A | This condition would not be considered an exception if procedures are followed according to approved policies.
B | While reviewing logs may be a good compensating control, the more important course of action would be to determine if policies are being followed.
C | There may be valid reasons for these settings to be different; therefore, the auditor would not normally recommend changes before researching company policies and procedures.
D | If the policy documents the purpose and approval for different procedures, then an IS auditor only needs to document observations and tests as to whether the procedures are followed.

A | Terminating user sessions is often done for remote login (periodic re-authentication) or after a certain amount of inactivity on a web or server session. There is more risk related to leaving the workstation unlocked; therefore, this is not the correct answer.
B | A password-protected screen saver with a proper time interval is the best measure to prevent unauthorized access to unattended end-user systems. It is important to ensure that users lock the workstation when they step away from the machine, which is something that could be reinforced via awareness training.
C | There are solutions that will lock machines when users step away from their desks, and those would be suitable here; however, those tools are a more expensive solution, which would normally include the use of smart cards and extra hardware. Therefore, the use of a password-protected screen saver would be a better solution.
D | Switching off the monitor would not be a solution because the monitor could simply be switched on.

A | Cross-site scripting involves the compromise of the web page to redirect users to content on the attacker's web site. The use of hidden fields has no impact on the likelihood of a cross-site scripting attack because these fields are static content that cannot ordinarily be modified to create this type of attack. Web applications use cookies to save session state information on the client machine so that the user does not need to log in every time a page is visited.
B | Stealth commanding is the hijacking of a web server by the installation of unauthorized code. While the use of hidden forms may increase the risk of server compromise, the most common server exploits involve vulnerabilities of the server operating system or web server.
C | Cookie poisoning refers to the interception and modification of session cookies to impersonate the user or steal login credentials. The use of hidden fields has no relation to cookie poisoning.
D | Web application developers sometimes use hidden fields to save information about a client session or to submit hidden parameters, such as the language of the end user, to the underlying application. Because hidden form fields do not display in the browser, developers may feel safe passing unvalidated data in the hidden fields (to be validated later). This practice is not safe because an attacker can intercept, modify and submit requests, which can discover information or perform functions that the web developer never intended. The malicious modification of web application parameters is known as parameter tampering.

A | Database administrators would have access to all data on the server, but there is no practical control to prevent that; therefore, this would not be a concern.
B | If a stored procedure contains a security sensitive function such as encrypting data, it can be a requirement to encrypt the stored procedure. However, this is less critical than ensuring initialization parameters are correct.
C | Database audit logs normally would not contain any confidential data; therefore, encrypting the log files is not required.
D | When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle Database Management System), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

An IS auditor has been asked by management to review a potentially fraudulent transaction. The

A | Enabling encryption is a good idea to prevent unauthorized network access, but it is more important to isolate the consultants from the rest of the corporate network.
B | Antivirus signatures and patch levels are good practices but not as critical as preventing network access via access controls for the corporate servers.
C | The installation of the wireless network device presents risk to the corporate servers from both authorized and unauthorized users. A separate virtual local area network is the best solution because it ensures that both authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.
D | Protecting the organization's servers through good passwords is good practice, but it is still necessary to isolate the network being used by the consultants. If the consultants can access the rest of the network, they could use password cracking tools against other corporate machines.

A | Although any storage device could be used to steal data, the damage caused by malware could be widespread and severe for the enterprise, which is the more significant risk.
B | Although device drivers may be incompatible and crash the user's PC, the damage caused by malware could be widespread and severe for the enterprise.
C | Although inappropriate content could result, the damage caused by malware could be widespread and severe for the enterprise.
D | Any storage device can be a vehicle for infecting other computers with malware. There are several examples where it has been discovered that some devices are infected in the factory during the manufacturing process, and controls should exist to prohibit employees from connecting any storage media devices to their company-issued PCs.

A | Adequate segregation of duties (SoD) is a preventive control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task.
B | Management supervision of DBA activities is used to detect which DBA activities were not authorized.
C | Reviews of access logs are used to detect the activities performed by the DBA.
D | Exception reports are detective controls used to indicate when the activities of the database administrator (DBA) were performed without authorization.

A | Verification of nodes from the node list would follow the review of the network diagram.
B | The review of the acceptance test report would follow the verification of nodes from the node list.
C | To properly review a local area network implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure.
D | The users list would be reviewed after the acceptance test report.

A | Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.
B | Setting a boot password is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.
C | Protecting the server in a secure location is a good practice, but it does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS).
D | Activity logging has two weaknesses in this scenario: it is a detective control (not a preventive one), and an attacker who has already gained privileged access can modify logs or disable them.

A | While controls regarding password complexity are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials.
B | Two-factor authentication requires a user to use a password in combination with another identification factor that is not easily stolen or guessed by an attacker. Types of two-factor authentication include electronic access tokens that show one-time passwords on their display panels or biometric authentication systems.
C | Host intrusion detection software will assist in the detection of unauthorized system access but does not prevent such access.
D | While controls regarding password expiration and lockout from failed login attempts are important, two-factor authentication methods or techniques would most effectively reduce the risk of stolen or compromised credentials. Password-only based authentication may not provide adequate security.

