. Real application cluster
B. Log shipping
C. Host-based replication
D. Virtual tape libraries
CORRECT ANSWER
Virtual tape library (VTL) systems consist of disk storage and software that control backup and recovery data sets. Host-based replication is executed at the host level by special software running on this server and on the target server. Log shipping and real application cluster are not relevant to disk-based backup systems.

Jamaica Foundry has installed an Ethernet cable (an unshielded twisted pair (UTP) network) that is more than 100 meters long. Identify the potential negative effect caused by the length of the cable.
A. Cross-talk
B. Electromagnetic interference (EMI)
C. Dispersion
D. Attenuation
CORRECT ANSWER D.
Attenuation is the weakening of signals during transmission. When the signal weakens, the receiver may begin to read a 1 for a 0, and the user may experience communication problems. UTP faces attenuation at around 100 meters. UTP implementations are susceptible to the other negative effects as well, but not due to the length of the UTP cable.

Identify the correct answer from the following to be included in an organization's information systems security policy.
A. Identity of sensitive security features
B. Inventory of key IT resources to be secured
C. Relevant software security features
D. Criteria for access authorization
CORRECT ANSWER D.
The security policy provides the broad framework of security, including a definition of those authorized to grant access and the basis for granting access. The other choices are more detailed and are likely candidates for inclusion in standards/procedures.

Peter, a system administrator, needs to select a control to provide the greatest assurance of a server's operating system integrity. Identify the correct answer from the following.
A. Strong boot password for strong security
B. Logging of events and activities, and appropriate monitoring
C. Server configuration hardening
D. Physical security control by protecting the server in a secure location
CORRECT ANSWER C.
OS security hardening guidelines can be developed that define how the OS should be configured. Hardening a system means configuring it in the most secure manner to prevent non-privileged users from gaining the right to execute privileged instructions and thus take control of the entire machine, jeopardizing the OS's integrity. Protecting the server in a secure location and setting a boot password are good practices, but do not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. Activity logging has two weaknesses in this scenario: (i) it is a detective control (not a preventive one), and (ii) an attacker who has already gained privileged access can modify or disable the logs.

Jacob is a business continuity manager with Guava Trading Company. Identify the first step for Jacob to perform soon after the replacement of hardware at the primary data centre.

WPA depends on a central authentication server to authenticate each user
CORRECT ANSWER
WPA does not allow unencrypted source addresses. The rest are true statements about WPA.
Merlin, head of information systems audit at Cocoa Payroll Services, wants to implement an adequate control over unauthorized use of data files collected during an audit as pieces of evidence. Identify the most effective method of meeting the objective from the following. Automated access trails Access control software Appoint a data custodian within the audit department Permanently revoke library access upon audit completion - CORRECT ANSWER B Access control software provides effective and efficient protection against the threat. It is an active control designed to prevent unauthorized access to data. The automated access trail is a detective control. Appointing a data custodian is a manual process and may not be the most efficient. Permanently revoking library access may affect functionality. James, an information security architect with the Town Bank, is reviewing architecture to be able to support continuous operations in the event of a disruption or disaster. Identify the valid option from the following that may be helpful in such an event. [BAG] High-availability Computing Distributed Backup Fault-tolerant Hardware Load Balancer - CORRECT ANSWER C Fault-tolerant hardware enables continuous, uninterrupted service in the event of a disruption or disaster. Load balancers are used to split the workload between several servers to improve performance. High-availability computing provides a quick but not continuous recovery. Distributed backups require longer recovery times. Identify the most important action from the following for an employee who was recently terminated from service.
[AFB] Removal of the organization's data from employee-owned devices Send internal communication to notify other employees Complete a backup of the employee's local files and emails Complete handover of employee's work files to another colleague - CORRECT ANSWER A To prevent data leakage and misuse, the organization's data must be removed immediately from employee-owned devices upon termination. The other options are important as well, but can be carried out later in order of priority. James, an information security architect with the Town Bank, is tasked to implement an antivirus software strategy in a large corporate network comprising various sub-networks. Identify the best option from the following. [AFH] Workstation Antivirus Virus Walls Server-side Antivirus Virus Signature Updates - CORRECT ANSWER B A virus wall, a program used to block the transmission of files infected by a virus, is the right choice for an interconnected network because it scans incoming traffic to detect and remove viruses before they enter the protected network. A virus wall is usually implemented as a web proxy or mail relay, and may be considered part of a firewall. Server-side or workstation antivirus software can co-exist with a virus wall strategy, and virus signature updates are necessary for all of these. Quick Microsystems has initiated a postincident review following the resolution of a service outage that it suffered recently. Identify the main objective of such a review from the following. Improve employee awareness of the incident response process Improve internal control procedures Identify network hardening opportunities to industry best practices Identify network and application hardening opportunities to industry best practices - CORRECT ANSWER B Incidents occur due to inadequately identified and addressed vulnerabilities.
A postincident review helps to determine the vulnerabilities that were not addressed and their root cause. This serves as input for improving policies, procedures and internal controls. Identification of network and application hardening opportunities is valid but is not the primary objective of the postincident review. Lessons from the postincident review may be used later to improve employee awareness. Montero Automotives is embarking on its journey to implement an enterprise governance of information and technology (EGIT) framework. What is the most important goal of an organization in implementing the EGIT framework? [ADJ] IT investments return enhancement Accountability Aligning IT with the business IT value realization - CORRECT ANSWER C The purpose of EGIT is to direct IT endeavors to ensure that IT aligns with and supports the enterprise's objectives and its realization of promised benefits. In addition, IT should enable the enterprise by exploiting opportunities and maximizing benefits. Resources should be used responsibly, and IT-related risk should be managed appropriately. Julio, IT Head at Quick Micropayments, is the auditee for a software development project which is more than 80 percent complete but has already overrun its schedule by 10 percent and its budget by 25 percent. The information systems auditor informs him that this observation may lead to the conclusion that the organization does not have effective project management. Identify the ideal next step at this juncture.
[BBE] Information systems auditor to recommend replacement of the project manager Information systems auditor to conclude an ineffective project management process Information systems auditor to review the conduct of the project and the business case Information systems auditor to perform a review of IT governance structure - CORRECT ANSWER C The immediate next step at this juncture is for the information systems auditor to seek out more information to understand the factors that have contributed to the project going over budget and over schedule. Based on the outcome, the necessary recommendations can be made. Organizations implement Electronic Data Interchange (EDI) to replace their traditional paper document exchange. Identify a potential risk in such an implementation from the following. Increased operational costs Removal of robust manual controls Transaction authorization Employee dissatisfaction - CORRECT ANSWER C Electronic Data Interchange (EDI) replaces the traditional paper document exchange, so the authorization that a signed paper document once provided has to be rebuilt electronically. Proper controls and edits, such as transaction authorization, need to be built into each organization's application system to allow this communication to take place in a trusted manner. The other options are not valid risks specific to EDI. James, an information security architect with the Town Bank, is tasked to implement protection against hacking for connecting a critical desktop-based system to the Internet. Identify the best option from the following. [AGA] A remote access server (RAS) An application-level firewall A bastion host A proxy server - CORRECT ANSWER B An application-level gateway is a firewall proxy that provides the best protection against hacking in this scenario because it can enforce allow/deny rules per user and per connection. It filters traffic against application-layer specifications, so it inspects the application data itself (OSI layers 5, 6 and 7, i.e. protocols such as HTTP, FTP, SNMP, etc.) rather than only addresses and ports.
Super Systems has made an integrated development environment (IDE) available to its IT department. Identify the strength of the IDE from the following. [BAE] Increases program and processing integrity Expands the programming resources and aids available Controls the proliferation of multiple versions of programs Prevents valid changes from being overwritten by others - CORRECT ANSWER B The strength of an IDE is that it expands the programming resources and aids available. Julio, IT Head at Quick Micropayments, conducts a logical access control review at a predefined frequency. Identify the primary objective of the review from the following. [AGH] Ensure access is granted per the organization's authorizations Develop a realistic view of all access needed to the IT environment Provide assurance that computer systems are adequately protected against abuse Validate access controls provided by the application are functioning properly - CORRECT ANSWER A The primary objective of a logical access control review is to determine whether or not access is granted per the organization's authorizations. Identify the true statement from below to correctly define Governance and Management as per COBIT's view.
(Select Two) [WTCSFHAVXCISA] Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body Governance ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives Governance plans, builds, runs and monitors activities in alignment with the direction set by the governance body Management ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives - CORRECT ANSWER A, B COBIT's view on this key distinction between governance and management is: • Governance: Ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-on enterprise objectives; direction is set through prioritization and decision-making; and performance and compliance are monitored against agreed-on direction and objectives • Management: Plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives Fair Lending has implemented a disaster recovery plan. In order to select the optimum business continuity strategy, what would Fair Lending have considered? [AJC] Mean of the combined downtime and recovery cost Lowest recovery cost despite the highest downtime cost Lowest downtime cost despite the highest recovery cost The lowest sum of downtime cost and recovery cost - CORRECT ANSWER D Ideally, businesses would want to minimize both the downtime cost and the recovery cost, but the two move in opposite directions: faster recovery costs more. The optimum business continuity strategy is therefore the one with the lowest sum of the two. The highest recovery cost cannot be the optimum strategy; similarly, the highest downtime cost cannot be the optimum strategy either. The average of the combined downtime and recovery cost is a distractor. Palm Trading Company uses Cocoa Payroll Services to process its employee timesheets and manage monthly payouts.
Identify the most effective and efficient way for Cocoa Payroll Services to ensure the accuracy of the services being rendered. [AFE] Randomly selected sample payouts be compared to payout reports Payout reports to be compared to employee timesheets Sum of all payouts be recalculated outside the computer system Randomly selected sample payouts to be compared to employee timesheets - CORRECT ANSWER B The most effective and efficient way to verify the accuracy of the processing is to compare the input data (employee timesheets) with the output data (payout reports). Therefore, in this case, the comparison of payout reports with employee timesheets is the best option. The remaining options are either not effective (a sample only) or not efficient (manual recalculation). Audit documentation, which provides the support for the representations in the auditor's report, should: 1. Demonstrate that the engagement complied with the standards. 2. Support the basis for the auditor's conclusions. Identify the non-mandatory information from the following to be included in the audit documentation. [WTCSFHBFXCISA] Last five years' results of control self-assessments Audit steps performed and audit evidence gathered Audit findings, conclusions, and recommendations Planning and preparation of the audit scope and objectives - CORRECT ANSWER A The audit documentation need not include the results of CSAs performed in the last five years unless absolutely necessary. The remaining items are mandatory inclusions in the audit documentation. device. Accounting Resources is about the records of the resource usage in the WAN (who uses what). The other basic networking management tasks, according to ISO/IEC 10040, are Fault Management, Performance Management, and Security Management. Identify the purpose of Enterprise Governance of Information and Technology (EGIT) from the following.
(Select Two) [AIH] Decentralize IT resources across the organization Realization of promised benefits Centralize control of IT Support the organizations' objectives - CORRECT ANSWER B, D Enterprise Governance of Information and Technology (EGIT) must support the organization's objectives and help to realize the promised benefits. Lorena, an information systems auditor with the Town Bank, noted that a recently installed security patch crashed the production web server. Lorena should recommend the following to minimize the probability of this occurring again. [AEA] Ensure that the patches are approved after an adequate risk assessment Ensure that the patches are applied according to the patch's release notes Ensure that a good change management process is in place Ensure that patches are thoroughly tested before applying to production - CORRECT ANSWER C Lorena should recommend that IT management ensure a good change management process is in place, which includes the patch management procedure. The other options are elements of a good patch management procedure and would be covered by it. James, an information security architect with the Town Bank, is tasked to implement an anti-DDOS strategy for the IT infrastructure. There is a concern that compromised hosts may be used to launch or join a concerted DDOS attack attempt. Identify the best option from the following to prevent such a scenario. [AHD] Deny all incoming traffic with discernible spoofed IP source addresses Deny all incoming traffic with IP options set Deny all outgoing traffic with IP source addresses external to the network Deny all incoming traffic to critical hosts - CORRECT ANSWER C Organizations should carefully review and set allow/deny rules on the firewall based on their requirements. The concern here is a compromised internal host sending attack traffic, typically with a forged source address, so the relevant control is egress filtering: deny outgoing packets whose source address does not belong to the organization's own address ranges. Such packets cannot be legitimate and are dropped before they leave the network. Restricting incoming traffic will not address this specific concern.
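The egress rule the correct answer describes, written out as an added example (this code is not part of the exam material): an outbound packet is allowed only if its source address falls inside a prefix the organization owns, so a compromised internal host cannot forge addresses when joining a DDoS attack. The prefix table, the sample packets and the function names (egress_allowed, parse_ipv4, parse_prefix) are assumptions of this example; the address ranges are RFC 5737 documentation blocks used as constructed data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct prefix { uint32_t net; unsigned bits; };

/* Address space the organization actually owns. Constructed sample data
 * (RFC 5737 documentation ranges), not a real deployment. */
static const char *const OWN_PREFIXES[] = { "192.0.2.0/24", "198.51.100.0/22" };

static uint32_t mask_for(unsigned bits) {
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

/* Parse a dotted quad into a host-order 32-bit value; reject anything else
 * (trailing characters, octets above 255). */
static bool parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char trailing;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trailing) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Parse "a.b.c.d/n" into a network prefix. */
static bool parse_prefix(const char *s, struct prefix *p) {
    char addr[16];
    const char *slash = strchr(s, '/');
    if (slash == NULL || (size_t)(slash - s) >= sizeof addr) return false;
    memcpy(addr, s, (size_t)(slash - s));
    addr[slash - s] = '\0';
    char *end;
    unsigned long bits = strtoul(slash + 1, &end, 10);
    uint32_t ip;
    if (*end != '\0' || bits > 32 || !parse_ipv4(addr, &ip)) return false;
    p->bits = (unsigned)bits;
    p->net = ip & mask_for(p->bits);
    return true;
}

/* Egress filter: allow an outbound packet only if its source address lies
 * inside one of the organization's own prefixes. Unparsable addresses are
 * dropped rather than allowed (fail secure). */
bool egress_allowed(const char *src_ip) {
    uint32_t src;
    if (!parse_ipv4(src_ip, &src)) return false;
    for (size_t i = 0; i < sizeof OWN_PREFIXES / sizeof OWN_PREFIXES[0]; i++) {
        struct prefix p;
        if (parse_prefix(OWN_PREFIXES[i], &p) && (src & mask_for(p.bits)) == p.net)
            return true;
    }
    return false;
}

int main(void) {
    /* Constructed outbound packets: two legitimate, one with a spoofed source. */
    const char *const sources[] = { "192.0.2.45", "198.51.103.7", "203.0.113.9" };
    for (size_t i = 0; i < sizeof sources / sizeof sources[0]; i++)
        printf("src %-14s -> %s\n", sources[i],
               egress_allowed(sources[i]) ? "ALLOW" : "DROP (source not ours)");
    return 0;
}
```

On a real border device the same decision is expressed as a firewall rule on the outbound interface (drop unless source is in the owned ranges); the point of the function is that the check is on the source address of outgoing traffic, not on anything inbound.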
Super Systems has implemented a virtual private network (VPN) solution on laptops issued to its employees so that they can access organization email and other systems remotely over an internet-based secured channel, ensuring data integrity and confidentiality. Identify the technique employed by the VPN to deliver a secured channel. [BAD] Digital signatures Transport Layer Security (TLS) Secure Sockets Layer (SSL) Tunneling - CORRECT ANSWER D Tunneling is a method by which one network protocol encapsulates another protocol within itself. VPNs secure data in transit by encapsulating traffic in an encrypted tunnel. Digital signatures, TLS and SSL may be used inside a VPN, but tunneling is the technique that delivers the secured channel. James, an information security architect with the Town Bank, is tasked to implement a continuity strategy for the WAN. Identify the best option from the following. [AHG] Service Provider Maintenance Contract Daily Full System Backups Alternative Routing Redundant Host Arrangement - CORRECT ANSWER C The subscriber can obtain alternate routing from the network service provider. Arranging this is time-consuming and costly, but it is the option that keeps the WAN available and meets the uptime requirements. The other options do not present a valid solution to WAN continuity requirements. An information systems auditor at Super Systems is auditing logical security. Identify the greatest concern of the auditor from the following. [WTCSFHBCXCISA] Lack of enforcement for periodic password rotation Excessive permissions to the network administrator account Lack of a formal written policy on privileges management Common knowledge of system administrator account IDs - CORRECT ANSWER B Excessive permissions on the network administrator account are the greatest concern in this scenario. Common knowledge of system administrator account IDs is a concern too, but not as grave, since no passwords are shared.
The lack of periodic password rotation and the lack of a formal written privileges management policy are also important observations, but are not the greatest concern. Malicious actors employ various attack techniques over the internet. Identify a passive attack technique from the following. [AIB] Brute force attack Eavesdropping Message modification Packet replay - CORRECT ANSWER B Eavesdropping is a passive attack technique in which the intruder gathers the information flowing through the network with the intent of acquiring and releasing the message contents, either for personal analysis or for third parties. Examples of passive attacks that gather network information include network analysis, eavesdropping and traffic analysis. The other three options inject or alter traffic and are therefore active attacks. Information systems audit at Super Systems is conducting a review of IT department practices. Identify the most important statement from the following. [BED] IT department must be actively planning new hardware and software acquisition IT department must have the vision to implement leading-edge technology IT department must follow a low-cost philosophy IT department must have long- and short-range plan - CORRECT ANSWER D The IT department should have long- and short-range plans to ensure that they align with the corporate objectives. A low-cost philosophy and the implementation of leading-edge technology depend on business and corporate objectives. Likewise, plans to acquire new hardware and software also depend on business and corporate objectives. Policy definition weakness detection - CORRECT ANSWER A An intrusion detection system (IDS) provides a detective control by detecting exploitation attempts and creating an audit trail that assists in gathering forensic evidence. Fair Lending has implemented a business continuity plan (BCP) to provide coverage for its business and operations across North America. Andrew, CFO of Fair Lending, requests the information systems audit department to review the BCP arrangements and provide their report.
Lorena, the information systems auditor, makes some observations. Identify the most concerning observation from the following. [BCJ] Unavailability of manual procedures in case of physical access system failure Data stored on users' desk computer is not replicated to the BCP site One day delay in reporting product profit and loss to senior management Lack of alternate arrangement cover for the potential network outage - CORRECT ANSWER D The impact of a network outage is the greatest of all the listed scenarios, and not having an alternate arrangement may bring the entire business and its operations to a halt. The other issues are important too, but not as critical as the unavailability of the network itself. James, an information security architect with the Town Bank, is tasked to implement a multi-factor authentication (MFA) strategy for the bank's online banking platform. However, James is concerned about a type of attack that has the potential to render the MFA ineffective. Identify the attack type that James is concerned about from the following. Key logging Man-in-the-middle (MITM) Traffic analysis Distributed denial of service (DDOS) - CORRECT ANSWER B In a man-in-the-middle (MITM) attack the malicious actor places himself between the user and the bank, exploiting a weakness in the network to intercept traffic and replace original packets with tampered ones. Because the attacker relays the session in real time, a valid one-time code entered by the user can be forwarded within its validity window; a successful MITM therefore circumvents the MFA control. Traffic analysis is a passive attack a malicious actor may perform before a MITM attack. Key logging may reveal users' login IDs and passwords but is not effective against MFA. DDOS may affect the availability of the system but cannot circumvent MFA controls. Lorena, an information systems auditor with the Town Bank, while reviewing the disaster recovery plan (DRP), observed the following.
(a) a system analyst in the IT department compiled the plan two years earlier, and it has not been updated since (b) the plan includes transaction flow projections by the operations department (c) the plan awaits approval and formal issuance from the CIO, hence it has not been tested or circulated to staff (d) interviews with management and staff show that each would know their actions in the event of a disruptive incident (e) the plan aims to re-establish live processing at an alternative site (f) an alternative site with a similar (but not identical) hardware configuration is already established Identify the next step for Lorena to take from here. [BCA] Perform a review to verify that the alternate site can support live processing Conclude the outcome of audit as ineffective due to lack of an - CORRECT ANSWER A Lorena should review the arrangements at the alternate site to determine whether it is able to support live processing in the event of a disaster. The lack of a formal, approved and tested plan is a concern, but not as grave as an alternate site that cannot actually support live processing. Lorena, an information systems auditor with the Town Bank, is conducting a review of network security arrangements. Lorena should be most concerned with which of the following, if observed. [BAJ] The network administrator is responsible for voice networks The network administrator performs planning, implementation, and maintenance of network infrastructure The network administrator maintains local area network (LAN) and assists end-users Network administrator tracks problems resulting from network changes - CORRECT ANSWER D The network administrator is usually responsible for planning, implementing and maintaining the telecommunications infrastructure. Additionally, the administrator may also be responsible for voice networks and the local area network (LAN), and may assist end users. However, tracking the problems that result from the changes the administrator himself makes removes the independence of that check (a segregation of duties concern) and does not fit into the administrator's job role.
Organizations leverage public key infrastructure (PKI) for online transaction security. Identify from the following the key feature that helps to trace an online transaction back to its origin irrefutably. [BBD] Nonrepudiation Integrity Encryption Authentication - CORRECT ANSWER A Public key infrastructure (PKI) is a series of processes and technologies for the association of cryptographic keys with the entity to whom those keys were issued. Nonrepudiation is achieved through the use of digital signatures, which trace an online transaction back to its origin irrefutably. This mechanism provides undeniable digital evidence. Lorena, an information systems auditor with the Town Bank, is conducting a review of network security arrangements. Which of the following network documentation should Lorena obtain first? [BDF] Network ACLs Application lists and their details Users lists and responsibilities Wiring and schematic diagram - CORRECT ANSWER D The information systems auditor should first request the wiring and schematic diagram of the network. This is a necessary piece of documentation for carrying out a network audit. All other monitoring thresholds to reset thus avoiding the detection. Masquerade may not work, as it is likely to be identified by the monitoring tools; similarly, performing the network scanning activity using multiple tools or performing it after office hours is likely to be picked up by the network monitoring tools. An information systems auditor at Super Systems is testing program change management. How should the sample be selected in this case?
[WTCSFHBBYCISA] Select the sample of production code changes and trace back to system-produced logs to ascertain the date and time of the change Select the change management documents based on system criticality and examine for appropriateness Randomly select the change management documents and examine for appropriateness Select the sample of production code changes and trace to appropriate authorizing documentation - CORRECT ANSWER D Starting from production code changes and tracing them back to the authorizing documentation is the best option, because it detects changes that were made without any authorization; sampling from the change documents only ever shows changes that were documented. In addition, tracing back through system-produced logs to ascertain the date and time of the change is also useful. An information systems auditor noted data integrity issues in certain attributes of a transaction table. This issue can be prevented by implementing the following key: [BEF] Private key Foreign key Primary key Public key - CORRECT ANSWER B Relational databases offer a foreign key constraint to ensure referential integrity between master and child records. Implementing a foreign key may resolve the issue highlighted in the question. The primary key ensures the uniqueness of records. Public and private keys are used in cryptographic protection and have no relation to the question. Cocoa Payroll Services has an ongoing employee education program whereby they cross-train their employees. Identify a potential security risk with this practice from the following. [BBC] Employees may acquire excessive knowledge of a system Disruption of operations Ambiguity in succession planning Roles and responsibilities are intermingled - CORRECT ANSWER A Employees may acquire excessive knowledge of a system, leading to potential misuse. While cross-training is a good process and often helps organizations with succession planning and recovery in the event of a disruption of services, due care should be taken to ensure that the rules for segregation of duties are not violated.
Lorena, an information systems auditor with the Town Bank, conducted a review of the bank's core banking system and observed anomalous data attributes in some accounting tables. Identify the most effective control that the IT department should implement to avoid such anomalies in the future. [AFF] Implement sample review by IT department Implement database integrity constraints Implement logging controls for all tables Implement before-and-after image reporting - CORRECT ANSWER B Database integrity constraints are automated, preventive controls that ensure the integrity of the data attributes, tables, and the entire database. The constraints can validate the data against predefined master data and rulesets, and validate tables against each other for referential integrity. The remaining options are detective or manual and are therefore either not effective or not efficient. Identify the correct option from the following that uses test data as part of a comprehensive test of program controls for the ongoing accurate operation of the system. [AGB] Base-Case System Evaluation (BCSE) System Integration Test Parallel Run Test Data - CORRECT ANSWER A Base case system evaluation (BCSE) uses a standardized body of data created for testing purposes. Users normally establish the data. Base cases validate production application systems and test the ongoing accurate operation of the system. Implementing an Enterprise Governance of Information and Technology (EGIT) framework entails the implementation of an IT performance monitoring and reporting process. Identify the main objective of this process. [AFC] Performance Optimization Performance Benchmarking IT Error Reduction Performance Trend Analysis - CORRECT ANSWER A Performance optimization is the main objective for any organization implementing an IT performance monitoring and reporting process.
Performance optimization includes both improving perceived service performance and improving information system productivity to the highest level possible without unnecessary additional investment in the IT infrastructure. Many WEP systems require a key in a relatively insecure format. What format is this? 256 bit format. None of the choices. 128 bit format. hexadecimal format. - CORRECT ANSWER D To install backdoors, hackers prefer to use: either Trojan horse or eavesdropper. either eavesdropper or computer worm. either Trojan horse or computer worm. either Tripwire or computer virus. - CORRECT ANSWER C support for customers. Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers prefer to use either a Trojan horse or a computer worm. Which of the following refers to the proving of mathematical theorems by a computer program? Automated technology proving Automated theorem processing None of the choices. Analytical theorem proving Automated theorem proving - CORRECT ANSWER E Automated theorem proving (ATP) is the proving of mathematical theorems by a computer program. Depending on the underlying logic, the problem of deciding the validity of a theorem varies from trivial to impossible. Commercial use of automated theorem proving is mostly concentrated in integrated circuit design and verification. Your final audit report should be issued: None of the choices. after an agreement on the observations is reached. if an agreement on the observations cannot be reached. before an agreement on the observations is reached. without mentioning the observations. - CORRECT ANSWER B Reporting can take the form of a verbal presentation, an issue paper or a written audit report summarizing observations and management's responses. After agreement is reached on the observations, a final report can be issued. Which of the following is a tool you can use to simulate a big network structure on a single computer? honeyd None of the choices.
honeytube honeymoon honeytrap - CORRECT ANSWER A honeyd is GPL-licensed software you can use to simulate a big network structure on a single computer. Integer overflow occurs primarily with: input verifications debug operations output formatting string formatting arithmetic operations - CORRECT ANSWER E An integer overflow occurs when an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space. On some processors the result saturates: once the maximum value is reached, attempts to make it larger simply return the maximum result. More commonly, and always for unsigned arithmetic in C, the value wraps around modulo the word size, so a large product silently becomes a small number. The technique of rummaging through commercial trash to collect useful business information is known as: Information diving Identity diving System diving Intelligence diving Program diving - CORRECT ANSWER A Dumpster diving, in the form of information diving, describes the practice of rummaging through commercial trash to find useful information such as files, letters, memos, passwords, etc. Which of the following types of attack makes use of unfiltered user input as the format string parameter in the printf() function of the C language? format string vulnerabilities command injection buffer overflows code injection integer overflow - CORRECT ANSWER A Format string attacks are a class of vulnerabilities first widely publicized around 2000. They can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token. What should be done to determine the appropriate level of audit coverage for an organization's IT environment? iptables in Linux 2.4 and above.
Iptables controls the packet filtering and NAT components within the Linux kernel. It is based on Netfilter, a framework which provides a set of hooks within the Linux kernel for intercepting and manipulating network packets. Which of the following is a good time frame for making changes to passwords? every 30 to 45 days every 180 to 365 days None of the choices. every 10 to 20 days every 90 to 120 days - CORRECT ANSWER E Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Use a password that is at least eight characters long. You may want to run a "password cracker" program periodically, and require users to immediately change any easily cracked passwords. In any case, ask them to change their passwords every 90 to 120 days. Note that this is the exam's expected answer; current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation, calling instead for a change when there is evidence of compromise. Why is it not preferable for a firewall to treat each network frame or packet in isolation? Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. Such a firewall is too complicated to maintain. Such a firewall offers poor compatibility. Such a firewall is CPU hungry. Such a firewall is costly to set up. - CORRECT ANSWER A A stateless firewall treats each network frame or packet in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet. A stateful firewall keeps a table of established connections and checks each packet against it. Which of the following refers to an anomalous condition where a process attempts to store data beyond the boundaries of a fixed length buffer? integer misappropriation None of the choices.
code injection
buffer overflow
format string vulnerabilities
- CORRECT ANSWER D A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data.

Which of the following is not a good tactic to use against hackers?
Enticement
Entrapment
- CORRECT ANSWER B Enticement occurs after somebody has gained unlawful access to a system and is then subsequently lured to a honeypot. Entrapment encourages the commission of unlawful access. The latter is not a good tactic to use as it involves encouraging someone to commit a crime.

IS audits should be selected through a risk analysis process to concentrate on:
those areas of greatest risk and opportunity for improvements.
random events.
those areas of the greatest financial value.
areas led by the key people of the organization.
those areas of least risk and opportunity for improvements.
- CORRECT ANSWER A Audits are typically selected through a risk analysis process to concentrate on those areas of greatest risk and opportunity for improvements. Audit topics are supposed to be chosen based on potential for cost savings and service improvements.

Nowadays, computer security comprises mainly "preventive" measures.
True only for trusted networks
FALSE
True only for untrusted networks
TRUE
None of the choices.
- CORRECT ANSWER TRUE Nowadays, computer security comprises mainly "preventive" measures, like firewalls or an Exit Procedure. A firewall can be defined as a way of filtering network data between a host or a network and another network, and is normally implemented as software running on the machine or as physically integrated hardware.

Which of the following should be seen as one of the most significant factors considered when determining the frequency of IS audits within your organization?
The cost of risk analysis
The income generated by the business function
Resource allocation strategy
None of the choices.

you cannot test it
you cannot examine its internal workings from outside.
None of the choices.
you cannot tune it
you cannot patch it
- CORRECT ANSWER B An intrusion detection system should be able to run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a "black box", because you want to ensure its internal workings are examinable from outside.

With deep packet inspection, which of the following OSI layers are involved?
Layer 3 through Layer 7
Layer 2 through Layer 7
Layer 3 through Layer 6
Layer 2 through Layer 5
Layer 2 through Layer 6
- CORRECT ANSWER B Deep packet inspection (DPI) is a form of computer network packet filtering that examines the data part of a passing packet, searching for non-protocol compliance or predefined criteria to decide if the packet can pass. DPI devices have the ability to look at Layer 2 through Layer 7 of the OSI model.

Human error is HEAVILY relied upon by which of the following types of attack?
DoS
Social Engineering
Eavesdropping
DDoS
ATP
- CORRECT ANSWER B

In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as:
trojannets
botnets
wormnets
spynets
rootnets
- CORRECT ANSWER B In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously.

Under the concept of "defense in depth", subsystems should be designed to:
"fail secure"
"react to attack"
"react to failure"
None of the choices.
"fail insecure"
- CORRECT ANSWER A With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure".

In a botnet, the malbot logs into a particular type of system to make coordinated attack attempts. What type of system is this?
SMS system
Chat system
Email system
Log system
Kernel system
- CORRECT ANSWER B In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously.

Which of the following is a good tool to use to help enforce the deployment of good passwords?
remote windowing tool
password cracker
None of the choices.
network hacker
local DoS attacker
- CORRECT ANSWER B Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Do use a password that is at least eight or more characters. You may

quick fix
malware
patch
- CORRECT ANSWER A The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local. The code from the exploit program is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in a certain program's processing of a specific file type, such as a non-executable media file.

A screening router inspects traffic by examining:
virus payload
message header.
attachment type
None of the choices.
message content
- CORRECT ANSWER B The simplest and almost cheapest type of firewall is a packet filter that stops messages with inappropriate network addresses. It usually consists of a screening router and a set of rules that accept or reject a message based on information in the message header.

If a database is restored using before-image dumps, where should the process begin following an interruption?
After the last transaction
As the last transaction before the latest checkpoint
As the first transaction after the latest checkpoint
Before the last transaction
- CORRECT ANSWER D If before images are used, the last transaction in the dump will not have updated the database prior to the dump being taken. The last transaction will not have updated the database and must be reprocessed. Program checkpoints are irrelevant in this situation.

Which of the following refers to any program that invites the user to run it but conceals a harmful or malicious payload?
spyware
rootkits
virus
trojan horse
worm
- CORRECT ANSWER D

Which of the following terms refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders?
None of the choices.
ILP&C
ILR&D
ILD&P
ICT&P
- CORRECT ANSWER D Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P systems are gateway-based systems installed on the organization's Internet network connection that analyze network traffic to search for unauthorized information transmissions. Host-based ILD&P systems run on end-user workstations to monitor and control access to physical devices and access information before it has been encrypted.

Which of the following are the characteristics of a good password?
None of the choices.
It has mixed-case alphabetic characters, numbers, and symbols.
It has mixed-case alphabetic characters and numbers.
It has mixed-case alphabetic characters and symbols.
It has mixed-case alphabetic characters, numbers, and binary codes.
- CORRECT ANSWER B Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Do use a password that is at least eight or more characters.

What would be the major purpose of a rootkit?
to encrypt files for system administrators.
to corrupt files for system administrators.
to hijack system sessions.
None of the choices.
to hide evidence from system administrators.
- CORRECT ANSWER E Rootkit originally described those recompiled Unix tools that would hide any trace of the intruder. You can say that the only purpose of a rootkit is to hide evidence from system administrators so there is no way to detect malicious special-privilege access attempts.

Which of the following is by far the most common prevention system from a network security perspective?
Hardened OS
IDS and cryptography
User account access controls and cryptography
User account access controls and firewall
User account access controls and IPS
Firewall and cryptography
- CORRECT ANSWER B User account access controls and cryptography can protect system files and data, respectively. On the other hand, firewalls are by far the most common prevention systems from a network security perspective as they can shield access to internal network services, and block certain kinds of attacks through packet filtering.

Which of the following refers to a method of bypassing normal system authentication procedures?
trojan horse
Backdoor
virus
rootkits
worm
- CORRECT ANSWER B A backdoor is a method of bypassing normal authentication procedures. Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers prefer to use either a Trojan horse or a computer worm.

Which of the following BEST describes the concept of "defense in depth"?
more than one subsystem needs to be compromised to compromise the security of the system and the information it holds.
multiple firewalls are implemented.
intrusion detection and firewall filtering are required.
None of the choices.
multiple firewalls and multiple network OS are implemented.
- CORRECT ANSWER A With "defense in depth", more than one subsystem needs to be compromised to compromise the security of the system and the information it holds. Subsystems should default to secure settings, and wherever possible should be designed to "fail secure" rather than "fail insecure".

Which of the following types of attack often take advantage of curiosity or greed to deliver malware?
Soft coding
Tripwire
Gimmes
Pretexting
Icing
- CORRECT ANSWER C Gimmes take advantage of curiosity or greed to deliver malware. Also known as a Trojan horse, gimmes can arrive as an email attachment promising anything. The recipient is expected to give in to the urge to run the program and open the attachment. In addition, many users will blindly click on any attachments they receive that seem even mildly legitimate.

Which of the following types of attack almost always requires physical access to the targets?
Wireless attack
Direct access attack
Window attack
System attack
Port attack
- CORRECT ANSWER B Direct access attacks make use of common consumer devices that can be used to transfer data surreptitiously.
Someone gaining physical access to a computer can install all manner of devices to compromise security, including operating system modifications, software worms, keyboard loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media or portable devices.

Pretexting is an act of:
social engineering
eavesdropping
DoS
soft coding
hard coding
- CORRECT ANSWER A Pretexting is the act of creating and using an invented scenario to persuade a target to release information or perform an action, and is usually done over the telephone. It is more than a simple lie as it most often involves some prior research or set-up and the use of pieces of known information.

Which of the following are designed to detect network attacks in progress and assist in post-attack forensics?
Audit trails
Tripwire
None of the choices.
System logs

OS patchers.
eavesdroppers.
trojan horses only.
- CORRECT ANSWER A The term "exploit" generally refers to small programs designed to take advantage of a software flaw that has been discovered, either remote or local. The code from the exploit program is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability can lie in a certain program's processing of a specific file type, such as a non-executable media file.

For application acquisitions with significant impacts, participation of your IS audit team should be encouraged:
None of the choices.
at the budget preparation stage.
at the final approval stage.
at the testing stage.
early in the due diligence stage.
- CORRECT ANSWER E For acquisitions with significant IT impacts, participation of IS audit is often necessary early in the due diligence stage, as defined in the audit policy.

In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems?
Ensuring grandfather-father-son file backups
Ensuring periodic dumps of transaction logs
Maintaining important data at an offsite location
Maintaining system software parameters
- CORRECT ANSWER B Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other, more traditional methods of backup impractical.

Which of the following typically consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared?
IPS
honeypot
IDS
superpot
firewall
- CORRECT ANSWER B You may use a honeypot to detect and deflect unauthorized use of your information systems. A typical honeypot consists of a computer, some real-looking data and/or a network site that appears to be part of a production network but which is in fact isolated and well prepared for trapping hackers.

The Federal Information Processing Standards (FIPS) are primarily for use by (choose all that apply):
all non-military government agencies
None of the choices.
US government contractors
all private and public colleges in the US
all military government agencies
- CORRECT ANSWER A, C Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community.

Most trojan horse programs are spread through:
None of the choices.
e-mails.
MS Office.
Word template.
MP3.
- CORRECT ANSWER B Most trojan horse programs are spread through e-mails. Some earlier trojan horse programs were bundled in "Root Kits". For example, the Linux Root Kit version 3 (lrk3), which was released in December 96, had tcp wrapper trojans included and enhanced in the kit.
Portable devices that run Linux can also be affected by trojan horses. The Trojan.Linux.JBellz Trojan horse runs as a malformed .mp3 file.

Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
There are three individuals with a key to enter the area.
Paper documents are also stored in the offsite vault.
The offsite vault is located in a separate facility.
Data files that are stored in the vault are synchronized.
- CORRECT ANSWER D Choice A is incorrect because more than one person would typically need to have a key to the vault to ensure that individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is not correct because an IS auditor would not be concerned with whether paper documents are stored in the offsite vault. In fact, paper documents, such as procedural documents and a copy of the contingency plan, would most likely be stored in the offsite vault. The location of the vault is important, but not as important as the files being synchronized.

Which of the following are examples of tools for launching a Distributed DoS Attack (choose all that apply):
Pretexting
- CORRECT ANSWER E

Which of the following refers to an important procedure when evaluating database security (choose the BEST answer)?
performing vulnerability assessments against the database.
performing dictionary check against the database.
performing data check against the database.
None of the choices.
performing capacity check against the database system.
- CORRECT ANSWER A Databases provide many layers and types of security, including access control, auditing, authentication, encryption and integrity controls. An important procedure when evaluating database security is performing vulnerability assessments against the database.
Database administrators or information security administrators run vulnerability scans on databases to discover misconfiguration of controls within the layers mentioned above, along with known vulnerabilities within the database software.

Which of the following are valid examples of malware (choose all that apply):
spyware
All of the above
worms
viruses
trojan horses
- CORRECT ANSWER B Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Software is considered malware based on the intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, adware, and other malicious and unwanted software.

Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
physically separated from the data center and not subject to the same risks.
outsourced to a reliable third party.
equipped with surveillance capabilities.
given the same level of protection as that of the computer data center.
- CORRECT ANSWER A It is important that there be an offsite storage location for IS files and that it be in a location not subject to the same risks as the primary data center. The other choices are all issues that must be considered when establishing the offsite location, but they are not as critical as the location selection.

What is the best defense against a Distributed DoS Attack?
patch your systems.
run a virus checker.
find the DoS program and kill it.
None of the choices.
run anti-spy software.
- CORRECT ANSWER A A Distributed DoS Attack is a network-based attack from many servers used remotely to send packets. Examples of tools for conducting such an attack include TFN, TFN2K, Trin00, Stacheldracht, and variants. The best defense is to make sure all system patches are up to date. Also make sure your firewalls are configured appropriately.
Which of the following types of attack involves a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files?
Distributed DoS attacks
Remote DoS attacks
None of the choices.
Local Virus attacks
Local DoS attacks
- CORRECT ANSWER E Local DoS attacks can be a program that creates an infinite loop, makes lots of copies of itself, and continues to open lots of files. The best defense is to find this program and kill it.

Which of the following procedures would BEST determine whether adequate recovery/restart procedures exist?
Reviewing program documentation
Reviewing program code
Turning off the UPS, then the power
Reviewing operations documentation
- CORRECT ANSWER E Operations documentation should contain recovery/restart procedures, so operations can return to normal processing in a timely manner. Turning off the uninterruptible power supply (UPS) and then turning off the power might create a situation for recovery and restart, but the negative effect on operations would prove this method to be undesirable. The review of program code and documentation generally does not provide evidence regarding recovery/restart procedures.

Which of the following kinds of function are particularly vulnerable to format string attacks?
C functions that perform output formatting
SQL functions that perform string conversion
VB functions that perform integer conversion
C functions that perform integer computation

string cipher
- CORRECT ANSWER D In cryptography, a block cipher is a symmetric key cipher which operates on fixed-length groups of bits, termed blocks, with an unvarying transformation. A stream cipher, on the other hand, operates on individual digits one at a time.
In-house personnel performing IS audits should possess which of the following knowledge and/or skills (choose 2):
information systems knowledge commensurate with the scope of the IT environment in question
sufficient knowledge on secure platform development
sufficient knowledge on secure system coding
information systems knowledge commensurate outside of the scope of the IT environment in question
sufficient analytical skills to determine root cause of deficiencies in question
- CORRECT ANSWER A, E Personnel performing IT audits should have information systems knowledge commensurate with the scope of the institution's IT environment. They should also possess sufficient analytical skills to determine the root cause of deficiencies.

An attack amplifier is often HEAVILY relied upon by which of the following types of attack?
ToS
Wiretapping
ATP
Packet dropping
DDoS
- CORRECT ANSWER E Distributed denial of service (DDoS) attacks are common, where a large number of compromised hosts are used to flood a target system with network requests. One technique to exhaust victim resources is through the use of an attack amplifier, where the attacker takes advantage of poorly designed protocols on third-party machines in order to instruct these hosts to launch the flood.

As part of the IEEE 802.11 standard ratified in September 1999, WEP uses which stream cipher for confidentiality?
CRC-64
RC4
3DES
DES
CRC-32
- CORRECT ANSWER B As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the stream cipher RC4 for confidentiality and the CRC-32 checksum for integrity.

Which of the following may be deployed in a network as lower-cost surveillance and early-warning tools?
Honeypots
Hardware IPSs
Stateful inspection firewalls
Botnets
Hardware IDSs
- CORRECT ANSWER A Honeypots, essentially decoy network-accessible resources, could be deployed in a network as surveillance and early-warning tools.
Techniques used by attackers that attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques.

An accurate biometric system usually exhibits (choose all that apply):
low EER
low CER
None of the choices.
high EER
high CER
- CORRECT ANSWER A, B One of the most commonly used measures of real-world biometric systems is the rate at which both accept and reject errors are equal: the equal error rate (EER), also known as the cross-over error rate (CER). The lower the EER or CER, the more accurate the system is considered to be.

Which of the following methods of encryption has been proven to be almost unbreakable when correctly used?
Oakley
one-time pad
3-DES
key pair
certificate
- CORRECT ANSWER B It's possible to protect messages in transit by means of cryptography. One method of encryption, the one-time pad, has been proven to be unbreakable when correctly used. This method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. Note that this method is difficult to use securely, and is highly inconvenient as well.

Send tapes daily containing transactions offsite.
Send tapes hourly containing transactions offsite.
Capture transactions to multiple storage devices.
- CORRECT ANSWER A The only way to ensure availability of all transactions is to perform a real-time transmission to an offsite facility. Choices A and B are not in real time and, therefore, would not include all the transactions. Choice C does not ensure availability at an offsite location.

Why is the one-time pad not always preferable for encryption (choose all that apply):
it is highly inconvenient to use.
it requires internet connectivity.
it is Microsoft only.
it is difficult to use securely.
it requires a licensing fee.
- CORRECT ANSWER A, D It's possible to protect messages in transit by means of cryptography.
One method of encryption, the one-time pad, has been proven to be unbreakable when correctly used. This method uses a matching pair of key-codes, securely distributed, which are used once-and-only-once to encode and decode a single message. Note that this method is difficult to use securely, and is highly inconvenient as well.

Which of the following correctly describes the purpose of an Electronic Data Processing audit?
to verify data accuracy.
to ensure document validity.
to collect and evaluate evidence of an organization's information systems, practices, and operations.
to collect and evaluate benefits brought by an organization's information systems to its bottom line.
None of the choices.
- CORRECT ANSWER C An Electronic Data Processing (EDP) audit is an IT audit. It is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations.

Physical access controls are usually implemented based on which of the following means (choose all that apply):
None of the choices.
guards
transaction applications
operating systems
mechanical locks
- CORRECT ANSWER B, E In physical security, access control refers to the practice of restricting entrance to authorized persons. Human means of enforcement include guards, bouncers, receptionists, etc. Mechanical means may include locks and keys.

The Federal Information Processing Standards (FIPS) were developed by:
IEEE
IANA
the United States Federal government
ANSI
ISO
- CORRECT ANSWER C Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community.
A virus typically consists of what major parts (choose all that apply):
a payload
a mechanism that allows them to infect other files and reproduce
a trigger that activates delivery of a "payload"
a signature
None of the choices.
- CORRECT ANSWER A, B, C A virus typically consists of three parts: a mechanism that allows it to infect other files and reproduce, a trigger that activates delivery of a "payload", and the payload, from which the virus often gets its name. The payload is what the virus does to the victim file.

Relatively speaking, firewalls operated at the application level of the seven-layer OSI model are:
almost always less costly to set up.
almost always less secure.
None of the choices.
almost always less effective.
almost always less efficient.
- CORRECT ANSWER E Early attempts at producing firewalls operated at the application level of the seven-layer OSI model, but this required too much CPU processing power. Packet filters operate at the network layer and function more efficiently because they only look at the header part of a packet.

Which of the following will replace system binaries and/or hook into the function calls of the operating system to hide the presence of other programs (choose the most precise answer)?