A | While it is also important to assess all relevant evidence, it is more important to maintain the chain of custody, which ensures the integrity of evidence.
B | Although it is important for an IS auditor to maintain independence, in this case it is more critical that the evidence be preserved.
C | The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.
D | Although it is important for an IS auditor to be impartial, in this case it is more critical that the evidence be preserved.

A | Although contacting law enforcement may be needed, the first step would be to halt data flow by disconnecting the computer from the network.
B | The first step is to disconnect the computer from the network, thus ensuring that no additional data are compromised, and then, using proper forensic techniques, capture the information stored in temporary files, network connection information, programs loaded into memory and other information on the machine.
C | The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network.
D | Preserve the machine in a forensically sound condition and do not make any changes to it except to disconnect it from the network. Otherwise, evidence would be destroyed by powering off the PC or updating the software on the PC. Information stored in temporary files, network connection information, programs loaded into memory, and other information may be lost.

A | A stateful inspection firewall will screen all packets from the wireless network into the company network; however, the configuration of the firewall would need to be audited and firewall compromises, although unlikely, are possible.
B | Keeping the wireless network physically separate from the company network is the best way to secure the company network from intrusion.
C | Changing the password for the wireless network does not secure against unauthorized access to the company network, especially because a guest could gain access to the wireless local area network at any time prior to the weekly password change interval.
D | An intrusion detection system will detect intrusions but will not prevent unauthorized individuals from accessing the network.

A | Audit trails are used to track transactions for various purposes, not just for audit. The use of audit trails for IS auditors is valid; however, it is not the primary reason.
B | Enabling audit trails involves storage and, thus, occupies disk space and may decrease operational efficiency.
C | Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system.
D | The objective of enabling software to provide audit trails is not to improve system efficiency because it often involves additional processing which may, in fact, reduce response time for users.

A | For customer orders to be placed, some data must be saved to the server. No customer orders could be placed on a read-only server.
B | Performing a web application security review is a necessary effort that would uncover security vulnerabilities that could be exploited by hackers.
C | Port 80 must be open for a web application to work and port 443 for Hypertext Transfer Protocol Secure (HTTPS) to operate.
D | Restricting IP addresses might be appropriate for some types of web applications but is not the best solution because a new customer could not place an order until the firewall rules were changed to allow the customer to connect.

A | Digital signatures are designed to provide authentication and nonrepudiation for email and other transmissions but are not adequate for confidentiality. This implementation is not adequate to address the prior-year's finding.
B | Although gathering additional information is always a good step before drawing a conclusion on a finding, in this case the implemented solution simply does not provide confidentiality.
C | Digital signatures do not encrypt message contents, which means that an attacker who intercepts a message can read the message because the data are in plaintext.
D | Digital watermarking is used to protect intellectual property rights for documents rather than to protect the confidentiality of email.

A | The secure use of broadband communications is subject to whether the network is shared with other users, whether the data are encrypted and the risk of network interruption.
B | Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.
C | A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today.
D | A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker.

A | An intrusion detection system is effective in detecting network or host-based errors but not effective in measuring fraudulent transactions.
B | A packet filtering router operates at a network level and cannot see a transaction.
C | A firewall is an excellent tool for protecting networks and systems but not effective in detecting fraudulent transactions.
D | Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

A | The existence of a firewall can be a security measure and would not normally be of concern.
B | Dynamic Host Configuration Protocol provides convenience (an advantage) to the laptop users.
C | Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.
D | A limited number of IP addresses can be addressed through network address translation or by increasing the number of IP addresses assigned to a particular subnet.

A | To comply with requirements, the IS auditor must first know what the requirements are. They can vary from one jurisdiction to another. The IT infrastructure is related to the implementation of the requirements.
B | Checking for compliance is only done after the IS auditor is assured that the policies, standards and procedures are aligned with the legal requirements.
C | The policies of the organization are subject to the legal requirements and should be checked for compliance after the legal requirements are reviewed.
D | To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

A | Message digest 5 (MD5) is an algorithm used to generate a one-way hash of data (a fixed-length value) to test and verify data integrity. MD5 does not encrypt data but puts data through a mathematical process that cannot be reversed. As a result, MD5 could not be used to encrypt data on a universal serial bus (USB) drive.
B | Data Encryption Standard (DES) is susceptible to brute force attacks and has been broken publicly; therefore, it does not provide assurance that data encrypted using DES will be protected from unauthorized disclosure.
C | Secure Shell (SSH) is a protocol that is used to establish a secure, encrypted, command-line shell session, typically for remote login. Although SSH encrypts data transmitted during a session, SSH cannot encrypt data at rest, including data on USB drives. As a result, SSH is not appropriate for this scenario.
D | Advanced Encryption Standard (AES) provides the strongest encryption of all of the choices listed and would provide the greatest assurance that data are protected. Recovering data encrypted with AES is considered computationally infeasible, and so AES is the best choice for encrypting sensitive data.

A | A reasonableness check is used to ensure that input data is within expected values, not to ensure integrity of data transmission. Data can be changed and still pass a reasonableness test.
B | Hash values are calculated on the file and are very sensitive to any changes in the data values in the file. Thus, they are the best way to ensure that data has not changed.
C | Check digits are used to detect an error in a numeric field such as an account number and are usually related to a transposition or transcribing error.
D | Parity bits are a weak form of data integrity check used to detect errors in transmission, but they are not as good as using a hash.

A | External testing refers to a test where an external penetration tester launches attacks on the target's network perimeter from outside the target network (typically from the Internet).
B | Blind testing is also known as black-box testing. This refers to a test where the penetration tester is not given any information and is forced to rely on publicly available information. This test simulates a real attack, except that the target organization is aware of the test being conducted.
C | Targeted testing is also known as white-box testing. This refers to a test where the penetration tester is provided with information and the target organization is also aware of the testing activities. In some cases, the tester is also provided with a limited-privilege account to be used as a starting point.
D | Double-blind testing is also known as zero-knowledge testing. This refers to a test where the penetration tester is not given any information and the target organization is not given any warning: both parties are "blind" to the test. This is the best scenario for testing response capability because the target will react as if the attack were real.

A | The design of the network and the proper implementation of VLANs are more critical than ensuring that all devices are protected by emergency power.
B | Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) would best protect the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which would help to ensure uptime).
C | Encryption is used when VoIP calls use the Internet (not the local LAN) for transport because the assumption is that the physical security of the building as well as the Ethernet switch and VLAN security is adequate.
D | The use of packet buffers at VoIP endpoints is a method to maintain call quality, not a security method.

A | Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic.
B | Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.
C | A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local area network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.
D | Routers can filter packets based on parameters, such as source address, but are not primarily a security tool.

A | Spoofing is a form of impersonation where one computer tries to take on the identity of another computer. When an attack originates from the external network but uses an internal network address, the attacker is most likely trying to bypass firewalls and other network security controls by impersonating (or spoofing) the payroll server's internal network address. By impersonating the payroll server, the attacker may be able to access sensitive internal resources.
B | A denial-of-service attack is designed to limit the availability of a resource and is characterized by a high number of requests that require response from the resource (usually a website). The target spends so many resources responding to the attack requests that legitimate requests are not serviced. These attacks are most commonly launched from networks of compromised computers (botnets) and may involve attacks from multiple computers at once.
C | A man-in-the-middle attack is a form of active eavesdropping where the attacker intercepts a computerized conversation between two parties and then allows the conversation to continue by relaying the appropriate data to both parties, while simultaneously monitoring the same data passing through the attacker's conduit. This type of attack would not register as an attack originating from the payroll server, but instead it might be designed to hijack an authorized connection between a workstation and the payroll server.
D | Port scanning is a reconnaissance technique that is designed to gather information about a target before a more active attack. Port scanning might be used to determine the internal address of the payroll server but would not normally create a log entry that indicated external traffic from an internal server address.

A | Because the chief information officer (CIO) is using a VPN, it can be assumed that encryption is enabled in addition to the security features in GSM. In addition, VPNs will not allow the transfer of data for storage on the remote device (such as the CIO's laptop).
B | Media access control (MAC) filtering can be used on a wireless LAN but does not apply to a GSM network device.
C | The inherent security features of global system for mobile communications (GSM) technology combined with the use of a virtual private network (VPN) are appropriate. The confidentiality of the communication on the GSM radio link is ensured by the use of encryption, and the use of a VPN signifies that an encrypted session is established between the laptop and the corporate network. GSM is a global standard for cellular telecommunications that can be used for both voice and data. Currently deployed commercial GSM technology has multiple overlapping security features which prevent eavesdropping, session hijacking or unauthorized use of the GSM carrier network. While other wireless technologies such as 802.11 wireless local area network (LAN) technologies have been designed to allow the user to adjust or even disable security settings, GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled.
D | Because the GSM network is being used rather than a wireless LAN, it is not possible to configure settings for two-factor authentication over the wireless link. However, two-factor authentication is recommended as it will better protect against unauthorized access than single-factor authentication.

A | The use of Voice-over Internet Protocol does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure.
B | Social engineering, which involves gathering sensitive information to launch an attack, can be exercised over any kind of telephony.
C | A distributed denial-of-service (DDoS) attack would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications.
D | Toll fraud occurs when someone compromises the phone system and makes unauthorized long distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service.

A | Frequent backups of audit logs would not prevent the logs from being deleted.
B | For servers and applications to operate correctly, write access cannot be disabled.
C | Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted.
D | Having additional copies of log file activity would not prevent the original log files from being deleted.

A | Role-based access control limits access according to job roles and responsibilities and would be the best method to allow only authorized users to view reports on a need-to-know basis.
B | Discretionary access control (DAC) is where the owner of the resources decides who should have access to that resource. Most access control systems are an implementation of DAC. This answer is not specific enough for this scenario.
C | Single sign-on is an access control technology used to manage access to multiple systems, networks and applications. This answer is not specific enough for this question.
D | An access control system based on mandatory access control would be expensive, and difficult to implement and maintain in a large complex organization.